HackerTrans
TopNewTrendsCommentsPastAskShowJobs

timmyc123

no profile record

Submissions

[untitled]

1 points·by timmyc123·3 เดือนที่ผ่านมา·0 comments

Please, please, please stop using passkeys for encrypting user data

blog.timcappalli.me
14 points·by timmyc123·5 เดือนที่ผ่านมา·11 comments

comments

timmyc123
·3 เดือนที่ผ่านมา·discuss
We’re building an interactive resource to demystify passkeys for both the general public and more technical users.

We’re aggregating questions to ensure our FAQ and interactive guides cover "how do I use this?" type questions from non-technical users as well as the real-world edge cases that more technical people care about.

Some prompts:

• What questions do you get from friends and family?

• What are the biggest hurdles you've faced when using them?

• What are your technical "how does this actually work"-type questions?

We’d love your input. Any and all feedback is welcome!

Please submit your questions via this form: https://forms.gle/wmaydkzmUp2eKfJG7
timmyc123
·4 เดือนที่ผ่านมา·discuss
> The essay has a condescending attitude towards the normie computer user who can't possibly be expected to know, but it's precisely the normie computer user who would never get the stupid idea of "cleaning up" their passkeys in the first place -- that's something only a nerd with a neurotic attitude to their computer would do.

Thanks for the feedback. That certainly wasn't the intention. It was more about the average user not remembering specific details about their passkeys. Which I do stand by. If you have some suggested text to help clarify that, happy to update the post.
timmyc123
·4 เดือนที่ผ่านมา·discuss
You can use any credential manager you choose. It is an open ecosystem. If you don't want to use a cloud service, don't. You can self-host many credential managers. There are also many solutions that just use a local database.
timmyc123
·4 เดือนที่ผ่านมา·discuss
Hey

I'm the guy you're talking about. Always easy to crap on people when you selectively quote what they said. The core pieces you left out are:

> I don't quite understand why requiring file protection/encryption can't be a temporary minimum bar here.

> or at a minimum require file protection/encryption.

If you think helping users to be safe online (which includes putting basic safeguards in place, like not leaving hundreds of unencrypted private keys on someone's desktop or downloads folder in plain text) isn't an important part of designing solutions for global scale, then we think about things very differently.
timmyc123
·4 เดือนที่ผ่านมา·discuss
> Too bad the spec is stupid and requires password managers to be identifiable so servers can deny the "insecure ones".

There is no requirement that credential managers identify themselves. Please stop spreading misinformation.
timmyc123
·5 เดือนที่ผ่านมา·discuss
Not sure what you mean. In most cases, passkeys sync across your devices.
timmyc123
·7 เดือนที่ผ่านมา·discuss
> stored on a YubiKey/Secure Enclave/TPM and that was what made them resident.

Stored in an authenticator/credential manager in general, not specific to a security key, secure enclave, or TPM.
timmyc123
·7 เดือนที่ผ่านมา·discuss
Not really. The attestation model defined for workforce (enterprise) credential managers/authenticators doesn't really work in practice for consumer credential managers.
timmyc123
·7 เดือนที่ผ่านมา·discuss
A passkey is a discoverable credential (aka resident key) in spec terminology. But the type of credential has no relationship to attestation (which is not used in the consumer passkey ecosystem).
timmyc123
·7 เดือนที่ผ่านมา·discuss
The dialog provided by the browser or OS usually tells you where the passkey is saved.
timmyc123
·7 เดือนที่ผ่านมา·discuss
Copy and paste in clear text? Yes, I don't think that's a good idea. Download to disk in clear text? Yes, I don't think that's a good idea.

Years and years of security incidents with consumer data show that this is a really bad idea.

At minimum, a credential manager distributed for wide use should encrypt exported/copied keys with a user selected secret or user generated key.
timmyc123
·7 เดือนที่ผ่านมา·discuss
If a website were to attempt to do this, you (or your credential manager) could simply change the AAGUID to match another credential manager.
timmyc123
·7 เดือนที่ผ่านมา·discuss
Attestation is not used in the consumer passkey ecosystem.
timmyc123
·7 เดือนที่ผ่านมา·discuss
Hi, Tim Cappalli here.

Not sure how stating that my (an individual) opinions on a topic are evolving is interpreted as "threatened the KeypassXC developers".

If you've been following along, you'll have seen that I am actually one of the biggest advocates of the open passkey ecosystem, and have been working really hard to make sure all credential managers have a level playing field.

Always happy to chat directly if you have concerns!
timmyc123
·7 เดือนที่ผ่านมา·discuss
This is one of the core use cases for why FIDO Cross-Device Authentication was created. To be able to use a passkey to sign in on a shared device, a device you don't control, or a device where you just need temporary access to something.
timmyc123
·7 เดือนที่ผ่านมา·discuss
> it’s discouraged

Why do you say that? There are billions of synced passkeys being used by users with some of the largest sites and services in the world.
timmyc123
·7 เดือนที่ผ่านมา·discuss
Not exactly. For example, the default credential manager on Android is Google Password Manager, which works on Windows, macOS, iOS, and Ubuntu. There are also dozens of other third party choices.
timmyc123
·7 เดือนที่ผ่านมา·discuss
I used the technical name for the capability, but you've likely run into it before.

If there is no passkey on the local device, a QR code will appear which you can scan with your phone or tablet, and use the passkey for the account from that device. It just kind of happens, typically without the user having to do anything special.

I will say though, corporate devices can be a bit of a wildcard as they are usually configured and locked down for a specific purpose. But the cross-device flow is generally not blocked by organizations.
timmyc123
·7 เดือนที่ผ่านมา·discuss
Unclear how this quoted comment relates to what I was replying to (which was about exporting / backing up your credentials).

But I'll respond.

> Will I always be able to use any credential manager of my choice? Any naturally also includes software that I might have written myself. And would you be in support of an ecosystem where RPs might block my implementation based on my AAGUID?

If a website were to block your custom software's AAGUID for some reason, you can change your AAGUID.

AAGUIDs in the consumer passkey ecosystem are used to name your credential manager in account settings so you remember where you saved your passkey.
timmyc123
·7 เดือนที่ผ่านมา·discuss
You're quoting the first post of a long discussion, where the importance of protecting your data on disk was highlighted, and a proposal was made that at minimum, the default should be encrypting the backup with a user selected secret or key.

> But I want to use Apple Passwords.

You're choosing to use an app that doesn't meet your needs, when there are numerous apps out there that do meet your needs. I'm not sure how anyone is supposed to solve that for you.