#passkeys — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #passkeys, aggregated by home.social.
-
whoppie, sudo has entered the 21st century
it's now passwordless
the key is stored in Secretive
The authentication to the server happens with the normal keychain ssh-key
but sudo will now first ask for my fingerprint before asking for my password
but Gabriel, now you turned your 2FA into 1FA because everything relies on your fingerprint
yes, true, but it was already 1FA before because the password for the server (which I don't remember) was in my password manager, which... unlocks with my fingerprint (most of the time)
security is all about compromise
-
https://www.europesays.com/at/179243/ Android 17 und iOS 26.5: KI-Phishing, Trojaner und Quishing – Hersteller kontern #AI #Android #ARTIFICIALINTELLIGENCE #AT #Austria #Cyberkriminalität #identität #iOS #KI #kryptografie #KünstlicheIntelligenz #Österreich #Passkeys #Phishing #QrCode #Science #Science&Technology #Sicherheit #Smartphone #SSH #Technik #Technology #Tls #Trojaner #VPN #Wissenschaft #Wissenschaft&Technik
-
ZDNet: Microsoft won’t send you SMS texts for login anymore – why it’s pushing passkeys instead.”On a new support page, Microsoft announced that it will start phasing out SMS as an authentication and account recovery method for personal Microsoft accounts. Instead, the company is pushing passkeys, which offer much stronger security.”
https://rbfirehose.com/2026/05/23/zdnet-microsoft-wont-send-you-sms-texts-for-login-anymore-why-its-pushing-passkeys-instead/ -
ZDNet: Microsoft won’t send you SMS texts for login anymore – why it’s pushing passkeys instead.”On a new support page, Microsoft announced that it will start phasing out SMS as an authentication and account recovery method for personal Microsoft accounts. Instead, the company is pushing passkeys, which offer much stronger security.”
https://rbfirehose.com/2026/05/23/zdnet-microsoft-wont-send-you-sms-texts-for-login-anymore-why-its-pushing-passkeys-instead/ -
ZDNet: Microsoft won’t send you SMS texts for login anymore – why it’s pushing passkeys instead.”On a new support page, Microsoft announced that it will start phasing out SMS as an authentication and account recovery method for personal Microsoft accounts. Instead, the company is pushing passkeys, which offer much stronger security.”
https://rbfirehose.com/2026/05/23/zdnet-microsoft-wont-send-you-sms-texts-for-login-anymore-why-its-pushing-passkeys-instead/ -
ZDNet: Microsoft won’t send you SMS texts for login anymore – why it’s pushing passkeys instead.”On a new support page, Microsoft announced that it will start phasing out SMS as an authentication and account recovery method for personal Microsoft accounts. Instead, the company is pushing passkeys, which offer much stronger security.”
https://rbfirehose.com/2026/05/23/zdnet-microsoft-wont-send-you-sms-texts-for-login-anymore-why-its-pushing-passkeys-instead/ -
ZDNet: Microsoft won’t send you SMS texts for login anymore – why it’s pushing passkeys instead.”On a new support page, Microsoft announced that it will start phasing out SMS as an authentication and account recovery method for personal Microsoft accounts. Instead, the company is pushing passkeys, which offer much stronger security.”
https://rbfirehose.com/2026/05/23/zdnet-microsoft-wont-send-you-sms-texts-for-login-anymore-why-its-pushing-passkeys-instead/ -
#Microsoft Phasing Out #SMS #Authentication Codes for Personal #Accounts in Favor of #Passkeys
👏👏👏👏👏
-
#Microsoft Phasing Out #SMS #Authentication Codes for Personal #Accounts in Favor of #Passkeys
👏👏👏👏👏
-
#Microsoft Phasing Out #SMS #Authentication Codes for Personal #Accounts in Favor of #Passkeys
👏👏👏👏👏
-
#Microsoft Phasing Out #SMS #Authentication Codes for Personal #Accounts in Favor of #Passkeys
👏👏👏👏👏
-
@ScottHelme wrote: "The change I referred to prevents arbitrary sibling/parent-domain abuse […]"
I'm not sure if you're referring to the possible match on
"evil-example.com" (see screenshot) in the old code, but if I remember correctly (from my analysis approx. 3 years ago), the client will only accept an exact match of "example.com" or
"<whatever_including_dots>.example.com".So albeit ugly, the old server code should not pose a risk I guess?
