top | item 38521712

gerwim | 2 years ago

What is this post ranting about? Pushing your keys to big tech? There is no difference if you use Chrome’s password manager for passwords or passkeys.

You can save passkeys on your own network if you use Bitwarden or if you want, write your own solution.

For 99% of the internet users, passkeys are much better than passwords.

echohack5 | 2 years ago

Here's a workflow:

1. Normally I run everything on my own devices, use 1Password, 2FA, etc, but rarely I need to use a locked down device and manually and painstakingly enter 100+ character passwords and 2FA keys. Installing anything on the device is out of the question, but I need to use a web browser and auth using these credentials. Copy and paste and externally using any devices to connect with the system is prohibited.

How does doing a FIDO2 dance work in this scenario?

konha | 2 years ago

> Copy and paste and externally using any devices to connect with the system is prohibited.

Like a keyboard? In which case: How do you enter your password?

Is that a common scenario? Where you can use a (presumably) usb attached keyboard but you cannot insert your security key?

barkingcat | 2 years ago

Why does this need a technical solution? Just type in the password. Presumably if the system is important enough to be air-gapped and needs a 100+ character randomized password (without copy paste and without hardware keys), it is important enough for you to spend the time to memorize and type in the passwords.

Otherwise, it is just security theatre if you won't even spend the time to make absolutely sure that 1) you are typing into an authorized device that won't log your key strokes, and 2) that using any other "assistance" mechanisms represents a breach in the security of this system.

Just friggin memorize it and type it in. For me, I memorize my bank password and PIN even though it's very complicated. This information is important enough for me to commit the time and not cheapen out by "relying on a tool". Of course, I keep it in my password manager as a record, but in daily use I absolutely do not say to the teller: oh I need to look it up. I recite to the bank my passphrase and other id confirmation by memorization, I know it even better than my own phone number.

If you need multiple people to log in, each person should have a different password, only memorized by that person alone.

If the person can't memorize it, I would say either change the design of the system or fire this person because "they had one job: to memorize and type in this password".

bonton89 | 2 years ago

> You can save passkeys on your own network if you use Bitwarden or if you want, write your own solution.

And then Google or whoever will block login because your device attestation flag (part of the spec) doesn't say the right version of Chrome or Android. Maybe the website just won't let you log in with Firefox anymore "because hackers use it".

Don't worry, Apple zeroes out their flag (for now) so you'll just have to pretend to be an Apple device to get in (for now). Assuming the service in question doesn't have an axe to grind with Apple anyway.

psanford | 2 years ago

Android passkeys return `fmt:none` as well if you ask for an attestation certificate.

It's pretty weird to claim that this is a big lock-in risk when both of the major players are not supporting attestation certificates for consumer use cases.

And the one well known site (Vanguard) that was requiring an attestation certificate no longer does.
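To make the attestation point in the two comments above concrete, here is an added example (not code from anyone in this thread) of what a relying party actually gets to look at: the `fmt` field of the WebAuthn attestationObject, the `attStmt` next to it, and the AAGUID inside `authData`. With `fmt: "none"` there is no certificate chain, so the site has nothing it could pin to a vendor or browser version. The attestation objects below are constructed sample data, the RP policy function is hypothetical, and the minimal CBOR codec only covers the definite-length subset WebAuthn uses.

```python
"""Added example: how a relying party (RP) inspects a WebAuthn attestationObject.
All attestation objects here are CONSTRUCTED sample data, not captured from a real
authenticator; classify_attestation() is a hypothetical RP policy, not any site's code."""
import hashlib
import struct


# --- minimal CBOR (RFC 8949) codec for the definite-length subset WebAuthn uses ---
def _head(major, n):
    if n < 24:
        return bytes([(major << 5) | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | info]) + n.to_bytes(size, "big")
    raise ValueError("length too large")


def cbor_encode(v):
    if isinstance(v, int):  # COSE keys use negative labels (-1, -2, -3) and alg -7
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(f"unsupported type {type(v).__name__}")


def _decode(b, off):
    major, info = b[off] >> 5, b[off] & 0x1F
    off += 1
    if info < 24:
        n = info
    elif info in (24, 25, 26, 27):
        size = 1 << (info - 24)
        n = int.from_bytes(b[off:off + size], "big")
        off += size
    else:
        raise ValueError("indefinite-length items are not allowed in WebAuthn CBOR")
    if major == 0:
        return n, off
    if major == 1:
        return -1 - n, off
    if major == 2:
        return bytes(b[off:off + n]), off + n
    if major == 3:
        return b[off:off + n].decode("utf-8"), off + n
    if major == 4:
        items = []
        for _ in range(n):
            x, off = _decode(b, off)
            items.append(x)
        return items, off
    if major == 5:
        items = {}
        for _ in range(n):
            k, off = _decode(b, off)
            x, off = _decode(b, off)
            items[k] = x
        return items, off
    raise ValueError(f"unsupported major type {major}")


def cbor_decode(data):
    v, off = _decode(data, 0)
    if off != len(data):
        raise ValueError("trailing bytes after CBOR item")
    return v


def parse_auth_data(ad):
    """authData layout: rpIdHash(32) flags(1) signCount(4)
    [if AT flag: aaguid(16) credIdLen(2) credId(n) COSE public key]."""
    flags = ad[32]
    out = {"rpIdHash": ad[:32], "userPresent": bool(flags & 0x01),
           "userVerified": bool(flags & 0x04), "signCount": struct.unpack(">I", ad[33:37])[0]}
    if flags & 0x40:  # AT bit: attested credential data follows
        cred_len = struct.unpack(">H", ad[53:55])[0]
        out["aaguid"] = ad[37:53]
        out["credentialId"] = ad[55:55 + cred_len]
    return out


def classify_attestation(attestation_object):
    """Hypothetical RP check: can this registration be tied to an authenticator vendor?
    Only an attStmt carrying an x5c certificate chain (packed/tpm/android-key/apple/
    fido-u2f) gives the RP something to verify; fmt "none" carries nothing at all."""
    att = cbor_decode(attestation_object)
    auth = parse_auth_data(att["authData"])
    return {"fmt": att["fmt"],
            "aaguid": auth.get("aaguid", b"").hex(),
            "vendor_verifiable": att["fmt"] != "none" and "x5c" in att["attStmt"]}


def build_sample_attestation(fmt, att_stmt, aaguid=b"\x00" * 16):
    """CONSTRUCTED attestationObject for rpId example.com; key material is dummy bytes."""
    cose_key = {1: 2, 3: -7, -1: 1, -2: b"\x11" * 32, -3: b"\x22" * 32}  # EC2, ES256, P-256
    auth_data = (hashlib.sha256(b"example.com").digest() + bytes([0x45])  # UP|UV|AT
                 + struct.pack(">I", 0) + aaguid + struct.pack(">H", 16) + b"\x33" * 16
                 + cbor_encode(cose_key))
    return cbor_encode({"fmt": fmt, "attStmt": att_stmt, "authData": auth_data})


if __name__ == "__main__":
    # The case the thread describes: fmt "none", empty attStmt, zeroed AAGUID.
    print(classify_attestation(build_sample_attestation("none", {})))
    # Contrast: a "packed" attestation with a (dummy) x5c chain the RP could validate.
    packed = build_sample_attestation(
        "packed", {"alg": -7, "sig": b"\x44" * 64, "x5c": [b"\x55" * 8]}, aaguid=b"\x01" * 16)
    print(classify_attestation(packed))
```

The `vendor_verifiable` result is the whole story: a site that wants to allowlist Chrome-on-Android or reject Firefox needs a chain it can validate, and an authenticator answering `fmt: "none"` gives it nothing to validate, which is why a policy of "attestation required" simply turns into "platform passkeys rejected" rather than selective lock-in.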

aftbit | 2 years ago

How exactly does this work? I have Bitwarden and Firefox on Linux. I have been unable to get Passkeys to work at all, using either Bitwarden or my YubiKey. Is Firefox just not supported?

gerwim | 2 years ago

You need version 2023.10 (or higher) for both extension and server for it to work.