WingNews logo WingNews
top | item 45737608

(no title)

ajnin | 4 months ago

> websites which [...] also want to know how the passkey is being handled by the user’s device to keep their accounts safe

This is exactly where passkeys go too far. "to keep their accounts safe" is always the excuse used to reduce the freedoms of users. Web sites have no business deciding how things are handled on user devices but it's precisely what passkeys enable. The boundary of control of a website used to stop at the interface between the site and the user. Now that boundary will extend to the devices. The idea of property and ownership is attacked again. The device is not something the user owns and has full control over but something that is a gateway to access content controlled by the big Internet companies.

Knowing this, how long until Netflix, Disney other content providers (sorry I don't know which ones are popular right now) demand use of a passkey originating form a device with a Trusted Platform (aka Untrusted User) Module ? This is part of a long plan initiated years ago with Windows TPM requirements, Microsoft account requirements. The gap between closed and open platforms will widen and the path is clearly to apply the Smartphone model where everything is closed, controlled, DRM'd, to other computers. We're lucky the IBM PC architecture was an open one but the war on that is on.

discuss

order

throwawayffffas|4 months ago

Yep the whole tpm thing and the device constrained nature they have envisioned is the major drawback.

But no they have to live in their secured enclave or on a dongle so that you can't copy them between devices because nothing ever happened to a device.

As if the rest of the users system is compromised the user can't be tricked into providing access to their account.

And no one ever "recovered" someone else's account.

The main benefit of passkeys is that they are keys you don't have to send them over the wire. The main risk of having them on disk encrypted purely in software is that a compromised system can lead to the keys getting stolen.

Their trusted platform bulshit doesn't really escape that threat though, instead of stealing your keys the attacking malware can just get access to your service and maybe even enroll their own key.

If you tried to login to a website and you got two requests to allow the use of your key one after the other would you really have the wherewithal to say no wait a second I just gave permission for that key to be used, the second request is obviously from malware on this computer that's trying to gain access to my account.

That's ignoring that the malware can just read everything you are reading.

The whole tpm obsession is security theater on top of a power play

m-p-3|4 months ago

> But no they have to live in their secured enclave or on a dongle so that you can't copy them between devices because nothing ever happened to a device.

I'm actually fine with this. It's like how SSH private keys are supposed to be handled: generated on the device, and never supposed to leave it.

The proper way of doing Passkeys is to have several Passkeys enrolled in your account, so that you always have a trusted device to access your services. Now, if the service doesn't allow multiple Passkeys per account that IS a problem.

stavros|4 months ago

I've seen this argument many times, but I don't understand it. Can you explain a scenario where this would be an issue? So, Netflix makes me log in with a passkey that comes from their own hardware, instead of my password manager. What's the danger there, beyond the fact that this seems to me extremely unworkable because I'd just never sign in?

array_key_first|4 months ago

The danger is that you now can no longer use netflix without they're approved hardware? Of course, that's essentially already the case with netflix, but this becomes dicey when services that actually matter take this approach.

And then suddenly you're debanked.

petre|4 months ago

> Web sites have no business deciding how things are handled on user devices but it's precisely what passkeys enable.

On the contrary, their operators can decide whatever they like, but I won't be visiting them if they go the passkeys route. I can live w/o Netflix or Disney just fine.

Your PII will leak off their platform anyway.

ajnin|4 months ago

You'll also have to live without banking, government ID ... The "I don't need those services" rhetoric only goes so far.

DANmode|4 months ago

How do you keep out multi-device USB HSM users?

Arbitrarily?

I’ll die on that hill.