home.social

#passkeys — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #passkeys, aggregated by home.social.

  1. whoppie, sudo has entered the 21st century

    it's now passwordless

    the key is stored in Secretive

    The authentication to the server happens with the normal keychain ssh-key

    but sudo will now first ask for my fingerprint before asking for my password

    but Gabriel, now you turned your 2FA into 1FA because everything relies on your fingerprint

    yes, true, but it was already 1FA before because the password for the server (which I don't remember) was in my password manager, which... unlocks with my fingerprint (most of the time)

    security is all about compromise

    #sysadmin #linux #security #passkeys #biometrics #sudo

  2. duckduckfedi:

    Forgejo/Codeberg has an option to use passkeys as an authentication factor to sign in, but weirdly I never see a prompt to store them in my password manager, they just go….somewhere.

    Does anyone know how Forgejo stores passkeys?


    #Forgejo #Codeberg #passkeys
  3. ZDNet: Microsoft won’t send you SMS texts for login anymore – why it’s pushing passkeys instead.”On a new support page, Microsoft announced that it will start phasing out SMS as an authentication and account recovery method for personal Microsoft accounts. Instead, the company is pushing passkeys, which offer much stronger security.”

    https://rbfirehose.com/2026/05/23/zdnet-microsoft-wont-send-you-sms-texts-for-login-anymore-why-its-pushing-passkeys-instead/
  4. ZDNet: Microsoft won’t send you SMS texts for login anymore – why it’s pushing passkeys instead.”On a new support page, Microsoft announced that it will start phasing out SMS as an authentication and account recovery method for personal Microsoft accounts. Instead, the company is pushing passkeys, which offer much stronger security.”

    https://rbfirehose.com/2026/05/23/zdnet-microsoft-wont-send-you-sms-texts-for-login-anymore-why-its-pushing-passkeys-instead/
  5. ZDNet: Microsoft won’t send you SMS texts for login anymore – why it’s pushing passkeys instead.”On a new support page, Microsoft announced that it will start phasing out SMS as an authentication and account recovery method for personal Microsoft accounts. Instead, the company is pushing passkeys, which offer much stronger security.”

    https://rbfirehose.com/2026/05/23/zdnet-microsoft-wont-send-you-sms-texts-for-login-anymore-why-its-pushing-passkeys-instead/
  6. ZDNet: Microsoft won’t send you SMS texts for login anymore – why it’s pushing passkeys instead.”On a new support page, Microsoft announced that it will start phasing out SMS as an authentication and account recovery method for personal Microsoft accounts. Instead, the company is pushing passkeys, which offer much stronger security.”

    https://rbfirehose.com/2026/05/23/zdnet-microsoft-wont-send-you-sms-texts-for-login-anymore-why-its-pushing-passkeys-instead/
  7. ZDNet: Microsoft won’t send you SMS texts for login anymore – why it’s pushing passkeys instead.”On a new support page, Microsoft announced that it will start phasing out SMS as an authentication and account recovery method for personal Microsoft accounts. Instead, the company is pushing passkeys, which offer much stronger security.”

    https://rbfirehose.com/2026/05/23/zdnet-microsoft-wont-send-you-sms-texts-for-login-anymore-why-its-pushing-passkeys-instead/
  8. @ScottHelme wrote: "The change I referred to prevents arbitrary sibling/parent-domain abuse […]"

    I'm not sure if you're referring to the possible match on
    "evil-example.com" (see screenshot) in the old code, but if I remember correctly (from my analysis approx. 3 years ago), the client will only accept an exact match of "example.com" or
    "<whatever_including_dots>.example.com".

    So albeit ugly, the old server code should not pose a risk I guess?

    W.r.t. unexpected abuse of valid subdomains (*): my worry is that people will use your code for their site without modification, never considering the risk I described.

    (*) Or malicious JS (3rd party or XSS) on the main domain - while WebAuthn handling was supposed to take place only on e.g. "login.example.com" (using a dedicated subdomain may be a good idea like Dirk Balfanz wrote).

    Since your site appears to be using passkeys as an additional factor, the users of your site may not be at risk. However, the idea of passkeys was to "go passwordless", something that other users of your code will probably embrace.

    I haven't scanned all of your code, but if not present, my advice is to at least add a warning for unexpected WebAuthn processing on a subdomain (or even the main domain).

    #Passkeys #RPID #SubDomains #WebAuthn

  9. Microsoft planerar att ta bort SMS som metod för tvåfaktorsinloggning och hänvisar i stället användare till säkrare alternativ som passkeys och autentiseringsappar.#passkeys #android #ios #microsoft #nyheter #tvåfaktorsinloggning #sms-koder
    Microsoft skrotar SMS‑koder
  10. Microsoft planerar att ta bort SMS som metod för tvåfaktorsinloggning och hänvisar i stället användare till säkrare alternativ som passkeys och autentiseringsappar.#passkeys #android #ios #microsoft #nyheter #tvåfaktorsinloggning #sms-koder
    Microsoft skrotar SMS‑koder
  11. Microsoft planerar att ta bort SMS som metod för tvåfaktorsinloggning och hänvisar i stället användare till säkrare alternativ som passkeys och autentiseringsappar.#passkeys #android #ios #microsoft #nyheter #tvåfaktorsinloggning #sms-koder
    Microsoft skrotar SMS‑koder
  12. Microsoft planerar att ta bort SMS som metod för tvåfaktorsinloggning och hänvisar i stället användare till säkrare alternativ som passkeys och autentiseringsappar.#passkeys #android #ios #microsoft #nyheter #tvåfaktorsinloggning #sms-koder
    Microsoft skrotar SMS‑koder
  13. @ScottHelme from scotthelme.co.uk/open-sourcing:

    "It now requires an exact match or a true subdomain."

