RE: https://hachyderm.io/@miketheman/116008792409955286

When I say TOTP is phishable and webauthn (“passkeys”) isn’t, this is a real-world example of what I am talking about.
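The reason behind that claim, as an added illustration that is not part of this thread: a TOTP code is HMAC(secret, time step) and names no site, so a code typed into a fake page is equally valid when relayed to the real one; a WebAuthn assertion signs over the RP ID hash and the origin the browser observed, and the relying party rejects anything that does not match. The model below is simplified and mine: HMAC stands in for the authenticator's asymmetric signature, the "browser" is a function, and `bank.example` / `bank-example.test` are constructed hostnames.

```python
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlparse

# ---------------- TOTP (RFC 6238) ----------------
def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """HMAC-SHA1 over the time-step counter, dynamically truncated (RFC 4226)."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"

def totp_relay_succeeds(now: int = 1_700_000_000) -> bool:
    """Victim types the code into a fake page; attacker forwards it within the step."""
    secret = b"constructed-shared-secret"          # constructed sample secret
    code_typed_into_phish = totp(secret, now)
    relayed = code_typed_into_phish                # forwarded unchanged
    return hmac.compare_digest(totp(secret, now + 5), relayed)  # real site, same step

# ---------------- WebAuthn-style assertion (simplified model) ----------------
# Real authenticators sign authenticatorData || SHA-256(clientDataJSON) with a
# per-credential private key; HMAC with a per-credential secret stands in here
# (assumption) so the block runs with only the standard library.
class Authenticator:
    def __init__(self):
        self._creds = {}  # rp_id -> (credential_id, key)

    def make_credential(self, rp_id: str):
        cred_id, key = os.urandom(16), os.urandom(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key  # what the RP stores (key plays the public-key role)

    def get_assertion(self, rp_id: str, client_data: bytes):
        if rp_id not in self._creds:
            return None  # no credential scoped to this RP ID
        cred_id, key = self._creds[rp_id]
        # authenticatorData = SHA-256(rpId) || flags (UP) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
        signed = auth_data + hashlib.sha256(client_data).digest()
        return cred_id, auth_data, hmac.new(key, signed, hashlib.sha256).digest()

def browser_get(authn: Authenticator, origin: str, rp_id: str, challenge: str):
    """The browser, not the page, fills in the origin and enforces RP ID scoping."""
    host = urlparse(origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None  # page asked for an RP ID its origin may not use
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    result = authn.get_assertion(rp_id, client_data)
    if result is None:
        return None
    cred_id, auth_data, sig = result
    return {"id": cred_id, "clientDataJSON": client_data,
            "authenticatorData": auth_data, "signature": sig}

def rp_verify(stored, rp_id: str, expected_origin: str, challenge: str, assertion) -> bool:
    """Relying-party checks: credential, type, challenge, origin, rpIdHash, signature."""
    if assertion is None or assertion["id"] != stored[0]:
        return False
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != expected_origin:
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(stored[1], signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

RP_ID, ORIGIN = "bank.example", "https://bank.example"        # constructed
PHISH_ORIGIN = "https://bank-example.test"                    # constructed

def _setup():
    authn = Authenticator()
    return authn, authn.make_credential(RP_ID), os.urandom(16).hex()

def webauthn_legitimate_succeeds() -> bool:
    authn, stored, challenge = _setup()
    return rp_verify(stored, RP_ID, ORIGIN, challenge, browser_get(authn, ORIGIN, RP_ID, challenge))

def webauthn_relay_succeeds() -> bool:
    """Fake page relays the real RP's challenge; neither request yields a usable assertion."""
    authn, stored, challenge = _setup()
    a1 = browser_get(authn, PHISH_ORIGIN, RP_ID, challenge)             # RP ID not allowed
    a2 = browser_get(authn, PHISH_ORIGIN, "bank-example.test", challenge)  # no credential
    return any(rp_verify(stored, RP_ID, ORIGIN, challenge, a) for a in (a1, a2))

def tampered_origin_rejected() -> bool:
    """Even a genuine assertion fails if clientDataJSON is edited after signing."""
    authn, stored, challenge = _setup()
    a = browser_get(authn, ORIGIN, RP_ID, challenge)
    a["clientDataJSON"] = a["clientDataJSON"].replace(ORIGIN.encode(), PHISH_ORIGIN.encode())
    return not rp_verify(stored, RP_ID, ORIGIN, challenge, a)
```

The TOTP relay returns True because the server can only check time and secret; the WebAuthn relay returns False at the browser stage, and the RP's origin and rpIdHash checks would reject it even if an assertion were somehow produced.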

@glyph I vaguely recall the main issues with webauthn being implementation ones, with browsers doing silly things like having internal wallets that don't enable backups and don't allow external provider programs.

Basically, so long as user agency & autonomy are properly enabled, it is a technically superior option.

@lispi314 "don't enable backups" is slightly misunderstanding what is happening, but I can see how some users would see it that way. (They do their own backups, to your "wallet" account; they otherwise prevent exfiltration, and a self-hosted backup is indistinguishable from exfiltration. There is a spec for interop and transferring passkeys between wallets, but it is not implemented everywhere yet.)

@glyph

to your "wallet" account

What is that and where is it stored?

I have reasons to believe it is less reliable and/or trustworthy a backup solution than the one I use generally.

As for interop, its absence makes the use of passkeys rather less useful and safe with Qubes, where one could instead have an RPC protocol between qubes/VMs (this is a very standard thing on Qubes, it's how keepassxc & the like are intended to be used) such that the one requesting authentication never even has access to the key in any shape or form, but merely passes along the handshake request.

Similar things could be done with hardware devices requiring a particular procedure to be interacted with in administrative mode. Or a different machine over a dedicated SSH protocol (or just piped), etc.

@lispi314 keepassxc has support for passkeys, so that seems like it might meet your requirements better than the platform vendors' ones.