HackerTrans
TopNewTrendsCommentsPastAskShowJobs

snagg

no profile record

Submissions

Harnesses and post-training close the open-weight bug-finding gap

vincenzoiozzo.com
3 points·by snagg·2 ay önce·0 comments

The AlphaGo moment for vulnerability research?

vincenzoiozzo.com
2 points·by snagg·3 ay önce·0 comments

Deepfake Impersonation Attacks (Part 1): Anatomy of Modern Deepfakes

slashid.com
1 points·by snagg·4 ay önce·0 comments

Protecting third-party credentials: Credential Tokenzation

slashid.com
2 points·by snagg·2 yıl önce·0 comments

Secure API and M2M Access with OAuth2 Client Credentials

slashid.com
2 points·by snagg·2 yıl önce·0 comments

Building a globally distributed Identity Platform

slashid.com
3 points·by snagg·2 yıl önce·0 comments

Passkeys Adoption Trends: Survey from Large Deployments

slashid.com
1 points·by snagg·2 yıl önce·0 comments

Single Sign-On Implementation: Security Issues and Best Practices

slashid.com
2 points·by snagg·3 yıl önce·0 comments

Exploiting Undocumented API to Regenerate Google Service Cookies

cloudsek.com
47 points·by snagg·3 yıl önce·7 comments

GPT in 500 Lines of SQL

explainextended.com
5 points·by snagg·3 yıl önce·0 comments

Firebase Authentication User Enumeration Bug

slashid.com
4 points·by snagg·3 yıl önce·1 comments

Show HN: OpenAPI OAuth 2.0 scopes enforcement for APIs

github.com
7 points·by snagg·3 yıl önce·0 comments

OAuth 2.0 Scopes enforcement on APIs

slashid.dev
2 points·by snagg·3 yıl önce·0 comments

Rate Limiting for Large-Scale, Distributed Applications Using GCRA

slashid.dev
5 points·by snagg·3 yıl önce·0 comments

To Schnorr and Beyond

blog.cryptographyengineering.com
2 points·by snagg·3 yıl önce·0 comments

Context-Aware Authentication

slashid.dev
2 points·by snagg·3 yıl önce·0 comments

On the Future of Cloud Services and BYOC

jack-vanlightly.com
2 points·by snagg·3 yıl önce·0 comments

Back End Authentication and Authorization Patterns

slashid.dev
1 points·by snagg·3 yıl önce·0 comments

Getting RCE in Chrome with incorrect side effect in the JIT compiler

github.blog
1 points·by snagg·3 yıl önce·0 comments

NSA, FBI, and CISA Release Cybersecurity Information Sheet on Deepfake Threats

cisa.gov
167 points·by snagg·3 yıl önce·179 comments

comments

snagg
·2 yıl önce·discuss
Hey,

Co-founder of SlashID here (one of the companies mentioned above). I think we have exactly what you are looking for:

https://www.slashid.dev/blog/anonymous-users/

https://developer.slashid.dev/docs/access/concepts/anonymous...

Hit me up if you want to chat more: [email protected]
snagg
·3 yıl önce·discuss
Worth noting that implementing FIDO2/Passkeys is more challenging than it looks both from a UX standpoint and from a threat modeling standpoint. We tried to cover some of this in a blog post, in case anybody is interested: https://www.slashid.dev/blog/passkeys-security-implementatio...
snagg
·3 yıl önce·discuss
We are big proponent of app-layer encryption as well. We wrote extensively about how we do it for our specific use case: https://www.slashid.dev/blog/app-layer-encryption/
snagg
·3 yıl önce·discuss
Hi,

sorry for the late reply, just saw this. Do you mean to have certain pages public while others are private?

If so, yes. You can make login optional (using the slashID.forceLogin parameter. See here: https://github.com/slashid/docusaurus-slashid-login/blob/mai...) and restrict certain pages to only logged-in users. You can also use user groups/roles to further segment access to pages (https://www.slashid.dev/blog/groups-react/).

To get the slashID.orgID parameter for the theme you can sign-up here: https://console.slashid.dev/signup

If you send me an email at [email protected] and we can add you to our Slack in case you have any issues with it.
snagg
·3 yıl önce·discuss
The short answer is that it's non standard and it depends on where the passkeys are stored. To be precise, the original WebAuthn standard did not account for a recovery mechanism at all and instead recommended adding multiple credentials to an account.