    That is probably insufficient. Please read github.com/w3ctag/design-revie by Dirk Balfanz (Google, screenshot of part of the entry below).

    Google doesn't want potentially malicious (e.g. sites.google.com) or "forgotten" subdomains (developer.mozilla.org/en-US/do) to be able to handle passkeys.

    As shown in Google's example, it's best to explicitly whitelist ALL subdomains thay may interact with passkeys to prevent (future) oversight.

    PS this is exactly what I meant with "and in specific cases using subdomains and faulty server webauthn implementations" in todon.nl/@ErikvanStraten/11659.

    Edited to add: many commercial websites use subdomains where third parties have access to (such as track.example.com), for example used in mass mailings. You don't want a gone rogue third party to be able to handle WebAuthn registrations and logins on your subdomain used by them.

    According to the RELATIONS tab in virustotal.com/gui/domain/repo your domain has (at least) 3.2K subdomains. Do you trust each of them?

    #Passkeys #SubDomainTakeOver #Subdomains #SubDomainHijacking

  14. @ScottHelme from scotthelme.co.uk/open-sourcing:

    "It now requires an exact match or a true subdomain."

    That is probably insufficient. Please read github.com/w3ctag/design-revie by Dirk Balfanz (Google, screenshot of part of the entry below).

    Google doesn't want potentially malicious (e.g. sites.google.com) or "forgotten" subdomains (developer.mozilla.org/en-US/do) to be able to handle passkeys.

    As shown in Google's example, it's best to explicitly whitelist ALL subdomains thay may interact with passkeys to prevent (future) oversight.

    PS this is exactly what I meant with "and in specific cases using subdomains and faulty server webauthn implementations" in todon.nl/@ErikvanStraten/11659.

    Edited to add: many commercial websites use subdomains where third parties have access to (such as track.example.com), for example used in mass mailings. You don't want a gone rogue third party to be able to handle WebAuthn registrations and logins on your subdomain used by them.

    According to the RELATIONS tab in virustotal.com/gui/domain/repo your domain has (at least) 3.2K subdomains. Do you trust each of them?

    #Passkeys #SubDomainTakeOver #Subdomains #SubDomainHijacking

  15. @ScottHelme from scotthelme.co.uk/open-sourcing:

    "It now requires an exact match or a true subdomain."

    That is probably insufficient. Please read github.com/w3ctag/design-revie by Dirk Balfanz (Google, screenshot of part of the entry below).

    Google doesn't want potentially malicious (e.g. sites.google.com) or "forgotten" subdomains (developer.mozilla.org/en-US/do) to be able to handle passkeys.

    As shown in Google's example, it's best to explicitly whitelist ALL subdomains thay may interact with passkeys to prevent (future) oversight.

    PS this is exactly what I meant with "and in specific cases using subdomains and faulty server webauthn implementations" in todon.nl/@ErikvanStraten/11659.

    Edited to add: many commercial websites use subdomains where third parties have access to (such as track.example.com), for example used in mass mailings. You don't want a gone rogue third party to be able to handle WebAuthn registrations and logins on your subdomain used by them.

    According to the RELATIONS tab in virustotal.com/gui/domain/repo your domain has (at least) 3.2K subdomains. Do you trust each of them?

    #Passkeys #SubDomainTakeOver #Subdomains #SubDomainHijacking

  16. @ScottHelme from scotthelme.co.uk/open-sourcing:

    "It now requires an exact match or a true subdomain."

    That is probably insufficient. Please read github.com/w3ctag/design-revie by Dirk Balfanz (Google, screenshot of part of the entry below).

    Google doesn't want potentially malicious (e.g. sites.google.com) or "forgotten" subdomains (developer.mozilla.org/en-US/do) to be able to handle passkeys.

    As shown in Google's example, it's best to explicitly whitelist ALL subdomains thay may interact with passkeys to prevent (future) oversight.

    PS this is exactly what I meant with "and in specific cases using subdomains and faulty server webauthn implementations" in todon.nl/@ErikvanStraten/11659.

    Edited to add: many commercial websites use subdomains where third parties have access to (such as track.example.com), for example used in mass mailings. You don't want a gone rogue third party to be able to handle WebAuthn registrations and logins on your subdomain used by them.

    According to the RELATIONS tab in virustotal.com/gui/domain/repo your domain has (at least) 3.2K subdomains. Do you trust each of them?

