Mastodawn

So here's what stops me from using Passkeys.

- I want Passkeys.
- I want to use "BitWarden".
- BitWarden can use passkeys on all my platforms incl Android.
- However, I do not install BitWarden on all my computers, because I don't trust some of them to hold my BitWarden vault.
- This means I have to have a way of "airgapping" the passkey— some way of using a passkey on a phone, is a computer.
- The ONLY way to do this the FIDO Alliance allows requires Bluetooth.
- My computer doesn't have that.

Show thread

mcc Dec 4

I don't want to enable Bluetooth on my phone and I don't want to buy a Bluetooth card for my aging desktop. Moreover FIDO views "airgapping" as a security risk. They believe that banning "airgapping" is a necessary component of "anti-phishing", and "anti-phishing" is a highest-priority goal of the FIDO alliance. "Anti-phishing" is not a goal I have, but it is SO important to the FIDO alliance they'd rather I not use passkeys at all than me have passkeys but be allowed to airgap them.

Show thread

mcc Dec 4

So, here's my solution: Fork BitWarden, and fork its Firefox extension. Add some kind of special wifi handshake, that allows me to keep BitWarden on my phone, and have the passkey/password autofill on the untrusted computer's browser WebAuthn with passwords or passkeys as needed tunneled encrypted from the phone, and the traffic goes over TCP/IP rather than bluetooth.

I think this would work, and be safe but I think also the FIDO alliance would call what I'm doing here "phishing".

Show thread

mcc Dec 4

So I wonder about this. The thing I want is supposed to be impossible, and FIDO tries to put technical measures in place to make it impossible. But passkeys have been implemented by open source applications. So technically I don't see how they stop me.

There's another weird thing. [EDIT: removed outdated statement about Firefox support]; and the BitWarden site seems to imply Passkeys require Google Play Services. What? Problematic, as I am moving to Lineage or something soon.

Show thread

mcc Dec 4

Wait. Are Passkey apps literally banned from being properly open source?

https://peoplemaking.games/@leon/115663918924867641

If what Leon speculates here is the case, doesn't that imply you literally cannot write a GPL3-compliant Passkey implementation, as your build-time signing keys would have to be part of the chain of trust and this would violate the GPL3's rules against such signing keys being secret-but-mandatory?

Leon (@[email protected])

@[email protected] iirc an important part of the passkey system is attestation - the passkey wallet on the computer proves cryptographically it is made by who it’s said to be made by and is intact, so it hasn’t been compromised. This is enforced by a web of trust like HTTPS. For this reason I’m not sure forking bitwarden will result in a trustable passkey wallet, and something you should probably run to ground before investing time on imp.

People Making Games

Show thread

vriska, thief of light

Dec 4

@mcc attestation is optional and bitwarden afaik doesn't implement it anyway

Show thread

mcc Dec 4

@leo @q Huh that's worrying though because some of the sites I would like to sign into with via passkeys are companies (Google, Microsoft) who own and are actively trying to lock me into "software signing" ecosystems. So if attested keys are optional now, but could become non-optional in future, then that looks like a plausible future screw-turn for Google or Microsoft to attempt.

Show thread

Will Smart

@mcc @leo @q There is already an open source passkey implementation. https://github.com/google/OpenSK it uses CTAP (the FIDO alliance standard "Client to Authenticator Protocol". It is implemented as a separate hardware device, but there's no reason a virtual USB HID device could not do the same.

GitHub - google/OpenSK: OpenSK is an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.

OpenSK is an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards. - google/OpenSK

GitHub

Show thread

Will Smart Dec 4

@mcc @leo @q FIDO Attestation is *not* a web of trust. It is centrally managed by the FIDO alliance. There is no agreed-upon method for attestation for software passkeys, because there is nothing specifically to attest to: FIDO attestation is a mechanism to determine that a private key was generated on a specific piece of hardware and cannot be exported.
(Edit: Link to FIDO Metadata service, which is the source of truth for attestation roots: https://fidoalliance.org/metadata/ )

FIDO Metadata Service (MDS) Overview | FIDO Alliance

Explore FIDO Metadata Service (MDS), a centralized repository for relying parties to validate authenticator attestation and prove device model genuineness.

FIDO Alliance