W.r.t. unexpected abuse of valid subdomains (*): my worry is that people will use your code for their site without modification, never considering the risk I described.
(*) Or malicious JS (3rd party or XSS) on the main domain - while WebAuthn handling was supposed to take place only on e.g. "login.example.com" (using a dedicated subdomain may be a good idea like Dirk Balfanz wrote).
Since your site appears to be using passkeys as an additional factor, the users of your site may not be at risk. However, the idea of passkeys was to "go passwordless", something that other users of your code will probably embrace.
I haven't scanned all of your code, but if not present, my advice is to at least add a warning for unexpected WebAuthn processing on a subdomain (or even the main domain).
-
Microsoft Is Phasing Out SMS 2FA Codes For Personal Accounts
Microsoft starts scrapping 2FA SMS codes. getty Microsoft has confirmed it is starting to phase out SMS as…
#NewsBeep #News #Technology #2FA #2FAusingSMScode #AU #Australia #Microsoft #Microsoft2FA #Microsoftauthentication #Microsoftlogincodealert #Microsoftpasskey #MicrosoftscrapsSMS2FAcodes #passkeys #SMS
https://www.newsbeep.com/au/685502/ -
“Microsoft Is Eliminating SMS Codes for Two-Factor Authentication”
No date for this yet. But get ready!
#mfa #sms #microsoft #infosec #Passkeys #2fa #webauthn
https://lifehacker.com/tech/microsoft-is-eliminating-sms-codes-for-2fa
-
https://winbuzzer.com/2026/05/20/microsoft-drops-sms-codes-in-personal-account-passkey-push-xcxwbn/
Microsoft is removing SMS codes from personal-account sign-in and recovery and replacing that path with passkeys and verified email.
#MicrosoftAccount #Microsoft #Passkeys #Passwordless #Authentication #Cybersecurity #Windows11
-
https://winbuzzer.com/2026/05/20/microsoft-drops-sms-codes-in-personal-account-passkey-push-xcxwbn/
Microsoft is removing SMS codes from personal-account sign-in and recovery and replacing that path with passkeys and verified email.
#MicrosoftAccount #Microsoft #Passkeys #Passwordless #Authentication #Cybersecurity #Windows11
-
https://winbuzzer.com/2026/05/20/microsoft-drops-sms-codes-in-personal-account-passkey-push-xcxwbn/
Microsoft is removing SMS codes from personal-account sign-in and recovery and replacing that path with passkeys and verified email.
#MicrosoftAccount #Microsoft #Passkeys #Passwordless #Authentication #Cybersecurity #Windows11
-
https://winbuzzer.com/2026/05/20/microsoft-drops-sms-codes-in-personal-account-passkey-push-xcxwbn/
Microsoft is removing SMS codes from personal-account sign-in and recovery and replacing that path with passkeys and verified email.
#MicrosoftAccount #Microsoft #Passkeys #Passwordless #Authentication #Cybersecurity #Windows11
-
https://winbuzzer.com/2026/05/20/microsoft-drops-sms-codes-in-personal-account-passkey-push-xcxwbn/
Microsoft is removing SMS codes from personal-account sign-in and recovery and replacing that path with passkeys and verified email.
