Tired of memorizing countless #passwords? The latest #passkeys technology promises a simple solution.
But how close are we really to that future? In my latest blog post I take a critical look at the current challenges of passkeys.
Find out more about the future of digital authentication. 🚀💻
PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.
The funniest part is that no matter how many security factors we use to replace passwords (two factor auth, passkeys, security keys, etc) there's always a backup that's just another password.
Structural security trumps computational security ... or ...
Diffuse structural security trumps amalgamated computational security ...
All your big, strong passkeys in one basket is less secure than your passwords in many individual baskets ...
Trying to explain this to tech bros can resemble pushing a wagon uphill ...
Because they want to sell something, logic is not paramount.
"A password in my brain is generally safer than an app or SMS stream that can be compromised. Although a passphrase may in some cases not be computationally more secure than a token mechanism or two-factor system, the simple passphrase is often structurally more secure because that passphrase only links to and exposes one service target."
"I like to compare it to having one basket of eggs in one spot, and many baskets of eggs in many places. If your one basket of eggs has the master key to all the other stronger keys, is it easier to get the one basket, or the many baskets with weaker keys? So in this scenario cipher strength is not the most important factor for security. With a single basket one fox or pick-pocket or one search warrant can own all of your eggs for all your services."
Am I the only one confused by #passkeys? They feel clunky, it's not at all clear what is going on, and honestly doesn't feel any different than a password manager (but somehow worse)
I really don't even understand what is going on under the hood. Are there any good explainers out there? #ux #passkey
»Some people consider »Schalke04« a good club, but it is not a good #password«
Every year the same topic comes up, and I still have the same answer:
Use generated passwords via @keepassxc or @bitwarden, additionally secured with a #2FA / #TOTP entry. Creativity is not secure in #IT, but the technique just mentioned is, and (in future) the #Passkey method as well.
I hope that passkeys are not affected in this regard, just as password managers like @keepassxc and @bitwarden including 2FA already provide greater protection against AI.
»GPT-4 can exploit known security vulnerabilities on its own:
Researchers found that GPT-4 can successfully exploit 13 of 15 vulnerabilities using only the associated vulnerability descriptions.«
I’m all for the idea of passkeys. But I am not for the idea of Google or Apple knowing my fingerprint or face. I have all that turned off as strongly as possible without searing off my fingerprints or cutting off my face.
First screenshot is the real PIN prompt, second one is a JavaScript prompt() with a custom prompt text.
The only differences are:
• PIN dialog is at the top of the window, prompt() centered.
• PIN dialog says "Sign In" on the button, prompt() says "OK" (which is not customizable).
• PIN dialog has "https://", prompt() just the domain.
I'd say that makes it pretty trivial to phish for Passkey PINs … 🤦♂️
eBay just offered to let me set up a #passkey. Naturally, I decided this was a good idea. Except they only let me set up one passkey. That's not how this is supposed to work. That's not how any of this is supposed to work, eBay!
Now that my favorite browser #Firefox and beloved password manager #KeePassXC both support #Passkeys, I decided to spend some time checking them out.
And boy oh boy are passkeys not ready yet in Firefox. I love Firefox and wish them well, but they really need to do some testing. There are major issues.
#PassKey creation is straight-up broken and resulting in reproducible crashes on both google.com and webauthn.io
Now that all major desktop browsers support #Passkeys (caniuse.com/passkeys), is there an effort happening to create browser-level APIs open to everybody to ensure passkeys can be used effectively?
While #1Password open sourced their implementation blog.1password.com/passkey-cra… of #passkey-crates, the question is: is any work happening on Passkey APIs for browser extensions (i.a. password managers) to use?
While it is great to see big tech move the needle on this and announce their implementations and push this technology, it is a pity those efforts seem to focus around siloing and limiting passkey usage to their implementation / tech.
For example Apple makes it impossible for e.g. @keepassxc to generate passkeys in the browser.
Are there plans to work on open browser APIs? Is there any public info / efforts you are aware of and can share @rmondello? Specifically for #macOS it would be great if Passkey creation / authentication could be used via Apple APIs.
Does anyone know of a modern #Android phone which allows call recording without root?
I'm currently on an aging 5T running #LineageOS and can record calls just fine - a button in the dialler lets me record straight from the line. I don't need to put it on speaker and record via the microphone.
(Looking for 1st hand experience, not search results. No need to reply to discuss the legality of call recording. I need root-less for online banking etc.)
The FIDO specification defines a form of Universal 2nd Factor (U2F) when users log in to a system. Rather than relying on one-time codes sent via SMS, or displayed on a phone screen, these are physical hardware tokens which are used to supplement passwords. When used with websites, this technology is also known as WebAuthn.
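Added example (not from any of the posts above, nor from the FIDO specification itself): a minimal model of the WebAuthn assertion check a relying party performs. The authenticator signs authenticatorData || SHA-256(clientDataJSON), and because the browser, not the user, writes the origin into clientDataJSON, a signature produced on a look-alike site fails verification at the real site. The rpId "example.com", the challenge "c0ffee" and the JSON blobs are constructed sample values; the authenticatorData layout is reduced to rpIdHash, flags and signCount.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// buildAuthData constructs minimal authenticatorData: SHA-256(rpId) || flags || signCount.
func buildAuthData(rpID string, signCount uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := append(h[:], 0x01) // flags byte: user present (UP) only
	return append(out, byte(signCount>>24), byte(signCount>>16), byte(signCount>>8), byte(signCount))
}

// toBeSigned is the exact message the authenticator signs: authData || SHA-256(clientDataJSON).
func toBeSigned(authData, cdj []byte) []byte {
	cdh := sha256.Sum256(cdj)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return m[:]
}

// verify plays the relying party: the signature only counts if type, origin, challenge and rpIdHash all match.
func verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, authData, cdj, sig []byte) bool {
	var cd map[string]string // constructed clientDataJSON carries only string fields
	if json.Unmarshal(cdj, &cd) != nil || cd["type"] != "webauthn.get" ||
		cd["origin"] != origin || cd["challenge"] != challenge {
		return false
	}
	want := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], want[:]) {
		return false
	}
	return ecdsa.VerifyASN1(pub, toBeSigned(authData, cdj), sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // per-site key created at registration
	ad := buildAuthData("example.com", 1)
	cdj := []byte(`{"type":"webauthn.get","challenge":"c0ffee","origin":"https://example.com"}`)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, toBeSigned(ad, cdj)) // authenticator side
	fmt.Println("genuine origin accepted:", verify(&priv.PublicKey, "example.com", "https://example.com", "c0ffee", ad, cdj, sig))
}
```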