Post AaeItZ6KCd18Yd3su0 by cazabon@mindly.social
Post #AadUODAUhdNvqhrrSS by lauren@mastodon.laurenweinstein.org
2023-10-10T15:12:56Z
0 likes, 2 repeats
***** Google is making their weak, flawed passkey system the default login method — I urge you NOT to use it! *****

https://lauren.vortex.com/2023/10/10/dont-use-google-passkeys-now

#Google continues to push ahead with its ill-advised scheme to force passkeys on users who do not understand their risks, and will try to push all users into this flawed system starting imminently.

In my discussions with Google on this matter (I have chatted multiple times with the Googler in charge of this), they have admitted that their implementation, by depending completely on device authentication security which for many users is extremely weak, will put many users at risk of their Google accounts being compromised. However, they feel that overall this will be an improvement for users who have strong authentication on their devices.

And as for ordinary people who already are left behind by Google when something goes wrong? They'll get the shaft again. Google has ALWAYS operated on this basis -- if you don't fit into their majority silos, they just don't care. Another way for Google users to get locked out of their accounts and lose all their data, with no useful help from Google.

With Google's deficient passkey system implementation -- they refuse to consider an additional authentication layer for protection -- anyone who has authenticated access to your device (that includes the creep that watched you access your phone in that bar before he stole it) will have full and unrestricted access to your Google passkeys and accounts on the same basis. And when you're locked out, don't complain to Google, because they'll just say that you're not the user that they're interested in -- if they respond to you at all, that is.

"Thank you for choosing Google." --Lauren--
Post #AaeItV2dIPgfy1Isam by Nazani@universeodon.com
2023-10-11T02:59:26Z
0 likes, 0 repeats
@lauren Am I correct in thinking that I'll have to have my phone on hand to access passkeyed accounts?
Post #AaeItWV1sJzoUNb4Ua by lauren@mastodon.laurenweinstein.org
2023-10-11T03:04:28Z
0 likes, 0 repeats
@Nazani Depends on implementations and configurations. But perhaps a more interesting question is what happens to people who don't use smartphones at all? Then you have to depend on other devices' authentication. But many people don't use ANY authentication on their home systems. There are far more of these cases than Google would care to admit. And putting aside thefts, what happens when the phone just breaks down? Doesn't boot one day. Gets dropped and dies. Then you have to depend on Google's oh so much fun account recovery systems, that lock out vast numbers of users permanently for no valid reason.
Post #AaeItZ6KCd18Yd3su0 by cazabon@mindly.social
2023-10-11T04:00:14Z
1 likes, 1 repeats
@lauren @Nazani It's also more than just Google regarding not using #smartphones.

I run into a disturbing, and ever-growing, number of web-based #services that simply cannot be accessed without a #smartphone - they want a phone number rather than an #email address to register, they want to #SMS you a PIN (ugh, SS7) to create an account or log in or pretty much anything else.

I choose not to have a #mobile phone - but I'm starting to see even #government/#public services that require one.
Post #AafmviLG0YRPZzwln6 by feld@bikeshed.party
2023-10-11T21:29:23.446140Z
0 likes, 0 repeats
Or just use a hardware passkey like a Yubikey and move on with your life.

If you want a digital one unconnected to Google or Apple and synced across OSes and devices there's the 1Password implementation.

There are many options that protect you from the "if attacker gets your phone they have full access now" scenario everyone is doomsdaying about
Post #AafqHNymhB9ueySdOq by lauren@mastodon.laurenweinstein.org
2023-10-11T21:59:16Z
0 likes, 0 repeats
@feld Physical (e.g. FIDO) keys are my preferred mechanism. But basically none of this stuff works for most non-techies.
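The thread argues about two things a relying party can actually observe: whether the passkey sits on a device-bound authenticator (feld's YubiKey) or is a synced, cloud-backed credential (the Google and 1Password implementations), and whether the authenticator verified the user (PIN, biometric, device unlock) rather than merely registering a touch. WebAuthn Level 3 exposes both in the one-byte flags field of the authenticator data: UV (user verified), BE (backup eligible) and BS (backup state). The following Python is an added example written for this page, not code from any poster, from Google, or from any passkey product. It parses authenticator data and applies a relying-party policy on those flags; `example.com`, the policy choices, and the three sample blobs are constructed for illustration (the sample blobs carry an empty CBOR map where a real registration would carry the COSE public key).

```python
"""Added example: inspect WebAuthn authenticator data flags on the relying-party side.

All inputs below are constructed; no real Google or YubiKey data is included.
"""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

# Bit layout of the one-byte "flags" field in authenticator data (WebAuthn Level 3).
FLAG_UP = 0x01  # user present: a touch or other gesture happened
FLAG_UV = 0x04  # user verified: PIN, biometric or device unlock was checked
FLAG_BE = 0x08  # backup eligible: the credential may be synced to other devices
FLAG_BS = 0x10  # backup state: the credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: bytes | None        # authenticator model id, registration only
    credential_id: bytes | None

    def has(self, flag: int) -> bool:
        return bool(self.flags & flag)


def parse_auth_data(data: bytes) -> AuthData:
    """Parse rpIdHash || flags || signCount [|| attestedCredentialData]."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    aaguid = cred_id = None
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("truncated attested credential data")
        aaguid = data[37:53]
        (cred_len,) = struct.unpack(">H", data[53:55])
        cred_id = data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("truncated credential id")
        # The COSE public key (CBOR) follows the credential id; the flag
        # policy below does not need it, so it is left unparsed here.
    return AuthData(rp_id_hash, flags, sign_count, aaguid, cred_id)


def build_auth_data(rp_id: str, flags: int, sign_count: int = 0,
                    aaguid: bytes = bytes(16), cred_id: bytes = b"") -> bytes:
    """Construct authenticator data for testing; 0xa0 is an empty CBOR map standing in for the key."""
    out = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        out += aaguid + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0"
    return out


def evaluate_policy(ad: AuthData, rp_id: str, stored_sign_count: int = 0,
                    require_uv: bool = True, allow_synced: bool = False) -> list[str]:
    """Return the list of policy violations; an empty list means accept."""
    problems: list[str] = []
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match this relying party")
    if not ad.has(FLAG_UP):
        problems.append("user presence not asserted")
    if require_uv and not ad.has(FLAG_UV):
        problems.append("user verification (PIN/biometric/unlock) not performed")
    if not allow_synced and ad.has(FLAG_BE):
        problems.append("credential is backup-eligible (synced passkey); device-bound key required")
    # A non-zero counter that fails to increase suggests a cloned private key.
    # Synced passkeys commonly report 0, which leaves this check inactive.
    if stored_sign_count > 0 and ad.sign_count <= stored_sign_count:
        problems.append("signature counter did not increase (possible cloned credential)")
    return problems


RP_ID = "example.com"  # assumed relying-party id for the constructed samples

# Constructed sample: registration from a synced (cloud-backed) passkey.
SYNCED_REGISTRATION = build_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT,
                                      cred_id=b"\x01" * 20)
# Constructed sample: assertion from a device-bound security key that checked a PIN.
HARDWARE_ASSERTION = build_auth_data(RP_ID, FLAG_UP | FLAG_UV, sign_count=42)
# Constructed sample: assertion where the authenticator skipped user verification.
NO_UV_ASSERTION = build_auth_data(RP_ID, FLAG_UP | FLAG_BE | FLAG_BS)


if __name__ == "__main__":
    print("synced registration:", evaluate_policy(parse_auth_data(SYNCED_REGISTRATION), RP_ID) or "accepted")
    print("hardware assertion: ", evaluate_policy(parse_auth_data(HARDWARE_ASSERTION), RP_ID, 41) or "accepted")
    print("no-UV assertion:    ", evaluate_policy(parse_auth_data(NO_UV_ASSERTION), RP_ID) or "accepted")
```

Whether to reject BE credentials or require UV is a policy decision each site makes; a consumer site will usually accept synced passkeys, while a high-value account may insist on device-bound keys with user verification. The point is that the relying party is not blind to the distinction the thread is arguing over, provided it actually checks these bits instead of accepting any assertion that verifies.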