#MicrosoftAccount #Microsoft #Passkeys #Passwordless #Authentication #Cybersecurity #Windows11
-
#Development #Analyses
XSS is deadly for passkeys · The hidden flaw in passkey authentication https://ilo.im/16d1v9_____
#Attacks #Authentication #Passkeys #Vulnerability #Security #XSS #Browser #WebDev #Frontend #JavaScript -
#Development #Analyses
XSS is deadly for passkeys · The hidden flaw in passkey authentication https://ilo.im/16d1v9_____
#Attacks #Authentication #Passkeys #Vulnerability #Security #XSS #Browser #WebDev #Frontend #JavaScript -
#Development #Analyses
XSS is deadly for passkeys · The hidden flaw in passkey authentication https://ilo.im/16d1v9_____
#Attacks #Authentication #Passkeys #Vulnerability #Security #XSS #Browser #WebDev #Frontend #JavaScript -
#Development #Analyses
XSS is deadly for passkeys · The hidden flaw in passkey authentication https://ilo.im/16d1v9_____
#Attacks #Authentication #Passkeys #Vulnerability #Security #XSS #Browser #WebDev #Frontend #JavaScript -
Microsoft planerar att ta bort SMS som metod för tvåfaktorsinloggning och hänvisar i stället användare till säkrare alternativ som passkeys och autentiseringsappar.#passkeys #android #ios #microsoft #nyheter #tvåfaktorsinloggning #sms-koder
Microsoft skrotar SMS‑koder -
Microsoft planerar att ta bort SMS som metod för tvåfaktorsinloggning och hänvisar i stället användare till säkrare alternativ som passkeys och autentiseringsappar.#passkeys #android #ios #microsoft #nyheter #tvåfaktorsinloggning #sms-koder
Microsoft skrotar SMS‑koder -
Microsoft planerar att ta bort SMS som metod för tvåfaktorsinloggning och hänvisar i stället användare till säkrare alternativ som passkeys och autentiseringsappar.#passkeys #android #ios #microsoft #nyheter #tvåfaktorsinloggning #sms-koder
Microsoft skrotar SMS‑koder -
Microsoft planerar att ta bort SMS som metod för tvåfaktorsinloggning och hänvisar i stället användare till säkrare alternativ som passkeys och autentiseringsappar.#passkeys #android #ios #microsoft #nyheter #tvåfaktorsinloggning #sms-koder
Microsoft skrotar SMS‑koder -
@ScottHelme from https://scotthelme.co.uk/open-sourcing-passkeys-php-a-security-focused-webauthn-library-for-php/:
"It now requires an exact match or a true subdomain."
That is probably insufficient. Please read https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580 by Dirk Balfanz (Google, screenshot of part of the entry below).
Google doesn't want potentially malicious (e.g. https://sites.google.com) or "forgotten" subdomains (https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Subdomain_takeover) to be able to handle passkeys.
As shown in Google's example, it's best to explicitly whitelist ALL subdomains thay may interact with passkeys to prevent (future) oversight.
PS this is exactly what I meant with "and in specific cases using subdomains and faulty server webauthn implementations" in https://todon.nl/@ErikvanStraten/116595157772945666.
Edited to add: many commercial websites use subdomains where third parties have access to (such as track.example.com), for example used in mass mailings. You don't want a gone rogue third party to be able to handle WebAuthn registrations and logins on your subdomain used by them.
According to the RELATIONS tab in https://www.virustotal.com/gui/domain/report-uri.com your domain has (at least) 3.2K subdomains. Do you trust each of them?
#Passkeys #SubDomainTakeOver #Subdomains #SubDomainHijacking
-
@ScottHelme from https://scotthelme.co.uk/open-sourcing-passkeys-php-a-security-focused-webauthn-library-for-php/:
"It now requires an exact match or a true subdomain."
That is probably insufficient. Please read https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580 by Dirk Balfanz (Google, screenshot of part of the entry below).
Google doesn't want potentially malicious (e.g. https://sites.google.com) or "forgotten" subdomains (https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Subdomain_takeover) to be able to handle passkeys.
As shown in Google's example, it's best to explicitly whitelist ALL subdomains thay may interact with passkeys to prevent (future) oversight.
PS this is exactly what I meant with "and in specific cases using subdomains and faulty server webauthn implementations" in https://todon.nl/@ErikvanStraten/116595157772945666.
Edited to add: many commercial websites use subdomains where third parties have access to (such as track.example.com), for example used in mass mailings. You don't want a gone rogue third party to be able to handle WebAuthn registrations and logins on your subdomain used by them.
According to the RELATIONS tab in https://www.virustotal.com/gui/domain/report-uri.com your domain has (at least) 3.2K subdomains. Do you trust each of them?
#Passkeys #SubDomainTakeOver #Subdomains #SubDomainHijacking
-
@ScottHelme from https://scotthelme.co.uk/open-sourcing-passkeys-php-a-security-focused-webauthn-library-for-php/:
"It now requires an exact match or a true subdomain."
That is probably insufficient. Please read https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580 by Dirk Balfanz (Google, screenshot of part of the entry below).
