home.social
Sign in Create account

#backuppasskeys — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #backuppasskeys, aggregated by home.social.

  1. Erik van Straten @[email protected] ·

    @rmondello : what makes passkeys strong:

    1. Software checks the domain name, which makes phishing hard;

    2. Https is enforced, which helps prevent AitM attacks (unless Cloudflare et al. come into play);

    3. A unique, long, unguessible, randomly generated "password" (public key) per account: dumb password rules and broken human RNG's no longer apply.

    The rest is marketing (including the -hyped- asymmetric cryptography).

    The "advantage" of denying the owner access to their own private keys hardly makes sense as long as session cookies are not device-bound.

    The disadvantage of not being able to back up ones own private keys is the risk of vendor lock-in and the underestimated huge risk of account lockout [1]. And the latter leads to the necessity of being able to log in using weak authentication after the user loses access to their private keys.

    @brandonbutler

    [1] seclists.org/fulldisclosure/20

    #Passkeys #Phishing #PhishingResistant #AsymmetricCryptography #AndroidPasskeys #androidPasskeysGone #iOSpasskeys #iPadOSpasskeys #ApplePasskeys #BackUp #Export #BackUpPasskeys #ExportPassKeys #PasskeyBackUps #PasskeyExports

    #passkeys #phishing #phishingresistant #asymmetriccryptography #androidpasskeys #androidpasskeysgone
  2. Erik van Straten @[email protected] ·

    @rmondello : what makes passkeys strong:

    1. Software checks the domain name, which makes phishing hard;

    2. Https is enforced, which helps prevent AitM attacks (unless Cloudflare et al. come into play);

    3. A unique, long, unguessible, randomly generated "password" (public key) per account: dumb password rules and broken human RNG's no longer apply.

    The rest is marketing (including the -hyped- asymmetric cryptography).

    The "advantage" of denying the owner access to their own private keys hardly makes sense as long as session cookies are not device-bound.

    The disadvantage of not being able to back up ones own private keys is the risk of vendor lock-in and the underestimated huge risk of account lockout [1]. And the latter leads to the necessity of being able to log in using weak authentication after the user loses access to their private keys.

    @brandonbutler

    [1] seclists.org/fulldisclosure/20

    #Passkeys #Phishing #PhishingResistant #AsymmetricCryptography #AndroidPasskeys #androidPasskeysGone #iOSpasskeys #iPadOSpasskeys #ApplePasskeys #BackUp #Export #BackUpPasskeys #ExportPassKeys #PasskeyBackUps #PasskeyExports

    #passkeys #phishing #phishingresistant #asymmetriccryptography #androidpasskeys #androidpasskeysgone
  3. Erik van Straten @[email protected] ·

    @rmondello : what makes passkeys strong:

    1. Software checks the domain name, which makes phishing hard;

    2. Https is enforced, which helps prevent AitM attacks (unless Cloudflare et al. come into play);

    3. A unique, long, unguessible, randomly generated "password" (public key) per account: dumb password rules and broken human RNG's no longer apply.

    The rest is marketing (including the -hyped- asymmetric cryptography).

    The "advantage" of denying the owner access to their own private keys hardly makes sense as long as session cookies are not device-bound.

    The disadvantage of not being able to back up ones own private keys is the risk of vendor lock-in and the underestimated huge risk of account lockout [1]. And the latter leads to the necessity of being able to log in using weak authentication after the user loses access to their private keys.

    @brandonbutler

    [1] seclists.org/fulldisclosure/20

    #Passkeys #Phishing #PhishingResistant #AsymmetricCryptography #AndroidPasskeys #androidPasskeysGone #iOSpasskeys #iPadOSpasskeys #ApplePasskeys #BackUp #Export #BackUpPasskeys #ExportPassKeys #PasskeyBackUps #PasskeyExports

    #passkeys #phishing #phishingresistant #asymmetriccryptography #androidpasskeys #androidpasskeysgone
  4. Erik van Straten @[email protected] ·

    @rmondello : what makes passkeys strong:

    1. Software checks the domain name, which makes phishing hard;

    2. Https is enforced, which helps prevent AitM attacks (unless Cloudflare et al. come into play);

    3. A unique, long, unguessible, randomly generated "password" (public key) per account: dumb password rules and broken human RNG's no longer apply.

    The rest is marketing (including the -hyped- asymmetric cryptography).

    The "advantage" of denying the owner access to their own private keys hardly makes sense as long as session cookies are not device-bound.

    The disadvantage of not being able to back up ones own private keys is the risk of vendor lock-in and the underestimated huge risk of account lockout [1]. And the latter leads to the necessity of being able to log in using weak authentication after the user loses access to their private keys.

    @brandonbutler

    [1] seclists.org/fulldisclosure/20

    #Passkeys #Phishing #PhishingResistant #AsymmetricCryptography #AndroidPasskeys #androidPasskeysGone #iOSpasskeys #iPadOSpasskeys #ApplePasskeys #BackUp #Export #BackUpPasskeys #ExportPassKeys #PasskeyBackUps #PasskeyExports

    #passkeys #phishing #phishingresistant #asymmetriccryptography #androidpasskeys #androidpasskeysgone