#androidpasskeysgone — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #androidpasskeysgone, aggregated by home.social.
-
@jtb : yes, but AFAIK passkey private keys cannot be exported from "Apple Passwords" and neither from "Google Passwords". Which are probably used most.
Why would people install a third party password manager (often paid, and/or a privacy/security risk - remember Lastpass) if your phone comes with such an app and they're unaware of the risks?
Edited to add: my Feb. 2024 write up on Full Disclosure still mostly applies.
Screenshots, chronological:
1) Top right: contents of Google Password Manager after creating a passkey on https://webauthn.io
2) Left: tapping the "Delete data" button in https://chrome.google.com/sync
3) Bottom right: contents of Google Password Manager after tapping the "Delete data" button in https://chrome.google.com/sync. The passkey is gone.
People are wrongly made to believe that Google passkeys are stored safely on their device; they are not.
-
@rmondello : what makes passkeys strong:
1. Software checks the domain name, which makes phishing hard;
2. HTTPS is enforced, which helps prevent AitM attacks (unless Cloudflare et al. come into play);
3. A unique, long, unguessable, randomly generated "password" (public key) per account: dumb password rules and broken human RNGs no longer apply.
The rest is marketing (including the -hyped- asymmetric cryptography).
The "advantage" of denying the owner access to their own private keys hardly makes sense as long as session cookies are not device-bound.
The disadvantage of not being able to back up one's own private keys is the risk of vendor lock-in and the underestimated huge risk of account lockout [1]. And the latter leads to the necessity of being able to log in using weak authentication after the user loses access to their private keys.
[1] https://seclists.org/fulldisclosure/2024/Feb/15
#Passkeys #Phishing #PhishingResistant #AsymmetricCryptography #AndroidPasskeys #androidPasskeysGone #iOSpasskeys #iPadOSpasskeys #ApplePasskeys #BackUp #Export #BackUpPasskeys #ExportPassKeys #PasskeyBackUps #PasskeyExports
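Point 1 of the post above (the software checks the domain name) is enforced on the relying-party side by the origin and rpIdHash checks of the WebAuthn assertion ceremony. The following is an added example, not code from any poster, showing those checks with constructed sample data; the relying-party name `example.com`, the challenge bytes and the phishing origin are assumptions, and signature verification (which is what makes these fields tamper-proof) is left out for brevity.

```python
import base64
import hashlib
import json

# Assumed relying party: the RP ID and the only origin it accepts assertions from.
EXPECTED_RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_authenticator_data(rp_id: str, flags: int = 0x05, sign_count: int = 1) -> bytes:
    """Constructed authenticatorData prefix: SHA-256(rpId) || flags || signCount.
    A browser only lets a page request an RP ID that is a registrable suffix of its
    own origin, so a phishing site cannot obtain data bound to the real RP ID."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON as the browser would serialise it for navigator.credentials.get()."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}).encode()


def check_binding(client_data_json: bytes, authenticator_data: bytes, expected_challenge: bytes) -> tuple:
    """Relying-party checks that tie an assertion to the domain. Returns (ok, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url_encode(expected_challenge):
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    challenge = b"\x11" * 32  # constructed; a real RP draws this from a CSPRNG per login
    print(check_binding(make_client_data("https://example.com", challenge),
                        make_authenticator_data("example.com"), challenge))
    print(check_binding(make_client_data("https://example.com.evil.test", challenge),
                        make_authenticator_data("example.com.evil.test"), challenge))
```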