PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.
The funniest part is that no matter how many security factors we use to replace passwords (two factor auth, passkeys, security keys, etc) there's always a backup that's just another password.
I recently implemented Passkey support in one of my apps, and ran into some limitations of the spec. I had no idea it was this bad.
I had assumed I’d be able to get my passkeys out of my Apple devices, but hadn’t put any real thought into that.
“Since then Passkeys are now seen as a way to capture users and audiences into a platform. What better way to encourage long term entrapment of users than by locking all their credentials into your platform, and even better, credentials that can't be extracted or exported in any capacity.”
Key point is this: "companies and end users should always use multi-factor authentication to lock down accounts when possible and ensure it’s compliant with the #FIDO standard when available. #MFA available through push notifications or one-time passwords provided by text, email, or authenticator apps are better than nothing, but as events over the past few years have demonstrated, they are themselves easily defeated in credential phishing attacks" #webauthn #2fa
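The reason the quoted text singles out FIDO/WebAuthn as the phishing-resistant option is that the browser, not the page, writes the origin into clientDataJSON and derives the rpIdHash in authenticatorData, so an assertion captured on a lookalike domain cannot be relayed to the real site. The following is an added example (not code from the quoted post or from any library mentioned on this page) of the relying-party checks that run before signature verification: type, challenge, origin, rpIdHash, user-presence/verification flags, and the signature counter. All byte strings, the origins example.com and examp1e.com, and the function names are constructed for the example; the final ECDSA/RSA signature check over `signed_bytes` with the stored credential public key is left to a crypto library.

```python
from __future__ import annotations

import base64
import hashlib
import json
import struct

# Relying-party expectations; all values below are constructed for this example.
EXPECTED_ORIGIN = "https://example.com"
EXPECTED_RP_ID = "example.com"
EXPECTED_CHALLENGE = b"0123456789abcdef0123456789abcdef"  # 32 fresh random bytes per ceremony in practice

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN / biometric)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the browser builds it for navigator.credentials.get().
    The browser, not the page, fills in 'origin'; that is what defeats relay phishing."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """authenticatorData layout: rpIdHash (32) || flags (1) || signCount (4, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def check_assertion(client_data_json: bytes, authenticator_data: bytes, *,
                    expected_origin: str, expected_rp_id: str, expected_challenge: bytes,
                    stored_sign_count: int, require_uv: bool = False) -> tuple[str, dict]:
    """RP-side checks that precede signature verification.
    Returns ('ok', fields) or (name_of_failed_check, {})."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return "clientDataJSON parse", {}
    if cd.get("type") != "webauthn.get":
        return "type", {}
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return "challenge", {}
    if cd.get("origin") != expected_origin:
        return "origin", {}
    if len(authenticator_data) < 37:
        return "authenticatorData length", {}
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return "rpIdHash", {}
    flags = authenticator_data[32]
    if not flags & FLAG_UP:
        return "user presence", {}
    if require_uv and not flags & FLAG_UV:
        return "user verification", {}
    (sign_count,) = struct.unpack(">I", authenticator_data[33:37])
    # Spec rule: if either counter is non-zero, the new value must strictly increase.
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        return "sign count", {}  # replay or cloned authenticator
    # What the authenticator actually signed; verify this with the stored public key next.
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    return "ok", {"sign_count": sign_count, "uv": bool(flags & FLAG_UV), "signed_bytes": signed}


def demo() -> dict:
    """Three constructed cases: a genuine assertion, the same one replayed, and one captured
    by a lookalike origin that relays the real challenge (the classic MFA phishing setup)."""
    common = dict(expected_origin=EXPECTED_ORIGIN, expected_rp_id=EXPECTED_RP_ID,
                  expected_challenge=EXPECTED_CHALLENGE, require_uv=True)
    genuine_cd = make_client_data(EXPECTED_ORIGIN, EXPECTED_CHALLENGE)
    genuine_ad = make_authenticator_data(EXPECTED_RP_ID, FLAG_UP | FLAG_UV, 42)
    genuine, fields = check_assertion(genuine_cd, genuine_ad, stored_sign_count=41, **common)
    replay, _ = check_assertion(genuine_cd, genuine_ad, stored_sign_count=42, **common)
    # The phishing page sits on examp1e.com; the victim's browser stamps that origin and rpId.
    phish_cd = make_client_data("https://examp1e.com", EXPECTED_CHALLENGE)
    phish_ad = make_authenticator_data("examp1e.com", FLAG_UP | FLAG_UV, 7)
    phished, _ = check_assertion(phish_cd, phish_ad, stored_sign_count=41, **common)
    return {"genuine": genuine, "sign_count": fields.get("sign_count"),
            "replay": replay, "phished": phished}


if __name__ == "__main__":
    print(demo())
```

The phished case fails at the origin check before anything else is looked at, and even if an attacker rewrote clientDataJSON to claim the real origin, the signature (computed over authenticatorData and the hash of the original clientDataJSON) would no longer verify. A push or OTP code carries no such binding, which is why a relay proxy defeats it.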
@Edent @ben The Omnikey 5022 works with Yubico NFC #WebAuthn on Windows (including the PIN). I have a vague memory of testing it once on Ubuntu a few years ago. Might be able to test it later if that helps?
And no, the Magic Keyboard with Touch ID when paired with #VisionPro does not permit the use of Touch ID.
I even asked this to an Apple salesperson and they didn't know and they scoffed at the question because "there's Optic ID why would you want a second factor of authentication?!?"
Hello TypeScript WebAuthn devs, I'm happy to announce the release of SimpleWebAuthn v8.3.7! This small release includes some newly exported classes and types for easier integration with your projects. Check out the CHANGELOG for full details 🚀
py_webauthn v2.0.0 is out on PyPI (as webauthn==2.0.0)! The package's core API is largely unchanged despite removing Pydantic as a dependency, but there are still some breaking changes to consider so please check out the release notes for refactor guidance 🐍 🔐
It's been six months — half a year — since Firefox 114 was released with support for FIDO2/WebAuthn. Microsoft 365 support is still broken, particularly for Linux users. You can register a security key but cannot authenticate using it.
Amusingly, Microsoft doesn't even support its Edge browser on Linux.
Attention Python WebAuthn devs: I'm contemplating removing Pydantic as a dependency of py_webauthn due to maintenance burden related to the Pydantic v2 update. For more context, and to chime in with your support or questions, please check out the following GitHub issue:
I've got a PR open too that has all the work completed, I'm just waiting a few days now to see if anyone has compelling reasons to move forward with this:
The FIDO specification defines a form of Universal 2nd Factor (U2F) when users log in to a system. Rather than relying on one-time codes sent via SMS, or displayed on a phone screen, these are physical hardware tokens which are used to supplement passwords. When used with websites, this technology is also known as WebAuthn.