Practically if the passkeys are stored in your iCloud Keychain, they are automatically synced across your Apple devices and the recovery mechanism is the recovery mechanism for iCloud.

Similar consideration for Google/Chrome and other password managers.

We wrote a relatively long blogpost about this + implementation and threat modeling considerations in case it's interesting: https://www.slashid.dev/blog/passkeys-security-implementatio...
snagg
·3 yıl önce·discuss
We spent some time putting together a threat-model and taxonomy of attacks paths for Passkeys in case anybody is interested: https://www.slashid.dev/blog/passkeys-security-implementatio...

Passkeys are definitely a leap forward in that we are shifting the bulk of the account takeover risk from the end users using weak passwords or clicking on phishing links to: 1) The server side implementation, including any mechanism for account recovery and support for multiple passkeys/auth factors

2) The browser enforcement checks (eg: this is what Chrome does: https://www.slashid.dev/blog/webauthn-antiphishing/)

3) The wallet/keychain/password manager holding the keys (there's a lot of variance here in terms of security guarantees, see recent password managers breaches. We wrote a bit about how Apple does it: https://www.slashid.dev/blog/passkeys-deepdive/#the-technica...)

4) The authenticator itself (again, lots of variance here)

All of which are harder to compromise vs the average end-user.

There are still scenarios where the end-user could be targeted/tricked but they are fewer and harder to pull off (to name some: malware stealing the private keys and account takeovers on the password manager).
snagg
·3 yıl önce·discuss
This is an area with the specs contrast with the vendors.

The WebAuthn specs recommends to register multiple passkeys/credentials per device and assume that once a credential is lost it might not be recoverable.

Apple and other vendors using keychains/wallets are effectively offering the option to delegate the recovery of the passkey to the recovery of the account with them (eg: the iCloud account).

In case it is of interest, we wrote a long blogpost on the topic: https://www.slashid.dev/blog/passkeys-security-implementatio...
snagg
·3 yıl önce·discuss
Hi,

I'm the author of the SlashID blogpost. You are right, the WebAuthn standard doesn't provide any guarantees on the authenticator storage security hence passkeys (and WebAuthn creds) can be stored in anything that speaks CTAP2.

We wrote a follow-up blogpost talking about the threat model in which we touch on the above: https://www.slashid.dev/blog/passkeys-security-implementatio...
snagg
·3 yıl önce·discuss
Hi,

I'm the author of the blogpost. You are spot on, Passkeys are exportable so the private key ends up both on iCloud and the Enclave/authenticator.

My understanding is that there's chatter about cross-vendor synchronization of passkeys but nothing concrete yet.

Meanwhile Apple allows people to share Passkeys via AirDrop (Settings > Passwords - select the passkey you want and click the "Share" icon to send it over Airdrop) so it should be possible with some effort to obtain the private key with something like this: https://github.com/seemoo-lab/opendrop. Haven't done extensive testing yet though, so I can't confirm.

Would love to hear if anybody knows more about how the sharing via AirDrop is implemented/protected.
snagg
·3 yıl önce·discuss
Thank you! 100% agree - realistically, given their scale, the tradeoff made sense. The UI would have been fairly un-intuitive for users had they left the option to do both device-bound keys and passkeys.
snagg
·3 yıl önce·discuss
Happy to chat more about it if you'd like!
snagg
·3 yıl önce·discuss
We wrote a long post on Passkeys, in particular how they are implemented by Apple[0] that might be interesting.

Technically a Passkey is just a multi-device FIDO credential that is compatible with WebAuthn (which is an official W3C and FIDO spec).

However, vendors implementations of Passkeys/FIDO credentials differ quite widely. The Apple implementation of Passkeys, as an example, doesn't provide attestation information which reduces the ability to do device verification. Similarly, even though it's not technically part of Passkeys, Apple removed the possibility to create device-bound WebAuthn keys which significantly weakens the security guarantees you'd normally get with WebAuthn.

[0]https://www.slashid.dev/blog/passkeys-deepdive/