iamkale

@iamkale@infosec.exchange

Full Stack web dev, WebAuthn expert. Creator of SimpleWebAuthn, maintainer of py_webauthn, steward of webauthn.io. Duonaut @ Cisco.

I also like video games and gadgets 👾

My toots are my own.


tcannonfodder, to random

@iamkale hey hey! Any chance we can get devise-passkeys added to Webauthn.io with an "alpha" flag? https://github.com/ruby-passkeys/devise-passkeys

I'm trying to get more folks to battle-test the library, which is a devise-specific wrapper around webauthn-ruby. :)

iamkale,

@tcannonfodder Can you please create a new issue on https://github.com/duo-labs/webauthn.io so I'll remember to take a closer look? ✌️

iamkale, to random

YouTube Premium is jumping up in price, from $14.99 to $22.99/mo, with not even a modicum of effort to toss in some extra "value" to justify the raise. A ridiculous, blind cash grab, but they know the current incarnation of YouTube ads makes it unpalatable to stop subscribing. Talk about a rock and a hard place 😩

#YouTubePremium

iamkale,

@ligniform YouTube Premium keeps ads away when I watch on Apple TV, my phone, my friend's TVs...basically everywhere else uBlock Origin isn't available haha

gnyman, to random

Does anyone have a good working Passkeys with the Conditional UI?

For those that don't know, the conditional UI is where if you have a passkey for the site, the browser will detect that and suggest you log in with that.

This is, I think, a key part of what will make the passkeys experience better than anything else. But most demos don't use it and instead are just fancier WebAuthn versions where you have to enter email and/or password, or remember that you have used passkeys (when prompted with 4 different alternatives).

passkeys.com is almost there but for some reason it doesn't work in Safari. It shows the UI but nothing happens. If I click the login button, it will correctly prompt me. I'm aware this might be a Safari bug but still wondering if someone has a version where this works, if it can work. #passkeys

iamkale,

@gnyman I added conditional UI to https://webauthn.io a while back, it should work in all browsers that support conditional UI unless the browser has some kind of bug related to the feature.

mav, to random

I started off this morning reading the #FIDOalliance 's whitepaper on multi-device #FIDO authenticators (aka #passkeys) and now I definitely don't trust them (the FIDO Alliance, not the tech.)

https://media.fidoalliance.org/wp-content/uploads/2022/03/How-FIDO-Addresses-a-Full-Range-of-Use-Cases-March24.pdf

Read this and tell me what's missing from it. Maybe it's just me, but it seems extremely obvious.

iamkale,

@mav I think it's just you, what's missing?

iamkale, to random

Hey @mttvll are you considering adding some kind of visual indicator to Woolly's notifications tab when there are unread notifications? Have the majority of your users been okay without that?

iamkale, to random

I had a chance to dogfood Google's passkeys support a couple of weeks back. I'd have posted about my experiences sooner but was requested not to until it launched.

Well today's the day! My review of Google's support of passkeys: it's great! Much better than the "find your YouTube app to approve this login then make your way back here" flow that Google loved defaulting to even with TOTP set up as a second factor. Passkeys sign in happens so quickly, too; I don't have to futz around with my TOTP app to find the code I need, I just tap a button and look at my phone.

I see lots of positive response to the news, too, which makes me happy. I feel like this will drive more people to learn about WebAuthn and hopefully see the benefits of using it for sign in: it's a faster, more convenient way of signing in (and of course it's more secure but most people outside of our sphere don't care about that.) This would in turn drive demand for the technology across more and more sites because, "it's so simple to sign into Google, why can't you do that?"

All in all I'm happy to see such a huge Relying Party like Google commit to supporting passkeys. Here's to a more passwordless world!

#WebAuthn #passkeys

iamkale,

@simonzerafa Third-party "passkey providers" will start becoming an option as operating systems start adding platform APIs for password managers/etc... to create, store, and sync passkeys outside of Apple/Google/etc... clouds.

Android has an alpha of their support for third-party passkey providers so it'll probably become a reality sooner than later https://developer.android.com/jetpack/androidx/releases/credentials

Remember, passkeys are still "v1", and the ecosystem is actively expanding in functionality, so stay tuned ✌️

iamkale,

@tpmajer It's very helpful early on when diagnosing WebAuthn-related issues to identify which OS and browser combination is exhibiting the symptoms.

iamkale,

@vdelitz I mean, Apple officially launched their passkeys support last September and they're a pretty big company...

