I vibe with this. Does anyone have any examples of where and how any vendor’s dialogs around passkeys might lead people astray? The more feedback, the better.
https://infosec.exchange/@adamshostack/113743707996398149
Adam Shostack (@adamshostack@infosec.exchange)

@[email protected] I think the biggest thing is to (a) ensure dialogs are clear about what software is presenting them (b) where it plans to store the key and (c) letting people configure what their preference is for passkey management. Err, “things are”

@rmondello Personally for me the biggest issue I have is I want passkeys in iOS and passwords in 1Password (can’t migrate yet), and 1P has this tiny little USB security key icon, and then macOS suggests password related things. This experience was better a couple years ago before 1P did passkeys and before the passwords app :/

@g The article we’re discussing was trying to make an argument around “normal” people, I think. People who don’t use Mastodon.

That said, let’s talk about you personally, because you were kind enough to share with me, and I appreciate that!

Can you tell me more about why you want passkeys in Apple Passwords and passwords in 1Password, instead of using one provider (even if it’s 1Password, which is great software!)?

@rmondello I don’t want to ADD more in 1Password like new passkeys, I want them platform level, but I can’t move my 1P usage out completely yet and don’t want to fragment where I have passwords.

But 1P starting to do passkeys and hijacking security keys has caused me issues at work where people tried to 2FA with Yubikeys and could not figure out how to not have 1P hijack the dialog because the freaking USB stick icon is minuscule :/

@g I think it’s been a profound mistake on 1Password’s part that 1Password on desktop intentionally ignores the platform-native way to plug passkey data into web browsers and instead implements passkeys by hijacking the web API via their browser extension. (On iOS, however, they properly integrate as a data source.)
@rmondello I am not a Safari user so I’m not sure about there, but unless I’m mistaken their passkey support predated the macOS APIs to do that properly in other browsers? Is there an example of another third party password manager supporting it the proper way? I’d love to see the difference.
Strongbox - Password Manager

Strongbox is an application for keeping all your passwords safely stored and protected by one master password. Supporting the open source Password Safe and KeePass formats. *** Features *** - Touch ID & Apple Watch Unlock for the ultimate in convenience, security and speed. - Passkey support - Th…
