Post AarUtQiE64j4Yx5iAS by erlenmayr@chaos.social
 (DIR) Post #AarOtxD2fsAFcqN6Ya by GossiTheDog@cyberplace.social
       2023-10-17T09:53:26Z
       
       0 likes, 1 repeats
       
       Going to be interesting to see if this happens:
       1) Google and Apple integrate Passkeys in a way which is recoverable for device swaps, i.e. keys are backed up centrally and it is required - both US companies
       2) services like WhatsApp etc require all accounts to use Passkeys
       3) National Security letters or the like https://en.wikipedia.org/wiki/National_security_letter
       
 (DIR) Post #AarOu4wJvvXfbIbrbU by saper@mastodon.social
       2023-10-17T09:58:47Z
       
       0 likes, 0 repeats
       
       @GossiTheDog can you provide some context? I am not sure I get this...
       
 (DIR) Post #AarOu9AIDv5yhnB4wC by PlaneSailingGames@chirp.enworld.org
       2023-10-17T10:22:20Z
       
       0 likes, 0 repeats
       
       @GossiTheDog @saper I think he is saying that if the passkeys leave the device and are stored centrally, then the government could gain access to them and thus all your stuff
       
 (DIR) Post #AarOuR6hW0uwLrdSq0 by saper@mastodon.social
       2023-10-17T11:25:03Z
       
       1 likes, 0 repeats
       
       @PlaneSailingGames @GossiTheDog I am no expert on #Webauthn but maybe some "pure-device-based-no-backup" attestation type could be added. But then, in turn, the relying party would need to require that and only that. Unlikely to happen. Does this mean that relying parties might need to maintain "trusted" lists of attestation CAs in the future?

       Here it would be unlikely that Google, Apple and Microsoft certificates will not be included on those lists by default.

       pls help @kravietz :)
       
 (DIR) Post #AarOuUfCIDIHNinYWW by kravietz@agora.echelon.pl
       2023-10-17T11:56:59.411746Z
       
       0 likes, 0 repeats
       
       @saper Under FIDO, to which Google declares compliance for passkeys[^1], the private key should never leave the client device so they shouldn't be stored on the server… but that applies to the service provider (e.g. Shopify website). Identity providers, in this case Google or Apple, of course do store private keys on their servers for backup purposes, only they declare them to be encrypted by the sync passphrase.

       I guess there are two workflows here: one under normal usage scenarios, one under TAO[^2] or other "law enforcement love letter" scenarios.

       Granted that an identity provider like Google controls all data flows for any software keys, from storage (Android), sync passphrase entry (Android) to operating system and application updates (especially after hosted developer keys were introduced to Android[^3]), it would be naive to have any illusions that under a TAO scenario they won't retrieve that one way or another.

       This shouldn't be the case with hardware authenticators, of course, which are also allowed by Passkeys. Or at least building a side channel for private key retrieval will be much more difficult even in a TAO scenario.

       [^1]: https://developers.google.com/identity/passkeys
       [^2]: https://en.wikipedia.org/wiki/Tailored_Access_Operations
       [^3]: https://www.theregister.com/2021/07/01/android_app_bundle/

       @PlaneSailingGames @GossiTheDog
       
 (DIR) Post #AarSqEzwzfBFSGjVwW by GossiTheDog@cyberplace.social
       2023-10-17T12:32:33Z
       
       0 likes, 0 repeats
       
       @kravietz @saper @PlaneSailingGames yeah.. you might want to look at how Passkeys has been implemented compared to FIDO.
       
 (DIR) Post #AarSqJIX0WQ6n3SPSa by kravietz@agora.echelon.pl
       2023-10-17T12:41:06.861888Z
       
       0 likes, 0 repeats
       
       @GossiTheDog Maybe I got something wrong, but they seem to be FIDO credentials per https://fidoalliance.org/passkeys/#faq with all the consequences, especially options for storage:

       > From a technical standpoint, passkeys are FIDO credentials that are discoverable by browsers or housed within native applications or security keys for passwordless authentication. Passkeys replace passwords with cryptographic key pairs for phishing-resistant sign-in security and an improved user experience. The cryptographic keys are used from end-user devices (computers, phones, or security keys) for user authentication.

       Most importantly:

       > Passkeys that are managed by phone or computer operating systems are automatically synced between the user's devices via a cloud service. The cloud service also stores an encrypted copy of the FIDO credential. Passkeys can also by design be available only from a single device from which they cannot be copied. Such passkeys are sometimes referred to as "single-device passkeys". For example, a physical security key could contain multiple single-device passkeys.

       @saper @PlaneSailingGames
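
       A worked example of the relying-party side of what @saper and the FIDO FAQ above describe, added here and not taken from the thread, the FIDO Alliance or any vendor: WebAuthn Level 3 exposes backup-eligible (BE) and backup-state (BS) bits in the authenticator data flags byte, so a relying party can refuse synced passkeys and accept only single-device ones. The RP ID and the sample authenticator data are constructed for the example.

```python
"""Added example (not from the thread): relying-party check of the WebAuthn
authenticator data flags byte. WebAuthn Level 3 defines BE (backup eligible,
bit 3) and BS (backup state, bit 4). Sample inputs below are constructed."""
import hashlib
import struct

RP_ID = "example.com"  # hypothetical relying party ID
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS = 0x01, 0x04, 0x08, 0x10

def parse_auth_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }

def check_single_device_policy(auth_data: bytes, rp_id: str = RP_ID) -> tuple:
    """Accept only credentials that cannot be synced (BE = 0). The flags are
    self-reported by the authenticator, so an RP that relies on them must also
    verify attestation against the attestation CAs it trusts."""
    info = parse_auth_data(auth_data)
    if info["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not info["user_present"]:
        return False, "user presence not asserted"
    if info["backed_up"] and not info["backup_eligible"]:
        return False, "invalid flags (BS set without BE)"  # forbidden by the spec
    if info["backup_eligible"]:
        state = "currently backed up" if info["backed_up"] else "not yet backed up"
        return False, f"synced passkey rejected (backup eligible, {state})"
    return True, "single-device credential accepted"

def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a minimal 37-byte authenticator data prefix for testing."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

if __name__ == "__main__":
    synced = make_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    hardware_key = make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 42)
    print(check_single_device_policy(synced))
    print(check_single_device_policy(hardware_key))
```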
       
 (DIR) Post #AarUtP8NxqSjfVJZfE by bontchev@infosec.exchange
       2023-10-17T09:55:42Z
       
       0 likes, 0 repeats
       
       @GossiTheDog Well, at least for now, the passkeys backed up to the cloud are end-to-end encrypted.
       
 (DIR) Post #AarUtQ0ygs8COorAky by GossiTheDog@cyberplace.social
       2023-10-17T09:57:09Z
       
       0 likes, 0 repeats
       
       @bontchev are they though? E.g. if I throw my phone in the bin and get a new one, I get all my passkeys back - I just recently did this
       
 (DIR) Post #AarUtQiE64j4Yx5iAS by erlenmayr@chaos.social
       2023-10-17T10:05:53Z
       
       0 likes, 0 repeats
       
       @GossiTheDog @bontchev Recovery via help desk can be disabled. If you then lose all your iPhones, Macs, iPads etc. at the same time, you will lose everything. It is always syncing end-to-end between your devices. At least that's what Apple says. Of course you never know what non-free software actually does.
       
 (DIR) Post #AarUtRYKyKPTAZTKOO by WPalant@infosec.exchange
       2023-10-17T13:01:26Z
       
       1 likes, 0 repeats
       
       @erlenmayr @GossiTheDog @bontchev “Can be disabled” is an excuse, not a design choice. 99% of the people will never do it, and whoever designed this system knows that perfectly well. Ergo, US effectively has access to 99% of the passkeys.
       
 (DIR) Post #Aarm7sdkl0AoSETWAS by saper@mastodon.social
       2023-10-17T13:04:38Z
       
       0 likes, 0 repeats
       
       @GossiTheDog @kravietz @PlaneSailingGames got it! in short: FIDO good, passkey bad
       
 (DIR) Post #Aarm7tUvZIhx79Lz3A by vpz@infosec.exchange
       2023-10-17T16:16:24Z
       
       1 likes, 0 repeats
       
       @saper @GossiTheDog @kravietz @PlaneSailingGames What it sounds like is that how a user configures the security around passkeys is important. Using the Apple example mentioned previously, iCloud Keychain security[1] is what protects passkeys, if I'm reading this stuff correctly. So a user who cares more about security than convenience is going to take extra steps to secure iCloud Keychain like using two-factor with Yubikeys. And by NOT doing that, the security of Keychain isn't that great.

       [1] https://support.apple.com/guide/security/icloud-keychain-security-overview-sec1c89c6f3b/1/web/1
       
 (DIR) Post #AasA8PvTOnrAaXYJDE by saper@mastodon.social
       2023-10-17T20:45:49Z
       
       1 likes, 0 repeats
       
       @vpz @GossiTheDog @kravietz @PlaneSailingGames (i)Cloud accounts have been targeted for hijack for quite a long time. What is the point of cloud-based passkeys?

       So I am going to protect myself against hijacking, say, my GitHub account, but my Apple account stays less protected?

       But if I go ahead and buy a real hardware FIDO key, I can use it for all services, including GitHub and (probably) Apple, so why bother with the cloud-based solution?
       
 (DIR) Post #AasAMNHM2OKMQtRUuW by kravietz@agora.echelon.pl
       2023-10-17T20:48:47.558957Z
       
       0 likes, 0 repeats
       
       @saper You are not the target audience 😉

       > Developers and users both hate passwords: they give a poor user experience, they add conversion friction, and they create security liability for both users and developers.

       https://developers.google.com/identity/passkeys

       @vpz @GossiTheDog @PlaneSailingGames
       
 (DIR) Post #AasB5VM2rKbOVh9kgK by feld@bikeshed.party
       2023-10-17T20:56:46.924916Z
       
       1 likes, 0 repeats
       
       > but my Apple account stays less protected

       How? They can't get into the account without your passkey. It's not actually stored "in the cloud", so they can't steal it from there. They'd need physical access to one of your devices to get it.
       
 (DIR) Post #AasCHwVVpdKM9U4yf2 by feld@bikeshed.party
       2023-10-17T21:10:00.999564Z
       
       0 likes, 0 repeats
       
       > So a user who cares more about security than convenience is going to take extra steps to secure iCloud Keychain like using two-factor with Yubikeys.

       iCloud Keychain, since the initial deployment of E2E encryption, has always had its own built-in 2FA protection outside your Apple account's own 2FA. You have to approve adding iCloud Keychain to another device with an existing trusted device OR you have to use your iCloud Security Code that you were prompted for when you initially activated iCloud Keychain.

       https://support.apple.com/guide/iphone/passkeys-passwords-devices-iph82d6721b2/ios