"Let us be the repository of your passkeys" and "We may terminate your account at any time and permanently refuse to communicate with you" ... seems like a bad combination?
@tychotithonus in a better universe I'd say this might be a good place for government to step in with digital IDs, but somehow that would be even worse because we live in the worst and dumbest timeline.
@DaveMWilburn @tychotithonus I think the German IDs have had certs embedded for a while, but yes.

@helge @tychotithonus I wouldn't trust the American government with that, simply because they don't even respect or acknowledge the rights of anyone that lives here, including our own citizens. And even if Trump goes away, the underlying rot won't.

Hopefully you can keep AfD out of power and avoid our same fate.

@DaveMWilburn @tychotithonus That’s the cool thing about cryptography, it gives a shit about such things.
@helge @DaveMWilburn @tychotithonus So does arithmetic, it cares deeply.
@DaveMWilburn @helge @tychotithonus The fascists come and go, but they’re never replaced by anyone who wants to fix the damage they do. I think at this point, most of the elected officials know that they wouldn’t have been elected in a clean democracy.
@DaveMWilburn @helge @tychotithonus The US government already does this with the common access card though.

@scj643 @helge @tychotithonus

I was there, Gandalf. I was there 3,000 years ago when DoD rolled out the first CACs. I was there the day the DEERS RAPIDS system failed because the f^%cking badge printer crapped out and we all had to go home and try to make an appointment again the next day.

@tychotithonus
...that's just passkeys though, right?

What is this hypothetical storage medium that you don't have to care about, but also have to care about enough that it doesn't fall into the wrong hands and that *isn't* tied to some user account, or is a literal piece of hardware you can just lose?

@bmaxv If the interfaces managed passkeys the way physical keys are managed -- "you need to have as many of them as you are comfortable having house keys, probably more" -- that would be pretty manageable. A hybrid - in which physical keys are tracked and rotated, to bring them up to current with recent adds, and passkey managers providing flexibility and redundancy in the meantime -- is the most robust, but requires some relatively complex personal risk modeling (and state keeping -- today, you basically have to track it all on a spreadsheet, which most people aren't going to do)
@bmaxv @tychotithonus I will use passkeys when there is an interoperable export/import format. I.e., I need to be able to export my passkeys from their primary vendor platform, store the export securely myself, and then import them if needed into a _different_ vendor platform.
Until then, they're no more convenient than the YubiKey I already have and use.
@jik @tychotithonus @bmaxv the sad thing is that this is a description of the ssh keys that have been in use for decades
@Tak @tychotithonus @bmaxv @jik and PGP, S/MIME, and client cert auth in web BROWSERS (🪦)
@jik @bmaxv @tychotithonus There is some import/export between different apps implemented, but as I understand it they're deliberately making it hard to export to just files or something, because sEcUrItY
@tychotithonus this is a dig at Google right? Asking because Proton just sent out a passkey related email
@tychotithonus fair enough! I haven't heard horror stories about proton yet, but I wouldn't even be surprised

@tychotithonus

Me, reading about Passkeys: Oh, it's vendor lock-in for credentials!

Apple: Hold our Zinfandel

🫠

#Passkeys

@alxndr @tychotithonus This situation is absolutely rotten. I don’t oppose putting passkeys in a password manager but this illustrates how it can be dangerous to *only* have them in a password manager. I argue that from a risk management perspective we should think of the password manager as a single virtual YubiKey: You wouldn’t register just one. Anything important should have at least a couple backup methods registered, be they hardware keys or a second password manager backed up offline.
@tychotithonus As someone around here described them: Passkeys are just passwords with landlords. And the landlords can evict you at any time for any reason without notice.

@faoluin
Technically passkeys should be like ssh keys and it does work that way if you use hardware passkeys

Sadly most services only allow you one passkey somehow...

@tychotithonus

@tychotithonus that's why it's important to always keep a local backup of-

oh. oh no. Oh No

@tychotithonus and don't even think about scrutinizing our current administration, otherwise you'll get doxxed on top of getting your account perma-banned
@tychotithonus This is why, even if I use a passkey with a site, I always keep the backup option of a password.
@tychotithonus not what you'd want in a husband
@tychotithonus Are you implying that tech CEOs are not trustworthy?
@rrb @tychotithonus I can throw most people farther than I would trust a tech CEO. The exceptions, the “good guys” you might call them, have a well-established tendency to disappoint. So, I’d be cautious about the ones I can throw.
@su_liam @tychotithonus Check on how many "Dark Patterns" they use to deceive their users.
@tychotithonus I love using centralized login things to avoid passwords, but the number of things I have linked to Google terrifies me

@tychotithonus

I still don't know what a passkey IS. And I'm certainly not going to use them.

These days my default answer is "no" to almost anything new unless I'm sure I understand it.

@Quasit @tychotithonus That is generally the best response. Somewhere along the way, Google decided “don’t be evil” was too radical, and the one thing you really need to understand is that all the other tech bros nodded in agreement.
@tychotithonus yeah, with my main email, I can recover everything else, or, with my password manager account, I can log in directly. I really like having a different memorized PW for each, written down in an obscure location that's easy for me to recover, but hard for someone else (I know which scribble in which notebook full of scribbled notes, good luck!).
@tychotithonus The main reason of several that I won’t go anywhere near passkeys (and don’t trust my photo backups to their cloud).

@tychotithonus I’ve been quite happy keeping passkeys etc. on Yubikeys (plural!). I know that that way they cannot be accessed remotely (you have to have a PIN and touch it for it to work), and with more than one yubikey I don’t have a single point of failure.

But I was never comfortable using a password manager or other software for passkeys; it seemed to defeat the purpose.

@tychotithonus People must learn to manage files. If you understand files and directories, and can copy data from a laptop to a USB device and vice versa, you own your computing environment. If you cannot do those things, Big Tech owns you.

KeePassXC is supposed to provide self-custody of passkeys, although I have not tried that part. It works fine for TOTP.

If you forgot the USB cable, try this: https://TheUnCloud.co/ (WebRTC chat and file xfer)

@tychotithonus

I'm reaaallly old school when it comes to vital information. I never started using online services. I use KeyPass locally for personal credentials, and for my over 200 past and present clients as a web dev.

@tychotithonus ideally https://fidoalliance.org/specifications-credential-exchange-specifications/ will improve this situation; Apple have already implemented the export functionality. It's not a complete solution (which is one of the reasons I self-host Vaultwarden/Bitwarden), but it's a start.

@tychotithonus Yes, but unfortunately, me and my brain are fixed together.

But I know that one day, it will refuse to communicate with me.

@tychotithonus Is this a specific company or a general thing?
20 Years of Digital Life, Gone in an Instant, thanks to Apple

Summary: A major brick-and-mortar store sold an Apple Gift Card that Apple seemingly took offence to, and locked out my entire Apple ID, effectively bricking my devices and my iCloud Account, Apple …

Dr Paris Buttfield-Addison
@tychotithonus isn't it the same as regular password managers from those companies, where passwords are actually hard/impossible to remember?

@tychotithonus It’s that my novice tech brain said: “Why should I replace my good-enough 2FA with your passkey? And why is it suddenly being pushed by so many companies?”, so I was apprehensive about why there was such a need and ignored their offer.

Guess my hunch was right.

@tychotithonus Do they also refuse to communicate with the court and thus end up with default judgements?
@tychotithonus keepass ( https://keepass.info/ ) FTW. It might be a little clunky, but you can back your passwords up to your own physical media which no Stranger controls.

@lemgandi I mean, I'm a fan of the passkey property of robust phishing resistance (by authenticating the origin site), which generic password vaults/storage cannot provide.
@tychotithonus Sure, as long as you control the site.
@lemgandi Can you elaborate? FIDO2 authenticates the origin from the point of registration onward -- for example, I register a security key with google.com, and then after that no site other than google.com (like g00gle.com or whatever) can try to pretend to be google.com (the authentication will fail). This eliminates an entire class of authentication compromise.
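As an added illustration of the origin binding described in the post above (example code written for this page, not code from any commenter or from any passkey product): a WebAuthn relying party does not trust the page that asked for the assertion. The browser writes the real origin into clientDataJSON, the authenticator embeds SHA-256(RP ID) in authenticatorData, and the signature covers both, so the server can reject an assertion produced on g00gle.com for a credential registered to google.com. The sample assertion data below is constructed inline; the signature check itself is out of scope and only the origin, RP ID, challenge and user-presence checks are shown.

```python
"""Origin / RP ID checks a WebAuthn relying party performs on an assertion.

Added example for this page (not from the thread or any vendor). The
clientDataJSON and authenticatorData values are constructed here to mimic
what a browser and authenticator would produce; no real signing is done.
"""
import base64
import hashlib
import json


def b64url_decode(s: str) -> bytes:
    """Decode base64url without padding, as used in clientDataJSON."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def rp_id_hash(rp_id: str) -> bytes:
    """The authenticator puts SHA-256(rpId) in the first 32 bytes of authenticatorData."""
    return hashlib.sha256(rp_id.encode("ascii")).digest()


def make_authenticator_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> bytes:
    """Constructed authenticatorData: rpIdHash(32) || flags(1) || signCount(4).

    flags 0x05 = user present (bit 0) + user verified (bit 2).
    """
    return rp_id_hash(rp_id) + bytes([flags]) + counter.to_bytes(4, "big")


def make_client_data(origin: str, challenge: bytes, typ: str = "webauthn.get") -> bytes:
    """Constructed clientDataJSON. In a real flow the *browser* fills in `origin`
    from the page that called navigator.credentials.get(); the page cannot
    override it, which is the whole point."""
    return json.dumps({
        "type": typ,
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()


def verify_origin_binding(expected_rp_id: str, allowed_origins: set, expected_challenge: bytes,
                          client_data_json: bytes, authenticator_data: bytes):
    """Return (ok, reason). Mirrors the origin-related steps of the WebAuthn
    assertion verification procedure; the signature over
    authenticatorData || SHA-256(clientDataJSON) is assumed to be checked
    separately against the registered public key."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or different session)"
    origin = cd.get("origin")
    if origin not in allowed_origins:
        # A phishing page at https://g00gle.com ends up here: the browser
        # reported its true origin, and it is not one this RP accepts.
        return False, f"origin mismatch: {origin!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != rp_id_hash(expected_rp_id):
        return False, "rpIdHash mismatch: assertion was made for a different RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "origin and RP ID bound to this relying party"


def demo():
    """Legitimate assertion vs. one produced on a look-alike domain."""
    rp_id = "google.com"                       # hypothetical RP ID for the demo
    allowed = {"https://accounts.google.com"}  # origins this RP accepts
    challenge = b"\x01" * 32                   # constructed, fixed for the demo
    auth_data = make_authenticator_data(rp_id)
    good = verify_origin_binding(rp_id, allowed, challenge,
                                 make_client_data("https://accounts.google.com", challenge), auth_data)
    phish = verify_origin_binding(rp_id, allowed, challenge,
                                  make_client_data("https://g00gle.com", challenge), auth_data)
    return good, phish


if __name__ == "__main__":
    for label, result in zip(("legit", "phish"), demo()):
        print(label, result)
```

Two things are enforced here, and they fail independently: the browser-supplied origin must be on the relying party's allow list, and the rpIdHash the authenticator signed must match the RP ID the server expects. The browser additionally refuses to even produce an assertion when the page's domain is not a registrable suffix of the RP ID, which is why a password-vault domain filter (as mentioned elsewhere in the thread) is a weaker, client-side-only approximation of the same property.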
@tychotithonus @lemgandi it's not as strong of course, but you can set domains in keepass and with the browser extension if the domain isn't right, the credentials won't be filled in
@tychotithonus now you know why I want my home "stupid" and my shit self-hosted
@tychotithonus No no, completely common, like it's written in the Terms everyone read and deliberately accept, right?
@tychotithonus just host Vaultwarden yourself and you don't have this kind of problem