home.social

#passkey — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #passkey, aggregated by home.social.

  1. Microsoft retires SMS verification codes and pushes passkey passwordless sign-in across the board
    Microsoft announced that it will stop sending SMS verification codes to personal accounts in phases, switching to passkeys, a verified backup email address and […]
    #科技新聞 (tech news) #Windows 11 #資訊保安 (information security) #microsoft
    unwire.hk/2026/05/20/microsoft

  2. @ScottHelme "This is mostly a list of things passkeys were never claimed to solve":

    1. You skipped the "private key never leaves the device" lie. Note that this vuln: seclists.org/fulldisclosure/20 is unfixed (see todon.nl/@ErikvanStraten/11655).

    The alternative, having access to YOUR OWN private keys does not make #BigTech lock-in vendors (i.e. Google, Apple) happy: github.com/keepassxreboot/keep.

    Btw, also unfixed: iOS/iPadOS passkeys may be used without local auth under certain conditions: todon.nl/@ErikvanStraten/11565 (@timcappalli ).

    2. Nobody cares what is considered out of scope for ANY auth. solution, in particular if they're not told about it. People want to know their risks w.r.t. account takeover and account lockout. We need a safer internet.

    3. "Passkeys are not magic": I don't see "what risks remain" in scotthelme.co.uk/passkeys-101- - which is why I objected.

    4. Passkeys "are a major improvement over passwords": that depends. If people use a password manager to create unique long random passwords (which they should), and use AutoFill, then the advantages and risks (attestation?) of using passkeys vs passwords are not clear, nor easily comparable.

    #Passkeys #AndroidPasskeysGone #ApplePasskeyRisks #Passkey #PasswordManager #AutoFill #Autonomy #BigTechIsEvil #MYprivateKeys #DumbPasswordRules


  6. @ScottHelme: why do security people not mention any disadvantages of authentication mechanisms, and even lie about certain aspects?

    "private key never leaves your device": if this were true, then a device that is bricked, lost, stolen or simply replaced by a new one would mean that the user loses access to all of their passkeys on the former device.

    "no password to steal": session cookies continue to be stealable.

    "stops phishing attacks": not while *creating* a passkey, not when an attacker manages to obtain a valid certificate for a site with the particular domain name and is able to send visitors there, and in specific cases using subdomains and faulty server webauthn implementations.

    "Your device now knows where your passkey can be used, and it will not let you use it anywhere else, which is a protection that can't be offered for passwords": it *can* (but is uncommon, it beats me why).

    "The public key […] here isn't an additional piece of sensitive information in there to be compromised and all the attacker has managed to gain access to is the public key of the user": in case of a server breach, the attacker can add their own passkey public key or replace yours.

    Please stop misleading people (like happened with TOTP).

    #Passkeys #PasskeyRisks #VendorLockIn #TOTP #Passwords #Passkey


  10. OK, normally I have my shit wired together, but this bastard is getting to me.

    The requirement is for 'phishing-resistant' second factor. That rules out all of the six-digit code apps - it is too easy apparently to get someone to read out their codes to an attacker.

    Again, IDK, but apparently 'phishing-resistant' is the next Big Thing. My personal feeling? We are chasing our shadows. Unless I am the last alive Iranian nuclear bloke, my login is as secure as I can be bothered to make it, and I am bound to be disappointed by a weakness at some point in the near or far future. Phishing isn't on the agenda.

    Life.

    I carry a seemingly-fine cryptographic store about with me most days and ludicrously call it my 'phone'. It can sign stuff, wrangle certificates, store passwords, read faces and fingerprints and QRcodes and NFC tags. Heaps of useful 'security' stuff. I wouldn't call the software environment _secure_ at all, but ... IDK, people seem happy enough with it. Anything for an easy life. Row with the flow.

    So I search for:
    "google passkey login with ssh"
    My god, whatalottasloppa comes back. A Gatling gun of half-arsery, cant and junk advice.
    Then "MS hello for business login ssh". Christ almighty. Much worse. Worse again.
    Then "Apple ID login to ssh". At least that seems to be a simple: "no". A relief really.

    Someone in the know please: can I set up my sshd to use my phone-based passkey as a primary, secondary or even the complete login?

    #TOTP #HOTP #passkey #sshd #key #certificates #PSK #login #ssh #linux #pam #openssh


  15. So, I have gathered my first experiences with #Passkey and a hardware token.

    For my J+S Baspo NDS login I had been using CH-Login so far, but lately it keeps pointing insistently to the AGOV login. Since I first of all do not want to be tied to an app, and certainly not to a Google/Apple device, my choice fell on a hardware token. I already had some experience with Yubikeys, but in the meantime I came across token2.swiss and wanted to try it out. In doing so I noticed that they explicitly carry tokens for #AGOV [1], and I took the opportunity and ordered one (PINPlus Dual Slim FIDO2.1 Key USB).

    The main difficulty was that I want to use it with Firefox on Debian Linux, for which there is no documentation (it exists for Windows and OSX with Chrome and Safari). So I spent a while finding out how it all works together.

    First I did the upgrade from Debian Bookworm to Trixie, which was necessary anyway, so the software is somewhat more current. Debian Trixie ships libfido2 in version 1.15.0, which should work with such USB sticks. The additional package fido2-tools provides the fido2-token command for management. Both come from Yubico.

    For setting a PIN there is a libfido2 variant modified by Token2 called fido2-manage [2]. It builds without problems on Debian Trixie, after which the PIN can be set with fido2-manage.sh. Since this package has the Yubico one [3] as its base, you end up with two almost identical libfido2 in version 1.15.0. Among other things this brings the difficulty that it cannot be packaged without major adjustments, because the two libfido2-1 would get in each other's way, and you do not want to uninstall the first one because OpenSSH, among others, depends on it.

    However, I saw that the Yubico libfido2 shipped by Debian also works with the Token2 token. In addition, the #FIDO2 infrastructure and passkeys in Firefox work well with the token (after I set the PIN). The switch from CH-Login to AGOV then worked without problems.

    Next I will try to find out in what way the libfido2 from Yubico and from Token2 differ, and whether they could not be merged.

    [1] agov.token2.ch/
    [2] github.com/token2/fido2-manage
    [3] github.com/Yubico/libfido2


  19. Someone noticed! SMS “Hey baby boy, how many technical people did you piss off by translating their technical Passkey mumbo jumbo nonsense into paragraphs about cats and cookies? I love it! Can you do this for all technical documentation?” sightlessscribbles.com/posts/h #Tech #Technology #PassKey #Passkey #Passkeys #BackUpPasskeys


  24. Both Microsoft and Google are reporting passkeys alone are not the panacea solution being sold by vendors. This is a recurring reminder that no one solution exists in protecting user identities and security systems.

    There exists no silver bullet in a world of cybersecurity. Security requires defense in depth and constant vigilance on behalf of every person from the end users to admins and executives.

    Keep safe out there!

    #passkey #cybersecurity


  27. Configured the #passkey for logging in to #gitlab through #vaultwarden; it seems to work without problems!


  32. Anyone got a working solution for passkeys? I have my keepass db on nextcloud and sync to desktop and phone (GrapheneOS). It's very per-device.

    #passkey #keepass #NextCloud #grapheneos