"...a manner like Google did"

Can you clarify the aspect of Google's launch that you're interested in? Is it specifically about securing a provider's cloud account with passkeys? Just generally supporting passkeys for auth?

iamkale,

@vdelitz Understanding your question better, I have to admit I'm not aware of anyone else who's rolled out passkeys support so extensively to such a large number of users. That's probably why there's been so much hype about Google's support: prior to it passkeys support was kind of a "best effort" across a few fairly popular sites.

The only other company I could see making such a big deal out of adding passkeys login support might be Meta, just from the continued sheer size of their user base across Facebook, Instagram, and WhatsApp.

I was more curious in finding a passkey-first player that proactively pushes its users towards passkeys...

BTW I was wondering how far Google took "passwordless", and it turns out creating a new Google account still requires you to set up a password 😂

rmondello, to random

So, what’ll support passkeys first? Bluesky or Mastodon? Whichever it is will have all of my love.

iamkale,

@nsa @rmondello It's gonna be nostr, they'll treat clients like wallets and derive passkeys from your private key 😂

timcappalli, to random

The beginning of the end for #BeReal 😥

iamkale,

@timcappalli "Let's give them more of what they're not using, that'll restore engagement metrics!!"

iamkale, to random

Nothing like trying to fix Algolia-backed search on your library's docs site that's been broken for six months, only to discover ghosts in the machines hosting it all. I haven't changed anything about my site, search worked fine before. But the machinations behind the scenes get refactored and updated over time, and I'm stuck trying to piece together what all went wrong.

My favorite part so far was the discovery that the Algolia crawler was following canonical URLs on pages with URLs ending in a slash (it's a static site so it's index.html files all the way down). Netlify then responded with HTTP 301 redirects so the crawler ended up skipping every page on the site because it was a non-HTTP 200 response.

And even better Netlify was prettifying these URLs despite my going into the deployment's settings on that side of things and visually confirming that the "Prettify URLs" option was disabled...or at least appeared so. Enabling the option and then immediately disabling it seemed to stop the HTTP 301 redirects. At which point the Algolia crawler reported that it'd stop skipping every page on my site.

Now I have to figure out why searches on the site using a read-only API key report no results, while debug searches within Algolia, using the read-write API key are happy to return results from the same indices for the same query 😩

alanb, to random

Seems to be a new trend of Japanese CMs to end with a "Hallo". Which is just weird.

iamkale,

@alanb Sounds like you've come full-circle from the late-2000s CMs with that comedian that went stoic and delivered a single "bye"

iamkale, to random

My kingdom for a web-based, git-focused Hugo editor that works with its Page Bundles feature:

https://gohugo.io/content-management/page-bundles/

I just tried out TinaCMS but unfortunately it (like many other such CMS's) expects media to get thrown into a single big bucket of a "static/media/" folder. I've liked how easy it is to keep track of a post's media since it's in the same folder as the post's index.md, but maybe it's not worth it if it means I can't wrap the site in a web-based editing experience.

Anyone have any advice for me here?

#blogging #hugo

iamkale, to random

Someone animated a proper #Animusic routine to #Mario music :mind_blown: https://www.youtube.com/watch?v=vSmWeQ8LOFQ

iamkale, to random

Okay that's enough OIDs analysis for today 😩

GossiTheDog, to random

deleted_by_author

  • iamkale,

    @GossiTheDog I hate the idea that things I've contributed to the Mastodon fediverse get split up across instances if I ever move out of infosec.exchange to another community I feel I vibe more with. "Account portability" here means you can bring your followers list along to a new instance, but all your existing content gets left behind on the old instance. This aspect plays out horribly in my head whenever I consider migrating:

    "Now where did I post that again?" And then I waste a bunch of time searching multiple instances 🙃

    iamkale,

    @GossiTheDog Maybe that's the trick: I need to treat content I post anywhere other than my blog as ephemeral, and be okay if it all vanishes one day.

    But that kinda runs counter to my social media persona of "WebAuthn fanatic who posts about recent developments to help others follow its evolution." I've considered that maybe I need to document more things as blog posts instead of throwing these things out into short-form social media posts. But then again there's actual interaction (and more dopamine) seeing notification counters go up, vs anything I'd see in Cloudflare's coarse, DNS-based analytics for whatever I post to my site.

    I don't otherwise post a lot about my personal life because it feels too intimate to share to, no offense to you all who have been really chill to date, "total strangers on the internet."

    iamkale, to typescript

    SimpleWebAuthn just hit 500 stars on GitHub 🌟 🥳

    https://github.com/MasterKale/SimpleWebAuthn

    #TypeScript #WebAuthn
