We’ve had certificate authentication (backed by hardware) for ages. We could fix the UX there and be done with it, but nooooo, we are reinventing everything again. (Tangentially related: JWT, OIDC and SAML are basically kerberos with extra steps.)
I’ve been using certificate based auth on https for ages on my ops stuff. Most devices support just slapping an SSL/TLS key into their os, but not everything.
But when I wanted to use it for Jellyfin, I found TVs and sticks aren’t all straightforward.
I mean, the passkey is still in there. It’s protected by convention. It’s a bearer token wrapped in a password manager, presented as a revolution.
We have the technology, can we please pour the same amount of resources into what we’ve already had for decades? Passkeys solve the UX issue for ”normal people”, that’s the selling point.
a very long password that (ideally) is only bound to a single device, requires a second identifier (biometric, PIN, password) and that is phishing resistant.
thus rendering them redundant, because their strength is being bound to a single physical device. if they’re portable, they’re as good as asymmetric key pairs.
Their strength is being half a cryptographic key, not that they’re device bound.
That was a “requirement” that big tech wanted, to force you to be dependent on TPM storage, so you’d be forced to use a Trusted™ device and OS. It was made optional after pushback from basically everyone else.
Password managers support Passkeys now. Bitwarden and KeePassX among others.
As long as I trust that my password manager is secure, and as long as I use a strong master password or (better) have a hardware key to unlock it, it is way more secure than a password, and I can still install Linux without losing my logins.
that’s not the point, passkeys are not vendor centric, they are a standard. you don’t want to duplicate a passkey for the same reason you don’t want to copy an SSH private key on multiple devices. it’s a security feature that allows disabling the account access in case the device becomes compromised (lost, stolen, infected, etc.)
exactly, but are people using it outside of proprietary apps like whatsapp? not really that much.
no use in being open if in practice its still controlled by monopolistic corporations.
i could use chrome or android as an example too. are there people using custom roms or forks and exercising their openness? yeah, but not that much either.
i refuse to give my phone my thumbprint or do a face unlock. i’m not sure if it’s still collecting a biometric bullshit on my face, but i have not done it myself. I’m a luddite here and i insist on it so no one (especially no one trying to violate the united states 4th amendment) can get into my phone without my permission or hacking into it.
i refuse to give my phone my thumbprint or do a face unlock. i’m not sure if it’s still collecting a biometric bullshit on my face, but i have not done it myself.
Then get a Yubikey. Replace “something you are” with “something you have”. It’s not ideal to have two somethings you have as your two factors, but a password to get into the computer to get to the passkey adds an extra layer that makes me comfortable with it.
I’m a luddite here and i insist on it so no one (especially no one trying to violate the united states 4th amendment) can get into my phone without my permission or hacking into it.
In the context of this discussion, it’s one of two factors. But I agree with you when it’s the only factor.
Passkeys, more likely.
so passwords (that you can’t memorize) with extra steps
Half a cryptographic key that you can’t easily give to someone over the phone by accident.
By convention. See for example: https://github.com/keepassxreboot/keepassxc/issues/10407
We’ve had certificate authentication (backed by hardware) for ages. We could fix the UX there and be done with it, but nooooo, we are reinventing everything again. (Tangentially related: JWT, OIDC and SAML are basically kerberos with extra steps.)
I’ve been using certificate based auth on https for ages on my ops stuff. Most devices support just slapping an SSL/TLS key into their os, but not everything.
But when I wanted to use it for Jellyfin, I found TVs and sticks aren’t all straightforward.
In your link, they closed that ticket as not planned because they intend to implement FIDO’s secure exchange protocols. https://github.com/keepassxreboot/keepassxc/issues/11363
It should (hopefully) be secure when they get done.
I mean, the passkey is still in there. It’s protected by convention. It’s a bearer token wrapped in a password manager, presented as a revolution.
We have the technology, can we please pour the same amount of resources into what we’ve already had for decades? Passkeys solve the UX issue for ”normal people”, that’s the selling point.
a very long password that (ideally) is only bound to a single device, requires a second identifier (biometric, PIN, password) and that is phishing resistant.
yay vendor lock in. google or meta password manager salivating.
Bitwarden has been working great with me as sits transition to passkeys, even big corporate ones.
But yeah in practice, google and facebook are going to probably dominate because they are the easy + free option.
KeepassXC supports passkeys as well.
thus rendering them redundant, because their strength is being bound to a single physical device. if they’re portable, they’re as good as asymmetric key pairs.
Their strength is being half a cryptographic key, not that they’re device bound.
That was a “requirement” that big tech wanted, to force you to be dependent on TPM storage, so you’d be forced to use a Trusted™ device and OS. It was made optional after pushback from basically everyone else.
Password managers support Passkeys now. Bitwarden and KeePassX among others.
As long as I trust that my password manager is secure, and as long as I use a strong master password or (better) have a hardware key to unlock it, it is way more secure than a password, and I can still install Linux without losing my logins.
i’m assuming most people will use the default, which will probably be google lock in anyway.
that’s not the point, passkeys are not vendor centric, they are a standard. you don’t want to duplicate a passkey for the same reason you don’t want to copy an SSH private key on multiple devices. it’s a security feature that allows disabling the account access in case the device becomes compromised (lost, stolen, infected, etc.)
they are standard, but so did xmpp or many others before.
xmpp is still alive and is still an open standard
exactly, but are people using it outside of proprietary apps like whatsapp? not really that much.
no use in being open if in practice its still controlled by monopolistic corporations.
i could use chrome or android as an example too. are there people using custom roms or forks and exercising their openness? yeah, but not that much either.
Bitwarden let’s you sync your passkeys between devices. And you can also unlock your vault with one stored on a physical security key.
i refuse to give my phone my thumbprint or do a face unlock. i’m not sure if it’s still collecting a biometric bullshit on my face, but i have not done it myself. I’m a luddite here and i insist on it so no one (especially no one trying to violate the united states 4th amendment) can get into my phone without my permission or hacking into it.
Then get a Yubikey. Replace “something you are” with “something you have”. It’s not ideal to have two somethings you have as your two factors, but a password to get into the computer to get to the passkey adds an extra layer that makes me comfortable with it.
In the context of this discussion, it’s one of two factors. But I agree with you when it’s the only factor.
Ooh-la-la, someone’s gonna get laid in college.
Edit: This is a joking reference from a Rick and Morty episode (S02E06).
You forgot, you descended into the lemmy-verse powering your car where the concept of Rick and Morty humor is not appreciated and often not tolerated.
;)
WUBBU-LUBBA-DUB-DUB!!!
i don’t get what this has to do with college, or getting laid at all but sure.
Oh, I’m sorry. It’s a reference to a Rick and Morty episode. I thought that’s what you were referring to.
ha, the episode where they have a mini universe powering their car.