I tried setting up a #passkey with PayPal today. If all my devices were made by Apple, I'd be all set. But Windows and #Linux desktops are not supported, along with any browser not made by Apple or Google.
If every login involves Google or Apple, I can't see how this is the "future of passwords". #security#CyberSecurity
And being able to use passkeys on some devices and browsers and not others just seems like a mess.
#passkey login really needs to be more consistent across applications. @bitwarden wants the master password after login with #Passkeys - what's the passkey for, then??? #PayPal asks for a TOTP after logging in with my passkey.
Passwords are considered insecure, which is why companies like Google, Microsoft and Apple want to push the concept of passkeys into the market. Is that the right way, or is it just marketing?
Here's an attempt at the #ThreadOfThreads idea: one 🧵 each in English and German about every one of my Fediverse threads.
To start, I'm beginning with the list of my #Top10 most-read articles. Enjoy your #FeiertagsLesen (holiday reading)!
🔟 Not really «Responsible Disclosure»: the extra helping of spam over the holidays (2023-12)
Not even two days old and already making it into the #TopTen, wow!
4️⃣ Cloud undermines the security of two-factor authentication (2023-09)
Two-factor authentication is an important aspect of securing our online infrastructure and data. Unfortunately it requires a few extra steps and precautions, which is why many users don't have it enabled. #PassKey is supposed to simplify that. But it shouldn't be so easy to sync them to supposedly new devices… #2FA#MFA https://dnip.ch/2023/09/19/cloud-untergraebt-sicherheit-von-zwei-faktor-authentifizierung/
When implementing #WebAuthn on an Identity Provider's side, where exactly should one draw the line between #SecurityKey and #Passkey? I see that most platforms make a distinction between those. Can anyone link me some article or blog post on this topic? If I were to implement security key and passkey support on a provider that does not yet support any WebAuthn, should I go down the same route?
My current assumption is that during passkey registration you'd set "residentKey = required" and "userVerification = required", whereas for a security key you'd set "residentKey = discouraged" and "userVerification = preferred".
Also, I'm assuming that a security key can also function as a form of #passwordless multi-factor authentication if UV was true during registration AND authentication. Obviously without the neat part of Passkeys where you don't have to manually enter the username.
@ljrk@lexd0g It's worse because #Passkey brick a lot of workflows and systems as an addon-layer instead of fixing the core problem.
And the core problem is that #ITsec, #OpSec, #ComSec and #InfoSec are just "Afterthoughts" at best for all but the most #TechLiterate.
Using i.e. #PGP encryption and login on everything [and not as a "password replacement"] would be a way better fix.
Just like @torproject does a self-signing namespace on #OnionServices.
Nor do they solve the problem that platforms / logins don't do basic behaviour-based protection against just spamming credentials or irregular patterns.
@ljrk@lexd0g I think forcing people to learn actual encryption and tech would be better...
Whilst Passkeys can't be phished once established, the whole TOFU setup OR Key Custody issues still exist until it's set up.
And considering how hard it is to convince people to exercise proper ITsec and encrypt their shit see [#PGP/MIME on #eMail] I think forcing people to learn absolute basics will work far better.
@ljrk@lexd0g
And yes, I think that instead of Passkeys we should've yeeted SSL for PGP as this would've made login-bruteforcing like with #23AndMe more resource-costly, slower to do and more likely to get caught early on.
@ljrk@lexd0g Think of me what you will, but to me #Passkey|s are a hindrance because we failed to make #TechLiteracy mandatory the way we did it for cars...
Translated from German:
... Please keep the chat open until then. Simply close the app or your browser. ...
Looking at you #PayPal. Incidentally, has anyone with the supported configurations in their FAQ (e.g., macOS with Chrome/Safari) managed to actually add a #Passkey there?
Of all the "alternative" login methods, not even starting on 2FA, #Passkey is the one I like least. First, it merely moves the same old public-key authentication from the transport layer to the application layer, and second, we now know really very precisely how badly even more skilled users are able to handle key material.
GitHub passkeys are now supported on Firefox+Ubuntu?