Google doesn't want potentially malicious (e.g. https://sites.google.com) or "forgotten" subdomains (https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Subdomain_takeover) to be able to handle passkeys.
As shown in Google's example, it's best to explicitly whitelist ALL subdomains thay may interact with passkeys to prevent (future) oversight.
PS this is exactly what I meant with "and in specific cases using subdomains and faulty server webauthn implementations" in https://todon.nl/@ErikvanStraten/116595157772945666.
Edited to add: many commercial websites use subdomains where third parties have access to (such as track.example.com), for example used in mass mailings. You don't want a gone rogue third party to be able to handle WebAuthn registrations and logins on your subdomain used by them.
According to the RELATIONS tab in https://www.virustotal.com/gui/domain/report-uri.com your domain has (at least) 3.2K subdomains. Do you trust each of them?
#Passkeys #SubDomainTakeOver #Subdomains #SubDomainHijacking
-
@ScottHelme from https://scotthelme.co.uk/open-sourcing-passkeys-php-a-security-focused-webauthn-library-for-php/:
"It now requires an exact match or a true subdomain."
That is probably insufficient. Please read https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580 by Dirk Balfanz (Google, screenshot of part of the entry below).
Google doesn't want potentially malicious (e.g. https://sites.google.com) or "forgotten" subdomains (https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Subdomain_takeover) to be able to handle passkeys.
As shown in Google's example, it's best to explicitly whitelist ALL subdomains thay may interact with passkeys to prevent (future) oversight.
PS this is exactly what I meant with "and in specific cases using subdomains and faulty server webauthn implementations" in https://todon.nl/@ErikvanStraten/116595157772945666.
Edited to add: many commercial websites use subdomains where third parties have access to (such as track.example.com), for example used in mass mailings. You don't want a gone rogue third party to be able to handle WebAuthn registrations and logins on your subdomain used by them.
According to the RELATIONS tab in https://www.virustotal.com/gui/domain/report-uri.com your domain has (at least) 3.2K subdomains. Do you trust each of them?
#Passkeys #SubDomainTakeOver #Subdomains #SubDomainHijacking
-
-
-
-
-
-
https://www.europesays.com/be-nl/65524/ Microsoft stopt met sms-codes en schuift passkeys naar voren als alternatief #BE #België #Belgium #Microsoft #passkeys #Science #ScienceAndTechnology #ScienceAndTechnology #Technologie #Technology #Wetenschap #WetenschapEnTechnologie #WetenschapTechnologie
-
Microsoft streicht den SMS-Code: So gelingt der Wechsel auf Passkeys und Apps
#microsoft #cybersecurity #passkeys #techupdate #zweifaktorauthentifizierung
-
Microsoft streicht den SMS-Code: So gelingt der Wechsel auf Passkeys und Apps
#microsoft #cybersecurity #passkeys #techupdate #zweifaktorauthentifizierung
-
Microsoft streicht den SMS-Code: So gelingt der Wechsel auf Passkeys und Apps
#microsoft #cybersecurity #passkeys #techupdate #zweifaktorauthentifizierung
-
Microsoft streicht den SMS-Code: So gelingt der Wechsel auf Passkeys und Apps
#microsoft #cybersecurity #passkeys #techupdate #zweifaktorauthentifizierung
-
#Microsoft beendet den SMS-Versand für die Zwei-Faktor-Authentifizierung bei privaten Konten. SIM-Swapping macht das Verfahren zu unsicher - Nutzer müssen auf #Passkeys oder Authenticator-Apps umsteigen. https://winfuture.de/news,158775.html?utm_source=Mastodon&utm_medium=ManualStatus&utm_campaign=SocialMedia
-
#Microsoft beendet den SMS-Versand für die Zwei-Faktor-Authentifizierung bei privaten Konten. SIM-Swapping macht das Verfahren zu unsicher - Nutzer müssen auf #Passkeys oder Authenticator-Apps umsteigen. https://winfuture.de/news,158775.html?utm_source=Mastodon&utm_medium=ManualStatus&utm_campaign=SocialMedia
-
#Microsoft beendet den SMS-Versand für die Zwei-Faktor-Authentifizierung bei privaten Konten. SIM-Swapping macht das Verfahren zu unsicher - Nutzer müssen auf #Passkeys oder Authenticator-Apps umsteigen. https://winfuture.de/news,158775.html?utm_source=Mastodon&utm_medium=ManualStatus&utm_campaign=SocialMedia
-
#Microsoft beendet den SMS-Versand für die Zwei-Faktor-Authentifizierung bei privaten Konten. SIM-Swapping macht das Verfahren zu unsicher - Nutzer müssen auf #Passkeys oder Authenticator-Apps umsteigen. https://winfuture.de/news,158775.html?utm_source=Mastodon&utm_medium=ManualStatus&utm_campaign=SocialMedia
-
#Microsoft beendet den SMS-Versand für die Zwei-Faktor-Authentifizierung bei privaten Konten. SIM-Swapping macht das Verfahren zu unsicher - Nutzer müssen auf #Passkeys oder Authenticator-Apps umsteigen. https://winfuture.de/news,158775.html?utm_source=Mastodon&utm_medium=ManualStatus&utm_campaign=SocialMedia
-
@ScottHelme : I am not advocating passwords per sé, and neither am I stating that private keys are sent to relying party servers.
