Post AVHpjT5KYBtdRTGyn2 by LarsFosdal@mastodon.social
 (DIR) Post #AVHn9jwkBNq3P65n1c by lauren@mastodon.laurenweinstein.org
       2023-05-03T18:18:29Z
       
       0 likes, 0 repeats
       
       Oh, and to be clear, I will *not* be enabling #Google passkeys on any of my devices at this time. I noticed that Google already created them automatically for two of my devices, but apparently they are unused unless I choose to enable passkeys on the account.
       
 (DIR) Post #AVHnPX5njzmwAgrLYu by LarsFosdal@mastodon.social
       2023-05-03T18:21:14Z
       
       0 likes, 0 repeats
       
       @lauren I have no issues with activating passkeys on my Pixel.
       
 (DIR) Post #AVHnYlMw1zMl3TH6gK by bhawthorne@infosec.exchange
       2023-05-03T18:22:53Z
       
       0 likes, 0 repeats
       
       @lauren The only reason I want to enable passkeys is to disable the “Google prompt” authentication that can’t otherwise be disabled without logging out of the account on that device. The most frustrating behavior is when Google sends me an email, I open it in the gmail app, which opens an embedded browser that then wants to authenticate by prompting me in gmail, and the only way to get to that prompt is by closing the embedded browser. Lather-rinse-repeat.
       
 (DIR) Post #AVHoi68gHH2825cg1w by bhawthorne@infosec.exchange
       2023-05-03T18:34:41Z
       
       0 likes, 0 repeats
       
       @LarsFosdal @lauren Given that Google already uses prompts on logged-in devices as a second authentication method, and there is no way to disable this, do passkeys introduce additional risk?
       
 (DIR) Post #AVHoi71H0IhalPAH7g by lauren@mastodon.laurenweinstein.org
       2023-05-03T18:35:51Z
       
       0 likes, 0 repeats
       
       @bhawthorne @LarsFosdal Passkeys apparently override both passwords and all 2FA methods.
       
 (DIR) Post #AVHovz71CSIKIGT0TY by bhawthorne@infosec.exchange
       2023-05-03T18:38:21Z
       
       0 likes, 0 repeats
       
       @lauren @LarsFosdal Just like Google prompts do. Will they never learn? I have a perfectly good 2FA authenticator app configured for my Google accounts, but it is nearly impossible to get Google to use it because they insist on prioritizing their Google Prompts and now passkeys.
       
 (DIR) Post #AVHoyQdVpx0aElpaaW by LarsFosdal@mastodon.social
       2023-05-03T18:38:53Z
       
       0 likes, 0 repeats
       
       @lauren @bhawthorne Replace, not override. And you can still log into a different device and disable the passkey device. We'll have to see how it turns out over time.
       
 (DIR) Post #AVHpA2iia8z3XPnufA by lauren@mastodon.laurenweinstein.org
       2023-05-03T18:40:53Z
       
       0 likes, 0 repeats
       
       @LarsFosdal @bhawthorne No need to quibble with words. The point is that if a passkey is present neither a password nor 2FA method matters on that device.
       
 (DIR) Post #AVHpEMFDvudFFY48tk by lauren@mastodon.laurenweinstein.org
       2023-05-03T18:41:41Z
       
       0 likes, 0 repeats
       
       @LarsFosdal @bhawthorne Sure, if you can get to another device before the thief has locked you out.
       
 (DIR) Post #AVHpG5bEn0ooCoBjZA by LarsFosdal@mastodon.social
       2023-05-03T18:42:02Z
       
       0 likes, 0 repeats
       
       @lauren @bhawthorne My device still needs my pin or fingerprint.
       
 (DIR) Post #AVHpJGjtpRnjcikvuy by lauren@mastodon.laurenweinstein.org
       2023-05-03T18:42:38Z
       
       0 likes, 0 repeats
       
       @LarsFosdal @bhawthorne Have you been reading what I've been writing this morning? If so, please read it again.
       
 (DIR) Post #AVHpjT5KYBtdRTGyn2 by LarsFosdal@mastodon.social
       2023-05-03T18:47:18Z
       
       0 likes, 0 repeats
       
       @lauren @bhawthorne I did. You can disable the passkeys from the start if you feel that you need to. Passkeys are IMO no worse than physical keys.
       
 (DIR) Post #AVHpsVkpzjqAKN02Ea by lauren@mastodon.laurenweinstein.org
       2023-05-03T18:48:58Z
       
       0 likes, 0 repeats
       
       @LarsFosdal @bhawthorne They are worse than physical keys in that physical keys aren't, ya know, usually taped to the back of the phone when the phone is stolen.
       
 (DIR) Post #AVHq0VXWg1uHyiaPLc by LarsFosdal@mastodon.social
       2023-05-03T18:50:25Z
       
       0 likes, 0 repeats
       
       @lauren @bhawthorne What is the difference between a stolen phone and a stolen security key?
       
 (DIR) Post #AVHq8ylVtu2cw8AUXQ by BoredomFestival@sfba.social
       2023-05-03T18:51:55Z
       
       0 likes, 0 repeats
       
       @lauren I still don't understand what a passkey is, and I am a Googler
       
 (DIR) Post #AVHqAh3EjTCYZnH8sa by lauren@mastodon.laurenweinstein.org
       2023-05-03T18:52:02Z
       
       0 likes, 0 repeats
       
       @LarsFosdal @bhawthorne Because a thief is unlikely to get both a phone and a security key at the same time. A phone can be grabbed or left on a bar after being spied on. Security key is probably on a keychain in a pocket if carried. Physical separation matters.
       
 (DIR) Post #AVHqCSusFxs9JiD17I by lauren@mastodon.laurenweinstein.org
       2023-05-03T18:52:34Z
       
       0 likes, 0 repeats
       
       @BoredomFestival Q.E.D. (or maybe, WAI).