PASSKEYS, HOW AND WHY?

I just tried to explain in https://security.nl/posting/929755 how passkeys work and what their advantages and disadvantages are.

Boosts of this toot are appreciated!

#Passkeys #WebAuthn #FIDO2 #Yubikey #Phishing #PhishingResistant #PhishingResistance #InfoSec

@Theeo123 This confidence in the user context isn't captured in the "which #2fa factors do #Passkeys have" discussion, and I would love to see this part elevated more in the discourse about them.

@Theeo123 this is pretty good, but I think the opening paragraph ties #passkeys too closely to the biometric factor. That has two issues:

1. Biometrics are not required to use passkeys; it is a convenience factor. A device PIN or password manager master password can also be used to protect the keys. Some misunderstand passkeys to send fingerprints to websites, and repeating "passkeys = fingerprint" can make that confusion worse.

Reddit’s CEO thinks your iPhone sensor is the best proof of personhood

The twist is that Reddit doesn’t want your face or your name, just a cryptographic yes that a real person is behind the screen.

https://gadgetbond.com/apple-iphone-face-id-touch-id-human-presence-security-reddit-ceo-steve-huffman/

New article discussing passkeys: what they are and their current status compared to traditional passwords. Retoots & sharing appreciated -> https://alt43.es/passkeys-vs-contrasenas-mas-seguras-mas-complejas-y-poco-extendidas/
#passkeys #contrasenas #passwords
Passkeys vs passwords: more secure, more complex and not widely adopted - alt43

For years we have been hearing that passwords' days are numbered. The reality is more complex: the problem was never the password itself, but the way most people use them. Passkeys are a more secure alternative against phishing and credential theft, but they come with their own complications: most services still do not support them, losing the device can become a headache and, in many situations, you will still need a password manager.

alt43

TIL of OpenYOLO - "You only login once"

Basically.. proto-FIDO2 but it directly let pages request a password from an authenticator lmao. And save credentials too, not unlike a passkey.

https://openid.net/specs/openyolo-android-03.html

https://github.com/openid/OpenYOLO-Web

What a silly old thing, sheesh. Is this what modern webauthn was born from, or was that a parallel effort?

Glad we have better stuff now that uh, wouldn't get popped from the first XHR that gets found for a site

#passkeys #fido2 #webauthn

OpenYOLO for Android

OpenYOLO for Android is a protocol for retrieving, updating and assisting in the creation of authentication credentials. This document describes the core concepts of OpenYOLO, and the platform-specific details for implementing the OpenYOLO protocol on Android. What's in a name? YOLO stands for "You Only Login Once", which is the internal code-name for Google's Smart Lock for Passwords API on Android. OpenYOLO is the open standards successor to YOLO, and came to be as a result of an initial collaboration between Google and Dashlane. OpenYOLO leverages the lessons learned from YOLO, and also ensures that implementations of OpenYOLO can compete on a level playing field. OpenYOLO would not have been likely to succeed without AgileBits, Keeper Security and LastPass, to whom we are grateful for their continued support and engagement.

Rohan Paul (@rohanpaul_ai)

Reddit's CEO said the company is considering a way to verify that users are real humans using Face ID, Touch ID and passkeys, without strong identity verification such as government ID, in order to tackle its bot and AI account problem.

https://x.com/rohanpaul_ai/status/2035471090894643383

#reddit #passkeys #identityverification #faceid #touchid

Rohan Paul (@rohanpaul_ai) on X

Reddit CEO says they are exploring Face ID, Touch ID, and passkeys to verify users are real humans without revealing identity. To solve a growing bot and AI account problem without moving to heavy identity checks like government ID.

X (formerly Twitter)

Europol just took down Tycoon 2FA — the biggest phishing-as-a-service platform (96K victims, 55K Microsoft accounts). Meanwhile, Starkiller shows AitM phishing is now a SaaS product. TOTP, push, and SMS MFA all fail. Only FIDO2 passkeys stop it.

https://iamdevbox.com/posts/aitm-phishing-starkiller-tycoon-2fa-mfa-bypass-defense/?utm_source=mastodon&utm_medium=social&utm_campaign=blog_post

#Phishing #MFA #Passkeys #FIDO2 #IdentitySecurity

Reminder that "the cat is out of the bag" hits different when the cat deleted your passkey and now your dead grandmother's photos are gone forever. Great post on PRF misuse from @timcappalli -- https://blog.timcappalli.me/p/passkeys-prf-warning/ #passkeys
Please, please, please stop using passkeys for encrypting user data

Passkeys are the future of authentication, but using them for data encryption is a disaster waiting to happen. Overloading these credentials creates a dangerous blast radius that can lead to the irreversible loss of a user's most sacred memories and documents.

Timbits

Users hate it, but age-check tech is coming. Here’s how it works.

On-device face scans and cross-platform age keys decrease privacy risks, but trust issues abound.

Archive: ia: https://s.faithcollapsing.com/sw0it
https://arstechnica.com/tech-policy/2026/03/after-discord-fiasco-age-check-tech-promises-privacy-by-running-locally-does-it-work/

#age-checks #age-gates #age-keys #age-verification #cybersecurity #discord #features #hackers #online-privacy #passkeys #policy #privately #yoti