One of the controversies is whether the user has access to their own private keys. If they don't, malware cannot steal them, but vendor lock-in is the price they pay. However, with malware on their device, an AitM (in the device) can deceive them in lots of ways - including taking over their passkey protected accounts. Real victims do not care whether such attacks are "out of scope" for passkeys - according to tech-bro's.
Passkeys do have advantages but most people are overwhelmed when every story they read mentions asymmetric cryptography - as if *that* makes passkeys strong: IMO that's a myth.
Repeating (from https://todon.nl/@ErikvanStraten/116552022706029032) what makes passkeys stronger than the strongest unique passwords, even if AutoFill is used:
1. Software checks the domain name, which makes phishing hard;
2. Https is enforced, which helps prevent AitM attacks (unless Cloudflare et al. come into play);
3. A unique, long, unguessible, randomly generated "password" (public key) per account: dumb password rules and broken human RNG's no longer apply.
OTOH: passkeys also come with disadvantages and risks, partially depending on the provider.
-
@ScottHelme : I am not advocating passwords per sé, and neither am I stating that private keys are sent to relying party servers.
One of the controversies is whether the user has access to their own private keys. If they don't, malware cannot steal them, but vendor lock-in is the price they pay. However, with malware on their device, an AitM (in the device) can deceive them in lots of ways - including taking over their passkey protected accounts. Real victims do not care whether such attacks are "out of scope" for passkeys - according to tech-bro's.
Passkeys do have advantages but most people are overwhelmed when every story they read mentions asymmetric cryptography - as if *that* makes passkeys strong: IMO that's a myth.
Repeating (from https://todon.nl/@ErikvanStraten/116552022706029032) what makes passkeys stronger than the strongest unique passwords, even if AutoFill is used:
1. Software checks the domain name, which makes phishing hard;
2. Https is enforced, which helps prevent AitM attacks (unless Cloudflare et al. come into play);
3. A unique, long, unguessible, randomly generated "password" (public key) per account: dumb password rules and broken human RNG's no longer apply.
OTOH: passkeys also come with disadvantages and risks, partially depending on the provider.
-
@ScottHelme : I am not advocating passwords per sé, and neither am I stating that private keys are sent to relying party servers.
One of the controversies is whether the user has access to their own private keys. If they don't, malware cannot steal them, but vendor lock-in is the price they pay. However, with malware on their device, an AitM (in the device) can deceive them in lots of ways - including taking over their passkey protected accounts. Real victims do not care whether such attacks are "out of scope" for passkeys - according to tech-bro's.
Passkeys do have advantages but most people are overwhelmed when every story they read mentions asymmetric cryptography - as if *that* makes passkeys strong: IMO that's a myth.
Repeating (from https://todon.nl/@ErikvanStraten/116552022706029032) what makes passkeys stronger than the strongest unique passwords, even if AutoFill is used:
1. Software checks the domain name, which makes phishing hard;
2. Https is enforced, which helps prevent AitM attacks (unless Cloudflare et al. come into play);
3. A unique, long, unguessible, randomly generated "password" (public key) per account: dumb password rules and broken human RNG's no longer apply.
OTOH: passkeys also come with disadvantages and risks, partially depending on the provider.