
#passkeys


> #Google informed me that I already had a #passkey on my device. If that's the case, why didn't it work when I attempted to log into my Google account on the tablet? When I was logging into the tablet, Google should have been aware I had #passkeys on my Pixel 9 Pro and request #authentication with either a fingerprint or face scan. It didn't. No passkey was recognized… even though it's there.

> It's a recursive nightmare from which I can't seem to escape.

zdnet.com/article/passkeys-won

ZDNET · Passkeys won't be ready for primetime until Google and other companies fix this · By Jack Wallen

THIS is precisely the experience I've had with #passkeys and why I didn't use them for a couple of years and only now use them where I trust there are alternative login methods still usable as fallbacks.

Passkeys are great, but every implementation I've seen seems to suck, except for MyChart (Epic).

I cannot recommend them yet for this reason.

zdnet.com/article/passkeys-won

ZDNET · Passkeys won't be ready for primetime until Google and other companies fix this · By Jack Wallen

On the weekend I managed to connect all my self-hosted services that support it to the #Keycloak #SSO (single sign-on).
Namely #Mastodon #Peertube #NextCloud #FreshRSS #Matomo and #grafana

Why bother with such complication for apps serving only a couple of users?
First, it's quite easy nowadays.
And second, because I want to get rid of passwords and just use #passkeys.

This is one of many examples showing that good apps should just focus on one task and just use standards to cooperate with other apps focusing on other tasks.

Peertube, for example, focuses on videos, not user management. I am very OK that they don't support passkeys, because they implemented the OpenID Connect standard to allow me to use Keycloak for better login options.

On the other hand, I am quite sad that SSO is often the one feature that is proprietary and reserved only for paying customers. SSO is not for huge corporations anymore. It's also useful for us, self-hosters with a couple of users.

❤️ :opensource: :keycloak:

Exactly my fear about #passkeys just happened with a family member:

- A web site encouraged them to "switch to passwordless sign-in" without using the word "passkeys" or explaining what that meant
- Weeks later, they tried to sign in on another device, and it told them to scan a QR code using "their computer" to sign in. It did not explain passkeys
- When they tried to sign in on their computer in a given browser, it told them they didn't have any saved passkeys

1/2


@cryptomator Credential management was a particularly fun one to figure out: the best way to secure those.

I am using Proton Pass, since they have cloud-synced #passkey support, but their export only supports .json. To make it easy, I import the .json into @keepassxc to make a #KeePass vault, so even if the service goes down, I can still open my creds on desktop or #KeePassDX. KeePass vaults are also widely supported for import into other cloud credential managers.

How #PassKeys work: The complete guide to your inevitable passwordless future

Why are passkeys so much safer than passwords? And how exactly does this sorcery work? We go behind the scenes of this still-evolving authentication process.

zdnet.com/article/how-passkeys

ZDNET · How passkeys work: The complete guide to your inevitable passwordless future · By David Berlind

As requested from several directions, I tried to update my expert profile on the EU's experts website, since @ngi is looking for more reviewers. But as usual, the horror of the EC's own login system (WHY!) struck again (#ECAS).

WHY DOESN'T IT USE STANDARD WEB TECHNOLOGIES LIKE #PASSKEYS!!

I STILL CAN'T ACTIVATE 2FA AND I HAVE THE EU LOGIN APP SET UP ON MY IPHONE!

GAAAAAAAAAAAAAH! 🤯


@relishthecracker : that's make-believe.

"Wow, asymmetric encryption, even quantum-computer-proof", "military-grade", etcetera.

Right after logging in using a passkey with an unbreakably protected private key, the website sends a session cookie (or similar) to the browser - which is NOT protected like private keys. If a website (like most of them) does not log you out if your IP address changes, such a cookie is nearly as bad as a password. And fully so if the cookie never expires.

Therefore:

1️⃣ Even if attackers cannot copy private keys: if the user device is sufficiently compromised (i.e. on Android, running an accessibility service), they can take over all of the user's accounts;

2️⃣ If the user's browser is compromised, attackers can copy session cookies and use them to obtain access to accounts the user logs in to;

3️⃣ An AitM (Attacker in the Middle) using a malicious website can copy/steal authentication cookies. Such AitM attacks are possible in at least the following cases, if either:

• A malicious third party website manages to obtain a fraudulently issued certificate (examples: infosec.exchange/@ErikvanStrat);

• An attacker obtains unauthorised write access to the website's DNS record;

• An attacker manages to obtain access to a server where a "dangling" (forgotten) subdomain name points to, *AND* the real authenticating server (RP) does not carefully check for allowed subdomains (see github.com/w3ctag/design-revie);

4️⃣ The server is compromised or has a rogue admin: the attacker can add their passkey's public key to your account, or replace your public key with theirs (note that passkey pubkeys are not encapsulated by certificates issued by trusted issuers, stating who owns the public key).

Phishing using fake websites is probably the number one problem on the internet. *THE* major advantage of passkeys is that they make phishing attacks VERY HARD.

Indeed, if your device is sufficiently compromised, the risk of all of your passwords being stolen if you use a password manager is BIG.

However, as I wrote, if your device is sufficiently compromised, an attacker does not need access to your private keys in order to obtain access to your accounts.

@oliversampson @kaye

Infosec Exchange · Erik van Straten (@ErikvanStraten@infosec.exchange) · 🌘DV-CERT MIS-ISSUANCE INCIDENTS🌒 🧵#3/3

Note: this list (in reverse chronological order) is probably incomplete; please respond if you know of additional incidents!

- 2024-07-31 "Sitting Ducks" attacks/DNS hijacks: mis-issued certificates for possibly more than 35.000 domains by Let's Encrypt and DigiCert: https://blogs.infoblox.com/threat-intelligence/who-knew-domain-hijacking-is-so-easy/ (src: https://www.bleepingcomputer.com/news/security/sitting-ducks-dns-attacks-let-hackers-hijack-over-35-000-domains/)
- 2024-07-23 Let's Encrypt mis-issued 34 certificates, revokes 27 for dydx.exchange: see 🧵#2/3 in this series of toots
- 2023-11-03 jabber.ru MitMed/AitMed in German hosting center: https://notes.valdikss.org.ru/jabber.ru-mitm/
- 2023-11-01 KlaySwap and Celer Bridge BGP hijacks described: https://www.certik.com/resources/blog/1NHvPnvZ8EUjVVs4KZ4L8h-bgp-hijacking-how-hackers-circumvent-internet-routing-security-to-tear-the
- 2023-09-01 Biggest BGP incidents/BGP hijacks: https://blog.lacnic.net/en/routing/a-brief-history-of-the-internets-biggest-bgp-incidents
- 2022-09-22 BGP hijack, mis-issued GoGetSSL DV certificate: https://arstechnica.com/information-technology/2022/09/how-3-hours-of-inaction-from-amazon-cost-cryptocurrency-holders-235000/
- 2022-09-09 Celer Bridge incident analysis: https://www.coinbase.com/en-nl/blog/celer-bridge-incident-analysis
- 2022-02-16 Crypto Exchange KLAYswap Loses $1.9M After BGP Hijack: https://www.bankinfosecurity.com/crypto-exchange-klayswap-loses-19m-after-bgp-hijack-a-18518

🌘BACKGROUND INFO🌒

- 2024-08-01 "Cloudflare once again comes under pressure for enabling abusive sites" (Dan Goodin, Aug 1, 2024): https://arstechnica.com/security/2024/07/cloudflare-once-again-comes-under-pressure-for-enabling-abusive-sites/
- 2018-08-15 Usenix-18: "Bamboozling Certificate Authorities with BGP": https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee

Edited 2024-09-05 14:19 UTC: corrected the link for the "jabber.ru" incident.

#DV #LE #LetsEncrypt #Certificates #Certs #Misissuance #Mis_issuance #Revocation #Revoked #Weaknessess #WeakCertificates #WeakAuthentication #Authentication #Impersonation #Identification #Infosec #DNS #DNSHijacks #SquareSpace #Authorization #UnauthorizedChanges #UnauthorizedModifications #DeFi #dydx_exchange #CryptoCoins

@oliversampson @kaye

Primary passkeys advantage:
• With some uncommon exceptions, you cannot (be persuaded to) log in to a phishing website with a (slightly) different domain name *USING A PASSKEY* (see below) - because software (not you) checks the domain name.

Some passkeys disadvantages:
• Typically you yourself do not have access to each passkey's private key (*) (usually you can't back them up/export them). Risks: vendor lock-in and losing access to accounts.

• Because there's a risk of losing access to passkeys and thus to accounts, usually accounts can also be accessed using a rescue code - which renders them phishable again.

• Implementation errors (both Apple and Android suffered from them, and probably still do - I did not check today).

(*) For each new passkey, your device generates a unique complementary keypair. The public key is stored in your account on the server and is used to verify that your device has access to the complementary private key, which is kept secret. However, even if attackers do not have access to your private key(s), there are other ways for them to obtain access to your account(s).

A reasonable alternative to passkeys is using a password manager that "integrates" with the browser to verify the domain name of the site you're logging in to. Android and iOS "Autofill" provide such a bridge between password managers and browsers (without requiring browser plug-ins).
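As an added illustration of the domain check this thread describes (example code, not from any of the posts above): a minimal Go model of passkey registration and login, where the authenticator signs over the RP ID the browser hands it, so a lookalike domain gets no assertion at all, and the server verifies with its own RP ID. The payload format is a simplified stand-in for WebAuthn's authenticatorData and clientDataJSON; bank.example, bank-login.example and the challenge are constructed values.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator keeps the private key, bound to the RP ID it was created for.
type Authenticator struct {
	rpID string
	priv ed25519.PrivateKey
}

// Register creates a keypair for rpID; only the public half goes to the server.
func Register(rpID string) (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{rpID, priv}, pub, nil
}

// payload is a simplified stand-in for WebAuthn's signed data: SHA-256(rpID) || SHA-256(challenge).
func payload(rpID string, challenge []byte) []byte {
	rp, ch := sha256.Sum256([]byte(rpID)), sha256.Sum256(challenge)
	return append(rp[:], ch[:]...)
}

// Assert is given the requesting page's domain by the browser; software, not the user, refuses a stranger.
func (a *Authenticator) Assert(domain string, challenge []byte) ([]byte, error) {
	if domain != a.rpID {
		return nil, fmt.Errorf("no passkey registered for %s", domain)
	}
	return ed25519.Sign(a.priv, payload(domain, challenge)), nil
}

// Verify is the server side: it recomputes the payload with its own RP ID.
func Verify(rpID string, pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, payload(rpID, challenge), sig)
}

func main() {
	auth, pub, _ := Register("bank.example") // constructed RP ID
	challenge := []byte("constructed-random-challenge")
	_, err := auth.Assert("bank-login.example", challenge) // constructed lookalike domain
	sig, _ := auth.Assert("bank.example", challenge)
	fmt.Println("lookalike:", err, "| genuine:", Verify("bank.example", pub, challenge, sig))
}
```

Note what the model does not cover: once Verify returns true, the session cookie the server then issues is outside this protection, which is the point made earlier in the thread.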