Spent the entire holiday studying. Still having lots of difficulty with React, my head just can't wrap around the syntax of this thing.
At least I finished setting up my old laptop with Ubuntu. Thanks to passkeys on @1password, setting all my apps and browsers was a breeze. It's nice to live in the future!
Am I right in assuming that only one hardware-bound passkey can be stored for a given domain on a FIDO security key? Since they're discoverable, you can't keep more than one account there per domain, because you can't choose which one to send.
Apparently I'm wrong, I tried and it works, which confuses me since the rpID is the only bit of data that the relying party is required to pass to the authenticator and it coincides with the domain. So, how do you avoid disclosing multiple #passkeys for the same domain?
What passkeys are, how to use them, and whether they are a better solution than passwords - @kacperszurek explained this during yesterday's webinar, recording below:
In the midst of the Passkeys hype, a quick reminder for browser makers that developers would definitely benefit from an open API that could be used to listen to WebAuthn/Passkeys requests directly in a friendly way. Currently every password manager browser extension injects JavaScript into all web pages because they don't have any other option.
I see lots of benefits, but also some risk. The rush to make logins easier seems to be lowering the security bar. Storing passkeys in #1Password makes me a bit nervous because it seems to rely on a single authentication. Just using a password out of 1PW still needed 2FA if I didn't mark the device trusted. For some services, I never store trust. 2FA always. #InfoSec
Let's not forget #Google - like all #GAFAMs - was a #PRISM collaborator, is subject to #CloudAct and #ITAR and thus not only capable but able and willing beyond the legally mandated minimums to do so.
#Passkeys have a lot of confusion and valid criticism around them. However, there is one huge benefit that I feel like no one is talking about: they effectively eliminate password breaches as we know them!
It looks like BitWarden is following suit with 1Password and returning "uv:true" in WebAuthn authentication requests even though the user isn't prompted for anything more than to confirm the use of a passkey. The unlocking of the vault is considered the user-verifying event...
As an end user I appreciate the streamlined experience. But as an RP I'm disappointed - what if vault unlock occurred 5/10/30 minutes prior? Someone could cruise by someone's desk when the vault is unlocked and auth as the vault owner and the RP would be none the wiser 😢
It's a tough middle point that passkey providers have to try and find 🥴
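The two threads above (whether an authenticator can hold several credentials under one rpID, and what an RP can actually conclude from a `uv:true` response) both come down to the `authenticatorData` bytes the RP receives. The following is an added example, not code from any of the posters or from 1Password or Bitwarden: it parses the fixed 37-byte prefix of `authenticatorData` (rpIdHash, flags, signCount), checks that the rpIdHash matches the RP ID the server expects, and applies a configurable user-verification policy. The RP ID `example.com` and the sample byte strings are constructed for the demo; the flag bit positions are those defined by the WebAuthn specification.

```python
import hashlib
import struct

# Flag bits in the WebAuthn authenticatorData "flags" byte.
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified
FLAG_BE = 0x08  # Backup Eligible (credential may be synced, e.g. a password-manager passkey)
FLAG_BS = 0x10  # Backup State (credential is currently backed up / synced)
FLAG_AT = 0x40  # Attested credential data included (registration only)
FLAG_ED = 0x80  # Extension data included


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def check_assertion(auth_data: bytes, expected_rp_id: str, require_uv: bool) -> tuple:
    """RP-side checks on an assertion's authenticatorData.

    Returns (ok, reason). The rpIdHash check is what scopes a credential to a
    domain; the UV check is the only signal the RP gets about user verification,
    and as the posts above note it says nothing about *when* the vault was unlocked.
    """
    parsed = parse_authenticator_data(auth_data)
    expected_hash = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    if parsed["rp_id_hash"] != expected_hash:
        return False, "rpIdHash does not match the expected RP ID"
    if not parsed["user_present"]:
        return False, "UP flag not set"
    if require_uv and not parsed["user_verified"]:
        return False, "policy requires user verification but UV flag not set"
    return True, "ok"


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a sample authenticatorData prefix (test data only, not a real response)."""
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    # Constructed samples: a hardware-bound key response and a synced passkey response.
    hw_key = build_auth_data("example.com", FLAG_UP | FLAG_UV, 7)
    synced = build_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    no_uv = build_auth_data("example.com", FLAG_UP, 1)
    for name, data in [("hardware key", hw_key), ("synced passkey", synced), ("UP only", no_uv)]:
        info = parse_authenticator_data(data)
        print(name, check_assertion(data, "example.com", require_uv=True),
              "synced=" + str(info["backup_state"]), "signCount=" + str(info["sign_count"]))
```

Two things the flags tell an RP that the discussion above hints at: the BE/BS bits let a server distinguish a synced, password-manager-held passkey from a hardware-bound one and apply a stricter policy to the former, and a signCount that stays at 0 is typical of synced credentials, so it cannot be used for clone detection there. What the flags cannot tell the RP is how long ago the vault unlock happened; the only server-side lever for that is to require a fresh ceremony (a new `navigator.credentials.get()` with `userVerification: "required"`) before sensitive actions rather than trusting a session-long `uv:true`.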
Bitwarden begins adding passkey support to its password manager
Although Bitwarden now supports storing and logging in using passkeys from its browser extensions, it’s not currently possible to store passkeys in the company’s mobile app. According to Bitwarden’s FAQ, this feature is “planned for a future release.”
But I don't want to use #passkeys. I have a password manager, it's fine. Faangs and other vampire squids are going to 1) pat themselves on the back for supporting a standard, 2) make it super easy to generate keys that work with their proprietary gunk, and 3) make it difficult to export those keys. Nope.