I thought built-in passkeys weren't supported yet on ubuntu, and firefox was waiting on ubuntu to implement. #passkey#firefox
Edit: This may be related to something special 1Password is doing.
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #46/2023 is out! It includes the following and much more:
➝ 🔓 🇯🇵 #Toyota confirms breach after Medusa #ransomware threatens to leak data
➝ 🇺🇸 😂 Ransomware gang files #SEC complaint over victim’s undisclosed #breach
➝ 🔓 🪶 Attackers claim Plume Design, Inc data breach
➝ 🇺🇸 💰 #ICBC paid ransom after hack that disrupted markets, #cybercriminals say
➝ 🔓 #Dragos Says No Evidence of Breach After Ransomware Gang Claims Hack via Third Party
➝ 🔓 ✈️ Hackers swipe Booking.com, damage from attack is global
➝ 🇷🇺 🇺🇦 Russian #CyberEspionage Group Deploys #LitterDrifter USB #Worm in Targeted Attacks
➝ 🇮🇱 🇺🇸 Israeli Man Who Made $5M From Hacking Scheme Sentenced to Prison in US
➝ 🇫🇮 ⚖️ Alleged Extortioner of Psychotherapy Patients Faces Trial
➝ 🇺🇸 💸 #LockBit ransomware exploits #CitrixBleed in attacks, 10K servers exposed
➝ 🇺🇸 ⚖️ #IPStorm botnet with 23,000 proxies for malicious traffic dismantled
➝ 👶🏻 🧨 Teens with “digital bazookas” are winning the ransomware war, researcher laments
➝ 💸 #Ethereum feature abused to steal $60 million from 99K victims
➝ 🇩🇰 🇷🇺 #Denmark Hit With Largest #Cyberattack on Record
➝ 🇨🇳 🇰🇭 Chinese Hackers Launch Covert #Espionage Attacks on 24 Cambodian Organizations
➝ 🇲🇾 Major Phishing-as-a-Service Syndicate '#BulletProofLink' Dismantled by Malaysian Authorities
➝ 🇪🇺 🥳 EU Parliament committee rejects mass scanning of private and encrypted communications
➝ 🩹 #ICS Patch Tuesday: 90 Vulnerabilities Addressed by Siemens and Schneider Electric
➝ 🦠 🐍 27 Malicious #PyPI Packages with Thousands of Downloads Found Targeting IT Experts
➝ 🇻🇳 🇮🇳 Vietnamese Hackers Using New #Delphi-Powered #Malware to Target Indian Marketers
➝ 🔐 #Google Adds #Passkey Support to New Titan Security Key
➝ 🐛 Zero-Day Flaw in #Zimbra Email Software Exploited by Four Hacker Groups
➝ 🩹 #SAP Patches Critical Vulnerability in Business One Product
➝ 🐛 New #Reptar CPU flaw impacts Intel desktop and server systems
➝ 🐛 New #CacheWarp AMD #CPU attack lets hackers gain root in Linux VMs
📚 This week's recommended reading is: "Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World" by @marcusjcarey and Jennifer Jin
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
Primary storage is via #bitwarden with a local #vaultwarden installation (both need to be version 23.10 at least)
Secondary storage is a #yubikey 5 NFC which I carry with me. This one allows me to use the passkey on my iPhone (iPad not tested yet)
Tertiary storage is another (cheaper) Yubikey which is deposited in a safe at home
Both Yubikeys are protected by a PIN which my wife knows. That way I cannot lose access to my account and have taken precautions in case I become incapacitated.
But this setup requires quite some time for each web site to switch to passkeys. That's why I am so angry with companies like Paypal who make it practically unusable.
Why, in the year 2021, can't I log in to every service I use via public key auth? I am sure we can even do this in a way that every service sees a different public key from me, so that they are uncorrelatable.
I am sure there are solutions in this direction. Can you point me to them?
@acowley What part do you mean? I assumed it’s an open standard? #Bitwarden is open source and implements it. Every webpage can implement it, right? To be fair, only service where I have successfully used passwordless login via #passkey until now is #GitHub.
Portability can of course be an issue if you save your passkeys in a proprietary cloud or device where you can’t get them out (but possibly even someone else could.)