Not going to lie, Twitter killing off free API access hits me in the feels. I remember with great affection the flood of creativity that happened after we opened up the API, and it's heartbreaking to see that unceremoniously strangled.

I'm relieved that we've got better alternatives, though. While this is perhaps the final straw for many bots on Twitter, it's been a long time coming and the API has long been hobbled compared to the early days. Open protocols or bust. ✊

Meanwhile, has anyone built a Twitter API compatibility shim for Mastodon? 🤔

@blaine I’m wondering most about Twitter logins. But since that does the login on the Twitter site, they wouldn’t be turning THAT off?

@bmann I assume they're not going to be charging for *logins*. That'd be really dumb and I would laugh at their incompetence. 😂 Restricting access to eg the post API (or even any API access, eg for reader apps) makes marginally more sense.

My thought here is more: switch the "twitter.com" const to "birdbrainsformastodons.com" and all the old bots (and maybe even client apps) just work again?

@blaine @bmann I'm honestly not confident there's anyone left there who would even think to ask the question "what about sites that use login with a Twitter?" - at least not anyone who's in a position where the people making the decisions would listen to them

@simon @blaine @bmann

oh man OpenID seemed like such a good idea and then "log in with x" now i just dread stumbling across something that uses flickr or similar to authenticate

@jonoabroad @simon @blaine @bmann I think this is why Google, Microsoft and Apple started pushing Passkeys.

@lucid00 @jonoabroad @blaine @bmann I see Passkeys as mainly being about the fact that passwords are just a TERRIBLE form of authentication for the vast majority of people

They either forget them or they use the same password for every account. Password managers are a useful solution for a tiny fraction of the overall user-base

@simon @lucid00 @jonoabroad @blaine let me rephrase before Blaine twitches more: password managers are a necessary blight for super users.

Passkeys as a mass market passwordless solution that increases security by default is what we’re betting on at @fission

@bmann @simon @lucid00 @blaine @fission

It worries me that I fall into the super user category.

What are passkeys?

@jonoabroad @simon @lucid00 @blaine @fission a mass market friendly brand for WebAuthn that uses “software keys” rather than like YubiKeys, supported by Apple / Amazon / Google / Microsoft etc

Here’s Apple https://support.apple.com/en-us/HT213305

About the security of passkeys

Passkeys are a replacement for passwords. They are faster to sign in with, easier to use, and much more secure.


@bmann @jonoabroad @simon @lucid00 @blaine @fission I did some reading about passkeys, but couldn't find any information about handling certain real-world problem scenarios. Namely:

"Someone just stole my phone!"

Okay, are there solutions offering support for:

1) Having backup passkeys on secondary devices?

2) Remote invalidation of the lost phone's passkey?

How do passkeys support redundancy and key management? I couldn't find information on that.

@todd_smith @jonoabroad @simon @lucid00 @blaine @fission the major platforms are backing up / syncing passkeys across devices and in their respective cloud storage.

There is a growing directory of sites where you can try it https://passkeys.directory

And the WebAuthn demo site is likely the most obvious https://webauthn.io

Attached image is the success message after register / authenticate


@todd_smith @jonoabroad @simon @lucid00 @blaine @fission put together some more resources on Fission’s public wiki https://plnetwork.xyz/@boris/109809707058993453

#passkeys really are just getting started, so I put together a page on @fission’s public wiki with links to some resources https://talk.fission.codes/t/passkeys/4086 We’re working on adding passkey support to our #UCAN and #WebnativeSDK libraries which currently use the browser WebCryptoAPI for passwordless logins https://webnative.dev

@bmann @simon @lucid00 @jonoabroad @blaine @fission while passkeys will be widely available - I predict low adoption by users for their apps

@DickHardt @simon @lucid00 @jonoabroad @blaine @fission chicken meet egg. Lots of hacker level devs that would love to outsource / remove passwords, and as this thread indicates, “login with Twitter” not really viable.

@bmann @simon @lucid00 @jonoabroad @blaine @fission website PMs don’t care about getting rid of passwords so much as reducing friction - social login reduced sign up friction - Hellō does that even better and lets dev outsource all identity