home.social

#dumbpasswordrules — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #dumbpasswordrules, aggregated by home.social.

  1. @ScottHelme "This is mostly a list of things passkeys were never claimed to solve":

    1. You skipped the "private key never leaves the device" lie. Note that this vuln: seclists.org/fulldisclosure/20 is unfixed (see todon.nl/@ErikvanStraten/11655).

    The alternative, having access to YOUR OWN private keys does not make #BigTech lock-in vendors (i.e. Google, Apple) happy: github.com/keepassxreboot/keep.

    Btw, also unfixed: iOS/iPadOS passkeys may be used without local auth under certain conditions: todon.nl/@ErikvanStraten/11565 (@timcappalli).

    2. Nobody cares what is considered out of scope for ANY auth. solution, in particular if they're not told about it. People want to know their risks w.r.t. account takeover and account lockout. We need a safer internet.

    3. "Passkeys are not magic": I don't see "what risks remain" in scotthelme.co.uk/passkeys-101- - which is why I objected.

    4. Passkeys "are a major improvement over passwords": that depends. If people use a password manager to create unique long random passwords (which they should), and use AutoFill, then the advantages and risks (attestation?) of using passkeys vs passwords are neither clear nor easily comparable.

    #Passkeys #AndroidPasskeysGone #ApplePasskeyRisks #Passkey #PasswordManager #AutoFill #Autonomy #BigTechIsEvil #MYprivateKeys #DumbPasswordRules
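The two technical points raised in the post above, whether a passkey's private key is device-bound or synced, and whether an assertion was made with local user verification, are both visible to a relying party in the WebAuthn authenticatorData flags byte (UV, BE and BS bits, WebAuthn Level 3 section 6.1). The following is an added example, not code from the post's author, from the linked disclosures (which are truncated here and not reproduced) or from any of the referenced projects. It parses the fixed 37-byte prefix of authenticatorData and turns the flags into policy findings. The RP ID "example.com", the synthetic authenticatorData built by make_auth_data, and the finding strings are all constructed for this example.

```python
import hashlib
import struct

# Bit positions in the WebAuthn authenticatorData "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified: the authenticator performed local auth (PIN, biometric)
FLAG_BE = 0x08  # Backup Eligible: the credential may be synced / backed up off-device
FLAG_BS = 0x10  # Backup State: the credential is currently backed up
FLAG_AT = 0x40  # Attested credential data follows the counter
FLAG_ED = 0x80  # Extension data is present


def parse_auth_data(auth_data: bytes) -> dict:
    """Decode the fixed 37-byte prefix of authenticatorData: rpIdHash, flags, signCount."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    flags = auth_data[32]
    if flags & FLAG_BS and not flags & FLAG_BE:
        # Spec rule: if BE is 0, BS must be 0. Treat the combination as malformed.
        raise ValueError("BS flag set while BE is clear")
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
    }


def evaluate_assertion(auth_data: bytes, rp_id: str, require_uv: bool = True) -> list:
    """Return the policy findings a relying party would act on for one assertion."""
    parsed = parse_auth_data(auth_data)
    findings = []
    # rpIdHash must be SHA-256 of the RP ID the server expects.
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode("utf-8")).digest():
        findings.append("rpIdHash does not match the expected RP ID")
    if not parsed["user_present"]:
        findings.append("UP clear: no user presence check")
    # An RP that wants local auth must check UV itself; the flag is the only evidence it gets.
    if require_uv and not parsed["user_verified"]:
        findings.append("UV clear: no local user verification was performed")
    # BE tells the RP whether the key is allowed to exist outside the originating device.
    if parsed["backup_eligible"]:
        findings.append("BE set: synced passkey, the private key is not bound to one device")
    else:
        findings.append("BE clear: device-bound credential")
    # A zero counter means the RP cannot use signCount to detect a cloned key.
    if parsed["sign_count"] == 0:
        findings.append("signCount is 0: clone detection via the counter is unavailable")
    return findings


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a constructed 37-byte authenticatorData for testing (not real authenticator output)."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "example.com"  # constructed RP ID for the example
    samples = (
        ("device-bound, UV performed", make_auth_data(rp, FLAG_UP | FLAG_UV, 42)),
        ("synced passkey, no UV", make_auth_data(rp, FLAG_UP | FLAG_BE | FLAG_BS, 0)),
    )
    for label, ad in samples:
        print(label)
        for finding in evaluate_assertion(ad, rp):
            print("  -", finding)
```

The point of the BE/BS check is that a relying party can see, per credential, whether the "private key never leaves the device" property holds, and can refuse or step up authentication when it does not; the UV check is the server-side counterpart to whatever local auth the client claims to require.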
