LibreOffice Draw allows drag and drop of PDF pages.
Banks also charge for cash services; many business accounts may just include it in the price, but someone has to physically count, collate and move around the cash, often with security. There are costs for running a computer system, and costs for using cash that businesses have always paid. Some small businesses definitely do not understand that, but cashless can be cheaper and safer depending on your country and the quality of banking services.

You just solve it as per the blog post, because it’s trivial to solve, as your browser is literally doing so in a slow language on a potentially slow CPU. It’s only solving 5 digits of the hash by default.

If a phone running JavaScript in the browser has to be able to solve it you can’t just crank up the complexity. Real humans will only wait tens of seconds, if that, before giving up.

It will obviously depend heavily on the type of bot crawling, but that is not hard coordination for harvesting data for LLMs, as they will already have strategies to prevent nodes all crawling the same thing - a simple Valkey cache can store a solved JWT.

The author demonstrated that the challenge can be solved in 17 ms, however, and that is only necessary once every 7 days per site. They need less than a second of compute time, per site, to be able to send unlimited requests 365 days a year.

The deterrent might work temporarily until the challenge pattern is recognised, but there’s no actual protection here, just obscurity. The downside is real however for the user on an old phone that must wait 30 seconds, or like the blogger, a user of a text browser not running JavaScript. The very need to support an old phone is what defeats this approach based on compute power, as it’s always a trivial amount for the data center.
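The cost asymmetry the comment above is arguing about can be put into numbers. The following is an added example, not code from the commenter or from the blog post being discussed: it assumes the common proof-of-work shape of "SHA-256 over challenge plus nonce must start with N hex zeros", a constructed challenge string, and constructed hash rates for an old phone and a server worker. It implements both the server-side verify step and the client-side search, and tabulates how long each difficulty takes at each rate, which is the trade-off a defender has to make when choosing N.

```python
import hashlib
import time

# Constructed sample challenge; not taken from any real deployment.
CHALLENGE = b"example-challenge-2024"


def pow_hash(challenge: bytes, nonce: int) -> str:
    """SHA-256 over challenge || nonce, hex encoded (assumed challenge format)."""
    return hashlib.sha256(challenge + str(nonce).encode()).hexdigest()


def verify(challenge: bytes, nonce: int, difficulty: int) -> bool:
    """Server-side check: the digest must start with `difficulty` hex zeros.
    This is cheap (one hash), regardless of how long the client searched."""
    return pow_hash(challenge, nonce).startswith("0" * difficulty)


def solve(challenge: bytes, difficulty: int) -> tuple[int, int]:
    """Client-side search: increment the nonce until verify() passes.
    Returns (nonce, attempts)."""
    nonce = 0
    while not verify(challenge, nonce, difficulty):
        nonce += 1
    return nonce, nonce + 1


def expected_attempts(difficulty: int) -> int:
    """Mean number of hashes to get `difficulty` leading hex zeros
    (each digit has 16 values, so the search is geometric with p = 16**-d)."""
    return 16 ** difficulty


def seconds_to_solve(difficulty: int, hashes_per_second: float) -> float:
    """Expected wall-clock time at a given hash rate."""
    return expected_attempts(difficulty) / hashes_per_second


def measure_rate(challenge: bytes, samples: int = 20000) -> float:
    """Rough single-core hashes/second on this machine, for the table below."""
    start = time.perf_counter()
    for n in range(samples):
        pow_hash(challenge, n)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    local_rate = measure_rate(CHALLENGE)
    print(f"this machine (Python, one core): ~{local_rate:,.0f} H/s")
    # Assumed rates for the comparison; constructed, not measured.
    scenarios = (
        ("old phone, browser JS", 2e4),
        ("this machine", local_rate),
        ("server worker, native", 1e7),
    )
    for label, hps in scenarios:
        for d in (4, 5, 6):
            print(f"{label:24} difficulty={d}: ~{seconds_to_solve(d, hps):9.3f} s "
                  f"for ~{expected_attempts(d):,} hashes")
    nonce, attempts = solve(CHALLENGE, 3)
    print(f"difficulty 3 solved: nonce={nonce}, attempts={attempts}, "
          f"verify={verify(CHALLENGE, nonce, 3)}")
```

The table makes the comment's point visible: raising the difficulty by one hex digit multiplies everyone's cost by 16, so any setting that a slow phone can finish in seconds is a fraction of a second for a data-center worker, and verification stays a single hash either way.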

You might consider something like the FriendlyElec CM3588 for a DIY option with OpenMediaVault or FreeNAS. I have a big old box currently with spinning metal, but am looking at this as an option now that there are some larger M.2 drives available.
CM3588 Plus

The problems highlighted in the first section are optional however. Forcing a particular authentication / device attestation method isn’t a passkey problem, it’s a provider problem. They are free to do that today with or without passkeys. Equating passkeys = bad because of that feels harsh; it is like any scenario where bad actors behave badly with any given technology.

Doesn’t the post conclude the opposite however, that you can in fact manage your own passkeys outside of any “big tech”?

I think one important detail the author missed is that passkeys are in most cases not a sensible replacement for a password. They can act as a convenient semi-permanent replacement or second factor, but you will always need a mechanism should the passkey or device be lost, which will be a traditional password or account recovery.

If parties do not trust your particular passkey provider / system then you lose that convenience, but the spec does need some way to handle obviously flawed or broken client implementations. If all your passkeys are hanging out in plain text without a PIN/biometric/other key gating their access, they are all compromised and should be rejected.

I really wish they would ditch the elongated display ratio. It’s wasted space in landscape 99% of the time, makes the top of the display inaccessible with one hand and the phone unnecessarily large in your pocket. The premium on these could be justified when all the features hit that mark, but this is poor human UX.