@mcc @glyph i am using non-vendor-locked passkeys with zero bluetooth

(keepassx supports it)

@glyph @mcc i am using a password manager with a browser extension that lets me do passkey logins in most places i've tried to do them

keepassx stores them in the password database, like everything else it stores

it's a normal file

@whitequark @dalias @glyph I said something about a separate device (in a different part of the thread)

Continuing from here:

https://mastodon.social/@mcc/113748384835298072

…in addition to the website not being trustable with your password, it's also possible the machine on which the web browser is running cannot be trusted with your password. This is an important case to me personally, not on *all* machines, but on some machines separately.

Here I note something important and problematic:

(Post 2 of 4)

@mcc @whitequark @dalias I think there is some validity to what you're saying—in particular, I think that passkey implementations could do a better job respecting individual autonomy and allowing individuals to provide input to their threat model, which the big vendors cannot have and is not universal.

But to the extent that "passkeys" are trying to do a thing, it's to solve a big *social* problem of password reuse and account compromise, which other solutions have demonstrably not addressed

@mcc Then you’re not the target audience for passkeys. The audience for passkeys is users who don’t want to have to know what password managers are or why 2FA is imposed on them, and the goal is to make auth easier and more secure than passwords.

The mere fact of passkeys trying to do so is laudable, because the goal of the alternatives (SMS or app 2FA, hardware tokens) is for nerds to assert their superiority over non nerds by making them miserable with the excuse of more security.
@glyph

@mcc I should note that within the spec, this *is* entirely possible to achieve with passkeys. Nobody has yet built the extremely specific device you want, because I think it is a fairly esoteric threat model. But nothing precludes it.

(I keep wanting to convince you to drop some of these constraints, because I wanted the same thing at one point and I was happier after _I_ was convinced to drop those aspects, but I do not think our threat models overlap exactly, so this impulse is misguided.)

@glyph What I'd really like:
- I say "Authenticate with passkey" in Firefox
- I get a notification on my phone*
- I tap "authenticate" on my phone
- My phone contacts the appropriate server and/or some anonymizing proxy hosted by whoever forwarded the push notification, and does the authentication handshake with the server

It should be possible to just do this over the internet.

* For anti-phishing, maybe there is a symbol or 5-digit code on both firefox and the phone & you check if they match

@mcc okay so in principle, I agree with your criticism of the spec; passkeys should have a fully self-contained fallback like this.

However, as a heavy user of password managers and also passkeys, the practical lived reality does include this sort of worst-case fallback, which is "password+TOTP".

It's still a huge improvement to my security because I log in with passkeys constantly without thinking about it, and when I am in the desperate situation you describe, I slow *way* down