@stormii
Thanks
With that, a #Passkey really does end up in #KeepassXC, and it also works with the #Yubikey, but on the Yubikey the data does not end up where I would expect it:
$ fido2-token -L -r /dev/hidraw1
Enter PIN for /dev/hidraw1:
00: dKbqkhPJnC90siSSsyDPQCYqlMGpUKA5fyklC2CEHvA= webauthn.io
01: IteEK9B+kZFJE+tmeQE0fTb9NToEt+/PeXqSq0tlVNc= www.passkeys.io
If a person logged in with #digitalid on the #ato site to do a #tax return, the person cannot then log in with a #passkey, as it is deemed downgrading #security
#PassKey question. If you use a managed Chrome profile (aka corporate IT managed), can IT view your saved passwords/passkeys? Searching only says Yes and No, so I'm asking you folks who know better than randos. Thanks...
Calling upon #Python developers. Have you implemented #Passkey authentication without using third-party services?
I'm trying to find some good reference material but all seem to include usage of third-party services for managing the authentication...
... but I want full "ownership" of the authentication stack before deciding to ship that to someone else. One of the most critical components is not something I feel entirely comfortable handing off to someone else.
So... anyone got something to share? I have come across this:
https://pypi.org/project/webauthn/
That seems to give me the server/backend stuff. If you have experience building the frontend/UX components using #Reflex then I would be even more excited to hear from you!
I love #PocketID, a lightweight #selfhosted #OIDC using only #Passkey.
After using it for several months with an LXC installation using Proxmox Helper Scripts, I noticed that the service runs as root. I also learned that a VM installation is more secure than an LXC. This article will guide you through installing Pocket-ID as a non-root service on Debian. Additionally, there's an upgrade script included.
#Proxmox #debian #selfhosting #homelab #openID #passkeys #SSO
https://www.lucasjanin.com/2025/06/02/pocket-id-bare-metal-installation-on-debian
@BleepingComputer: unless the verifying server thoroughly checks the domain name of the server the user authenticated to, this could put users of passkeys at risk of phishing attacks.
See https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580 for why.
I need to better understand passkeys. And I need to develop guidance that I can explain to my dad.
On that note it was cool to see Costco app prompt to create a #passkey this morning.
World Password Day: People want two-factor authentication
On World Password Day, GMX and web.de published a survey. It shows that there is progress with regard to security.
Some say passkeys are clunky — this startup wants to change that
https://techcrunch.com/2025/03/11/some-say-passkeys-are-clunky-this-startup-wants-to-change-that/
@itsfoss Good so far.
On a side note it should have added passkey support at level, shouldn't it?
#ubuntu #opensource #foss #passkey
@sarahjamielewis I would like to hear answers to that question as well. I have not tried it myself, but I'm considering #Keycloak for something like that.
I would also suggest the hashtags #passkey #webauthn and #fido to gather the attention of the right people?
If you're ready to learn the technical details, then there is a Tour of WebAuthN here: https://www.imperialviolet.org/tourofwebauthn/tourofwebauthn.html
GitHub - yackermann/awesome-webauthn: A curated list of awesome WebAuthn and Passkey resources https://github.com/yackermann/awesome-webauthn #OpenSource #WebAuthn #resource #awesome #passkey #GitHub #list
@ErikvanStraten @thedoctor @robin
We all know if possible Joan Average would opt for the “Sign in with Google” button, an important point when talking about #passkey vendor lock-in.
I use “Sign in with GitHub” too occasionally.
«Passkey technology is elegant, but it’s most definitely not usable security:
Just in time for holiday tech-support sessions, here's what to know about passkeys.»
– from @dangoodin
As always, the use of technology also involves its implementation and application. Consumers are a belief and a promise, but not a use.
NordPass has published their 2024 most common passwords list.
The list identifies the top 200 most common passwords from 44 countries.
Filter list by individual country or all countries.
Corporate passwords list.
Individual passwords list.
View password.
View time to crack password.
View amount of times password was used.
I've written a new blog post taking a moderately deep dive into "Threat Modeling YubiKeys and Passkeys"
https://yawnbox.is/blog/threat-modeling-yubikeys-and-passkeys/
I greatly welcome feedback as I want to make sure I'm not misrepresenting anything. I want to make it better if it can be improved. I'm happy to be wrong, just please provide details and links!
also, i need a job! if you like my work, maybe you know of something where i'd be a good fit.
Convenient and secure: Manage passkeys with KeePassXC - Tutorial
https://youtu.be/8p0CBE-mMYE
#linux #opensource #keepassxc #passkey #passkeys #password #passwordmanager #ITsecurity
Now with v1.8.0 I've added the ability to bypass the #passkey creation step.
https://example.stupidwebauthn.site/
Register with your email, open the link from the email, then click: "Login without passkey (with limited access)" button
Obviously you won't be able to run actions that require a double passkey check, and the auth cookie given is only valid for 24 hours instead of 1 month.