HackerTrans
TopNewTrendsCommentsPastAskShowJobs

timmyc123

no profile record

Submissions

[untitled]

1 points·by timmyc123·3 месяца назад·0 comments

Please, please, please stop using passkeys for encrypting user data

blog.timcappalli.me
14 points·by timmyc123·5 месяцев назад·11 comments

comments

timmyc123
·3 месяца назад·discuss
We’re building an interactive resource to demystify passkeys for both the general public and more technical users.

We’re aggregating questions to ensure our FAQ and interactive guides cover "how do I use this?" type questions from non-technical users as well as the real-world edge cases that more technical people care about.

Some prompts:

• What questions do you get from friends and family?

• What are the biggest hurdles you've faced when using them?

• What are your technical "how does this actually work"-type questions?

We’d love your input. Any and all feedback is welcome!

Please submit your questions via this form: https://forms.gle/wmaydkzmUp2eKfJG7
timmyc123
·4 месяца назад·discuss
> The essay has a condescending attitude towards the normie computer user who can't possibly be expected to know, but it's precisely the normie computer user who would never get the stupid idea of "cleaning up" their passkeys in the first place -- that's something only a nerd with a neurotic attitude to their computer would do.

Thanks for the feedback. That certainly wasn't the intention. It was more about the average user not remembering specific details about their passkeys. Which I do stand by. If you have some suggested text to help clarify that, happy to update the post.
timmyc123
·4 месяца назад·discuss
You can use any credential manager you choose. It is an open ecosystem. If you don't want to use a cloud service, don't. You can self-host many credential managers. There are also many solutions that just use a local database.
timmyc123
·4 месяца назад·discuss
Hey

I'm the guy you're talking about. Always easy to crap on people when you selectively quote what they said. The core pieces you left out are:

> I don't quite understand why requiring file protection/encryption can't be a temporary minimum bar here.

> or at a minimum require file protection/encryption.

If you think helping users to be safe online (which includes putting basic safeguards in place, like not leaving hundreds of unencrypted private keys on someone's desktop or downloads folder in plain text) isn't an important part of designing solutions for global scale, then we think about things very differently.
timmyc123
·4 месяца назад·discuss
> Too bad the spec is stupid and requires password managers to be identifiable so servers can deny the "insecure ones".

There is no requirement that credential managers identify themselves. Please stop spreading misinformation.
timmyc123
·5 месяцев назад·discuss
Not sure what you mean. In most cases, passkeys sync across your devices.
timmyc123
·7 месяцев назад·discuss
> stored on a YubiKey/Secure Enclave/TPM and that was what made them resident.

Stored in an authenticator/credential manager in general, not specific to a security key, secure enclave, or TPM.
timmyc123
·7 месяцев назад·discuss
Not really. The attestation model defined for workforce (enterprise) credential managers/authenticators doesn't really work in practice for consumer credential managers.
timmyc123
·7 месяцев назад·discuss
A passkey is a discoverable credential (aka resident key) in spec terminology. But the type of credential has no relationship to attestation (which is not used in the consumer passkey ecosystem).
timmyc123
·7 месяцев назад·discuss
The dialog provided by the browser or OS usually tells you where the passkey is saved.
timmyc123
·7 месяцев назад·discuss
Copy and paste in clear text? Yes, I don't think that's a good idea. Download to disk in clear text? Yes, I don't think that's a good idea.

Years and years of security incidents with consumer data show that this is a really bad idea.

At minimum, a credential manager distributed for wide use should encrypt exported/copied keys with a user selected secret or user generated key.
timmyc123
·7 месяцев назад·discuss
If a website were to attempt to do this, you (or your credential manager) could simply change the AAGUID to match another credential manager.
timmyc123
·7 месяцев назад·discuss
Attestation is not used in the consumer passkey ecosystem.
timmyc123
·7 месяцев назад·discuss
Hi, Tim Cappalli here.

Not sure how stating that my (an individual) opinions on a topic are evolving is interpreted as "threatened the KeypassXC developers".

If you've been following along, you'll have seen that I am actually one of the biggest advocates of the open passkey ecosystem, and have been working really hard to make sure all credential managers have a level playing field.

Always happy to chat directly if you have concerns!
timmyc123
·7 месяцев назад·discuss
This is one of the core use cases for why FIDO Cross-Device Authentication was created. To be able to use a passkey to sign in on a shared device, a device you don't control, or a device where you just need temporary access to something.
timmyc123
·7 месяцев назад·discuss
> it’s discouraged

Why do you say that? There are billions of synced passkeys being used by users with some of the largest sites and services in the world.
timmyc123
·7 месяцев назад·discuss
Not exactly. For example, the default credential manager on Android is Google Password Manager, which works on Windows, macOS, iOS, and Ubuntu. There are also dozens of other third party choices.
timmyc123
·7 месяцев назад·discuss
I used the technical name for the capability, but you've likely run into it before.

If there is no passkey on the local device, a QR code will appear which you can scan with your phone or tablet, and use the passkey for the account from that device. It just kind of happens, typically without the user having to do anything special.

I will say though, corporate devices can be a bit of a wildcard as they are usually configured and locked down for a specific purpose. But the cross-device flow is generally not blocked by organizations.
timmyc123
·7 месяцев назад·discuss
Unclear how this quoted comment relates to what I was replying to (which was about exporting / backing up your credentials).

But I'll respond.

> Will I always be able to use any credential manager of my choice? Any naturally also includes software that I might have written myself. And would you be in support of an ecosystem where RPs might block my implementation based on my AAGUID?

If a website were to block your custom software's AAGUID for some reason, you can change your AAGUID.

AAGUIDs in the consumer passkey ecosystem are used to name your credential manager in account settings so you remember where you saved your passkey.
timmyc123
·7 месяцев назад·discuss
You're quoting the first post of a long discussion, where the importance of protecting your data on disk was highlighted, and a proposal was made that at minimum, the default should be encrypting the backup with a user selected secret or key.

> But I want to use Apple Passwords.

You're choosing to use an app that doesn't meet your needs, when there are numerous apps out there that do meet your needs. I'm not sure how anyone is supposed to solve that for you.