RE: https://hachyderm.io/@miketheman/116008792409955286

When I say TOTP is phishable and webauthn (“passkeys”) isn’t, this is a real-world example of what I am talking about
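To make the "phishable vs. not phishable" distinction concrete, here is an added example (not part of the original thread, and not anyone's production code) that models both flows on constructed data: a TOTP code carries no information about which site the user typed it into, so a lookalike site can relay it to the real relying party within the validity window, while a WebAuthn assertion signs over a `clientDataJSON` whose `origin` is filled in by the browser and an `rpIdHash` tied to the RP ID, so a relayed assertion fails verification. The RP ID, origins, secret and challenge values are all made up, and an HMAC stands in for the authenticator's ECDSA signature so the example runs with the standard library only; the origin and RP ID checks are the point, and they are unchanged by that substitution.

```python
"""TOTP vs. WebAuthn under a relay ("phishing") attack. Constructed demo data throughout."""
import base64
import hashlib
import hmac
import json
import struct
import time

# --- TOTP (RFC 6238), the "authenticator app" code ----------------------------

TOTP_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")  # constructed demo secret
STEP = 30  # seconds per time step


def totp(secret: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 code for unix time t: HOTP (RFC 4226) over the time counter."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def rp_verify_totp(secret: bytes, submitted: str, now: int, skew: int = 1) -> bool:
    """Real relying party's check: accept codes within +-skew steps.
    Nothing in `submitted` says which site the user typed it into."""
    return any(hmac.compare_digest(totp(secret, now + k * STEP), submitted)
               for k in range(-skew, skew + 1))


def totp_phish(now: int) -> bool:
    """Victim types the code into evil.example; attacker relays it to real.example
    a few seconds later. The RP has no way to tell this from a legitimate login."""
    code_typed_on_phish_site = totp(TOTP_SECRET, now)  # victim reads this off their app
    relayed_by_attacker = code_typed_on_phish_site
    return rp_verify_totp(TOTP_SECRET, relayed_by_attacker, now + 5)  # accepted


# --- WebAuthn assertion, simplified ---------------------------------------------
# The authenticator signs authenticatorData || SHA-256(clientDataJSON). The browser,
# not the page, writes clientDataJSON.origin, and the credential is scoped to the RP ID.
# HMAC stands in for the per-credential ECDSA key so this runs with the stdlib only.

RP_ID = "real.example"                                   # constructed
RP_ORIGIN = "https://real.example"                       # constructed
CREDENTIAL_KEY = b"constructed-credential-private-key"   # stand-in for the key pair


def authenticator_sign(origin_seen_by_browser: str, rp_id: str, challenge: bytes) -> dict:
    """Model of navigator.credentials.get(): the browser records the real origin."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin_seen_by_browser,
    }).encode()
    # rpIdHash (32 bytes) || flags (UP set) || signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + struct.pack(">I", 1)
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify_assertion(assertion: dict, expected_challenge: bytes) -> bool:
    """Relying party's verification steps that give WebAuthn its phishing resistance."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False
    expected_b64 = base64.urlsafe_b64encode(expected_challenge).rstrip(b"=").decode()
    if client.get("challenge") != expected_b64:
        return False
    if client.get("origin") != RP_ORIGIN:  # the origin the browser actually saw
        return False
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():  # rpIdHash must match
        return False
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def webauthn_legit() -> bool:
    challenge = b"constructed-random-challenge-1"
    return rp_verify_assertion(authenticator_sign(RP_ORIGIN, RP_ID, challenge), challenge)


def webauthn_phish() -> bool:
    """evil.example relays the RP's challenge. A real browser would already refuse the
    request (the RP ID is not a registrable suffix of the page's domain); even if an
    assertion were produced, clientDataJSON.origin is the phishing origin and it fails."""
    challenge = b"constructed-random-challenge-2"
    assertion = authenticator_sign("https://evil.example", RP_ID, challenge)
    return rp_verify_assertion(assertion, challenge)  # rejected


if __name__ == "__main__":
    now = int(time.time())
    print("TOTP relayed through phishing site accepted:", totp_phish(now))
    print("WebAuthn legitimate login accepted:        ", webauthn_legit())
    print("WebAuthn relayed through phishing site:    ", webauthn_phish())
```

The TOTP relay succeeds regardless of how carefully the RP verifies the code, because the code is the whole proof and it is portable; the WebAuthn relay fails at the RP with no user vigilance required, which is the property the original post is pointing at.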

@glyph I wish regular password managers weren’t so flaky because they’ve trained me that they can’t be trusted to input the password and I’ll have to copy-paste into place at least occasionally
@porglezomp 1password is pretty good about this, but you have to know how to use it *really* well, and you have to regard "copy/paste into a field on a website" as an omega-level threat, rather than "basic, normal functionality of your computer" which is not in the muscle-memory of most people. https://mastodon.social/@glyph/115942437226812155
@glyph yeah I was very happy with 1Password but I didn’t want to jump into cloud subscription software and the legacy extension is rotting which is part of why I can’t rely on it. Also it never got good tools for merging different accounts that are actually the same. And Passwords.app has a different set of problems like occasionally disconnecting from my browser and being even worse at merging accounts.
@porglezomp I understand the trepidation about subscription software, but personally I am happy to subscribe. I want 1password to update to every new OS security feature, to always be available on lots of new devices, to be up to date and constantly responsive to evolving threats, and that involves a constantly-maintained service not just a drop-it-and-forget-it app purchase.
@glyph I was more opposed to the switch to only supporting online vaults than the subscription but I guess that’s always true with apple’s Passwords so I might as well switch back.
@porglezomp @glyph Just chiming in to a conversation that I wasn’t part of to agree that the “online vault only” bit was the objectionable part for me as well. I’m fine with 1password being a subscription since it’s pretty clear that they need to continually spend on maintaining it in a way that couldn’t be sustained by plain paid upgrades.
@griotspeak @porglezomp as I said, I get the trepidation. I actually use a few features that you can really only get from the "online vault" stuff (and, to be clear, there *is* an offline cache so you don't need to be literally connected to the Internet to access your data) but I can understand wanting a higher level of control over where your data is stored.
@glyph @porglezomp Ah yes I should have included that I do still use 1Password.
@glyph Heck yes. This is what I've been trying to preach for ages. And also why I consider the term "multi factor" not helpful for assessing security.

@glyph TBF a properly functioning (mentioned because not all are, or all the time) password manager would’ve prevented this too.

Though yarp, passkeys make it categorically impossible. Wish I trusted them more! 😰

@bitprophet you should set them up everywhere that allows you to have a TOTP backup. always use passkeys with wild abandon, maintain the TOTP fallback in the rare (and increasingly so over time) case where your webauthn stack shits itself, but treat "I have to enter a TOTP" as an extremely rare and dangerous thing that should only ever come from an action that you initiate (i.e.: never, ever when you click a link in email)

@glyph yea fair, I should keep my eyes out more for where they are an upgrade-with-fallback.

I /have/ seen them put to good use when stored inside 1P, which (IIUC) should mean they’ll also be proof against any sort of device loss.

Also, lol at clicking links in emails! Who does that. I mean I know who, but, it ain’t me that’s for sure.

@bitprophet the ones stored in Chrome and iCloud accounts are also cloud synced and resilient to device loss. the only "passkey"-shaped thing that isn't, is a yubikey, which is not really designed for any use-case without an out-of-band device reset
I'm not entirely pro-passkeys yet, but this is a good case for them.
@snarfmason Passkeys are really good, but the forcing/tricking people into using them rubs people the wrong way.

@semanticist Yeah. My problems are just the user experience bits around managing them.

That's a big one. But also how they sync and where they are stored in a multi device world.

They are definitely technically good.

@snarfmason @bitprophet if you don't mind sharing, what's stopping you from trusting passkeys / being pro-passkey? Not looking to debate, just to understand.
@glyph I vaguely recall the main issues with webauthn being implementation ones, with browsers doing silly things like having internal wallets that don't enable backups and don't allow external provider programs.

Basically, so long as user agency & autonomy are properly enabled, it is a technically superior option.
@lispi314 "don't enable backups" is slightly misunderstanding what is happening but I can see how some users would see it that way. (they do their own backups, to your "wallet" account; they otherwise prevent exfiltration, and a self-hosted backup is indistinguishable from exfiltration. there is a spec for interop and transferring passkeys between wallets but it is not implemented everywhere yet.)

@glyph

to your "wallet" account

What is that and where is it stored?

I have reasons to believe it is less reliable and/or trustworthy a backup solution than the one I use generally.

As for interop, its absence makes the use of passkeys rather less useful and safe with Qubes, where one could instead have an RPC protocol between qubes/VMs (this is a very standard thing on Qubes, it's how keepassxc & the like are intended to be used) such that the one requesting authentication never even has access to the key in any shape or form, but merely passes along the handshake request.

Similar things could be done with hardware devices requiring a particular procedure to be interacted with in administrative mode. Or a different machine over a dedicated SSH protocol (or just piped), etc.

@lispi314 keepassxc has support for passkeys so that seems like it might meet your requirements better than the platform vendors' ones
@glyph I’m using Webauthn on two physical security tokens. One is a backup, the other one is always with me. I also have non-exportable SSH keys on them.
@glyph hmph, very disappointed for not seeing any ”yes, but” comments.
But seriously, webauthn should be made available everywhere. Easier and faster to use than TOTP as well.