    #Passkeys #SubDomainTakeOver #Subdomains #SubDomainHijacking

  17. #Microsoft beendet den SMS-Versand für die Zwei-Faktor-Authentifizierung bei privaten Konten. SIM-Swapping macht das Verfahren zu unsicher - Nutzer müssen auf #Passkeys oder Authenticator-Apps umsteigen. winfuture.de/news,158775.html?

  18. #Microsoft beendet den SMS-Versand für die Zwei-Faktor-Authentifizierung bei privaten Konten. SIM-Swapping macht das Verfahren zu unsicher - Nutzer müssen auf #Passkeys oder Authenticator-Apps umsteigen. winfuture.de/news,158775.html?

  19. #Microsoft beendet den SMS-Versand für die Zwei-Faktor-Authentifizierung bei privaten Konten. SIM-Swapping macht das Verfahren zu unsicher - Nutzer müssen auf #Passkeys oder Authenticator-Apps umsteigen. winfuture.de/news,158775.html?

  20. #Microsoft beendet den SMS-Versand für die Zwei-Faktor-Authentifizierung bei privaten Konten. SIM-Swapping macht das Verfahren zu unsicher - Nutzer müssen auf #Passkeys oder Authenticator-Apps umsteigen. winfuture.de/news,158775.html?

  21. #Microsoft beendet den SMS-Versand für die Zwei-Faktor-Authentifizierung bei privaten Konten. SIM-Swapping macht das Verfahren zu unsicher - Nutzer müssen auf #Passkeys oder Authenticator-Apps umsteigen. winfuture.de/news,158775.html?

  22. @ScottHelme : I am not advocating passwords per sé, and neither am I stating that private keys are sent to relying party servers.

    One of the controversies is whether the user has access to their own private keys. If they don't, malware cannot steal them, but vendor lock-in is the price they pay. However, with malware on their device, an AitM (in the device) can deceive them in lots of ways - including taking over their passkey protected accounts. Real victims do not care whether such attacks are "out of scope" for passkeys - according to tech-bro's.

    Passkeys do have advantages but most people are overwhelmed when every story they read mentions asymmetric cryptography - as if *that* makes passkeys strong: IMO that's a myth.

    Repeating (from todon.nl/@ErikvanStraten/11655) what makes passkeys stronger than the strongest unique passwords, even if AutoFill is used:

    1. Software checks the domain name, which makes phishing hard;

    2. Https is enforced, which helps prevent AitM attacks (unless Cloudflare et al. come into play);

    3. A unique, long, unguessible, randomly generated "password" (public key) per account: dumb password rules and broken human RNG's no longer apply.

    OTOH: passkeys also come with disadvantages and risks, partially depending on the provider.

    #Passkeys #AsymmetricCryptography

  23. @ScottHelme : I am not advocating passwords per sé, and neither am I stating that private keys are sent to relying party servers.

    One of the controversies is whether the user has access to their own private keys. If they don't, malware cannot steal them, but vendor lock-in is the price they pay. However, with malware on their device, an AitM (in the device) can deceive them in lots of ways - including taking over their passkey protected accounts. Real victims do not care whether such attacks are "out of scope" for passkeys - according to tech-bro's.

    Passkeys do have advantages but most people are overwhelmed when every story they read mentions asymmetric cryptography - as if *that* makes passkeys strong: IMO that's a myth.

    Repeating (from todon.nl/@ErikvanStraten/11655) what makes passkeys stronger than the strongest unique passwords, even if AutoFill is used:

    1. Software checks the domain name, which makes phishing hard;

    2. Https is enforced, which helps prevent AitM attacks (unless Cloudflare et al. come into play);

    3. A unique, long, unguessible, randomly generated "password" (public key) per account: dumb password rules and broken human RNG's no longer apply.

    OTOH: passkeys also come with disadvantages and risks, partially depending on the provider.

    #Passkeys #AsymmetricCryptography

  24. @ScottHelme : I am not advocating passwords per sé, and neither am I stating that private keys are sent to relying party servers.

    One of the controversies is whether the user has access to their own private keys. If they don't, malware cannot steal them, but vendor lock-in is the price they pay. However, with malware on their device, an AitM (in the device) can deceive them in lots of ways - including taking over their passkey protected accounts. Real victims do not care whether such attacks are "out of scope" for passkeys - according to tech-bro's.

    Passkeys do have advantages but most people are overwhelmed when every story they read mentions asymmetric cryptography - as if *that* makes passkeys strong: IMO that's a myth.

    Repeating (from todon.nl/@ErikvanStraten/11655) what makes passkeys stronger than the strongest unique passwords, even if AutoFill is used:

    1. Software checks the domain name, which makes phishing hard;

    2. Https is enforced, which helps prevent AitM attacks (unless Cloudflare et al. come into play);

    3. A unique, long, unguessible, randomly generated "password" (public key) per account: dumb password rules and broken human RNG's no longer apply.

    OTOH: passkeys also come with disadvantages and risks, partially depending on the provider.

    #Passkeys #AsymmetricCryptography