If a person logged in with #digitalid on the #ato site to do a #tax return, that person cannot then log in with a #passkey, as it is deemed downgrading #security.
#PassKey question. If you use a managed Chrome profile (aka corporate IT managed), can IT view your saved passwords/passkeys? Searching only says Yes and No, so I'm asking you folks who know better than randos. Thanks...
Calling upon #Python developers. Have you implemented #Passkey authentication without using third-party services?
I'm trying to find some good reference material but all seem to include usage of third-party services for managing the authentication...
... but I want full "ownership" of the authentication stack before deciding to ship that to someone else. One of the most critical components is not something I feel entirely comfortable handing off to someone else.
So... anyone got something to share? I have come across this:
https://pypi.org/project/webauthn/
That seems to give me the server/backend stuff. If you have experience building the frontend/UX components using #Reflex then I would be even more excited to hear from you!
I love #PocketID, a lightweight #selfhosted #OIDC using only #Passkey.
After using it for several months with an LXC installation using Proxmox Helper Scripts, I noticed that the service runs as root. I also learned that a VM installation is more secure than an LXC. This article will guide you through installing Pocket-ID as a non-root service on Debian. Additionally, there's an upgrade script included.
#Proxmox #debian #selfhosting #homelab #openID #passkeys #SSO
https://www.lucasjanin.com/2025/06/02/pocket-id-bare-metal-installation-on-debian
@BleepingComputer : unless the verifying server thoroughly checks the domain name of the server the user authenticated to, this could put users of passkeys at risk of phishing attacks.
See https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580 why.
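The post above makes the point that a relying party must check which origin and RP ID an assertion was actually produced for. The following Python is an added illustration of that server-side check, not code from the post, from BleepingComputer, or from the py_webauthn package; it uses only the standard library, and the function and sample names (`verify_assertion_binding`, `make_client_data`, `make_authenticator_data`, the `login.example` host) are assumptions for the example. It deliberately stops at the binding checks; signature verification against the stored public key still has to follow.

```python
import base64
import hashlib
import json
import struct


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url (the encoding WebAuthn uses on the wire)."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Bit 0 of the authenticator-data flags byte: user presence (UP).
FLAG_USER_PRESENT = 0x01


def verify_assertion_binding(client_data_json_b64: str, authenticator_data: bytes,
                             expected_origin: str, expected_rp_id: str,
                             expected_challenge: str) -> bool:
    """Check that a webauthn.get response is bound to *our* origin, RP ID and challenge.

    Raises ValueError on any mismatch. Verifying the signature with the stored
    public key (over authenticator_data || sha256(clientDataJSON)) is still the
    caller's job; this function only proves the response was not produced for
    some other site.
    """
    client_data = json.loads(b64url_decode(client_data_json_b64))

    if client_data.get("type") != "webauthn.get":
        raise ValueError("unexpected ceremony type")
    if client_data.get("challenge") != expected_challenge:
        raise ValueError("challenge mismatch (possible replay)")
    # Exact string comparison: a lookalike such as https://login.example.evil.test
    # must fail here, never a prefix or substring match.
    if client_data.get("origin") != expected_origin:
        raise ValueError("origin mismatch (response was made for another site)")

    # authenticatorData = rpIdHash (32) || flags (1) || signCount (4) || ...
    if len(authenticator_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = authenticator_data[:32]
    if rp_id_hash != hashlib.sha256(expected_rp_id.encode("utf-8")).digest():
        raise ValueError("rpIdHash mismatch (credential scoped to another RP ID)")
    flags = authenticator_data[32]
    if not flags & FLAG_USER_PRESENT:
        raise ValueError("user presence flag not set")
    return True


# --- Constructed sample data for the example (not captured from a real authenticator) ---

def make_client_data(origin: str, challenge: str, ceremony_type: str = "webauthn.get") -> str:
    """Build the base64url clientDataJSON a browser would send for the given origin."""
    payload = {"type": ceremony_type, "challenge": challenge, "origin": origin}
    return b64url_encode(json.dumps(payload).encode("utf-8"))


def make_authenticator_data(rp_id: str, flags: int = 0x05, sign_count: int = 1) -> bytes:
    """Build minimal authenticatorData: sha256(rpId) || flags || big-endian signCount."""
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


if __name__ == "__main__":
    # Constructed challenge; a real server issues os.urandom(32) per ceremony and stores it.
    challenge = b64url_encode(b"\x01" * 32)
    ok = verify_assertion_binding(
        make_client_data("https://login.example", challenge),
        make_authenticator_data("login.example"),
        "https://login.example", "login.example", challenge)
    print("genuine response accepted:", ok)
    try:
        verify_assertion_binding(
            make_client_data("https://login.example.evil.test", challenge),
            make_authenticator_data("login.example.evil.test"),
            "https://login.example", "login.example", challenge)
    except ValueError as exc:
        print("lookalike origin rejected:", exc)
```

The two comparisons that matter are the exact-match on `origin` and the `rpIdHash` comparison; a server that skips either is trusting the client's word about which site the user was signing in to, which is exactly the gap the post warns about.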
I need to better understand passkeys. And I need to develop guidance that I can explain to my dad.
On that note it was cool to see Costco app prompt to create a #passkey this morning.
World Password Day: people want two-factor authentication
On World Password Day, GMX and web.de released a survey. It shows there is progress with regard to security.
Some say passkeys are clunky — this startup wants to change that
https://techcrunch.com/2025/03/11/some-say-passkeys-are-clunky-this-startup-wants-to-change-that/
@itsfoss Good so far.
On a side note, it should have added passkey support at level, shouldn't it?
#ubuntu #opensource #foss #passkey
@sarahjamielewis I would like to hear answers to that question as well. I have not tried it myself, but I'm considering #Keycloak for something like that.
I would also suggest the hashtags #passkey #webauthn and #fido to gather the attention of the right people?
If you're ready to learn the technical details, then there is a Tour of WebAuthN here: https://www.imperialviolet.org/tourofwebauthn/tourofwebauthn.html
GitHub - yackermann/awesome-webauthn: A curated list of awesome WebAuthn and Passkey resources https://github.com/yackermann/awesome-webauthn #OpenSource #WebAuthn #resource #awesome #passkey #GitHub #list
@ErikvanStraten @thedoctor @robin
We all know if possible Joan Average would opt for the “Sign in with Google” button, an important point when talking about #passkey vendor lock-in.
I use “Sign in with GitHub” too occasionally.
«Passkey technology is elegant, but it’s most definitely not usable security:
Just in time for holiday tech-support sessions, here's what to know about passkeys.»
– from @dangoodin
As always, the use of technology also involves its implementation and application. Consumers are a belief and a promise, but not a use.
NordPass has published their 2024 most common passwords list.
The list identifies the top 200 most common passwords from 44 countries.
Filter list by individual country or all countries.
Corporate passwords list.
Individual passwords list.
View password.
View time to crack password.
View number of times password was used.
I've written a new blog post taking a moderately deep dive into "Threat Modeling YubiKeys and Passkeys"
https://yawnbox.is/blog/threat-modeling-yubikeys-and-passkeys/
I greatly welcome feedback as I want to make sure I'm not misrepresenting anything. I want to make it better if it can be improved. I'm happy to be wrong, just please provide details and links!
Also, I need a job! If you like my work, maybe you know of something where I'd be a good fit.
Convenient and secure: Manage passkeys with KeePassXC - Tutorial
https://youtu.be/8p0CBE-mMYE
#linux #opensource #keepassxc #passkey #passkeys #password #passwordmanager #ITsecurity
Now with v1.8.0 I've added the ability to bypass the #passkey creation step.
https://example.stupidwebauthn.site/
Register with your email, open the link from the email, then click: "Login without passkey (with limited access)" button
Obviously you won't be able to run actions that require a double passkey check, and the auth cookie given is only valid for 24 hours instead of 1 month.
About a year ago I wrote about the inability to transfer a #Passkey from one vendor device to another was a major problem for deployment. Google has now announced they're the first of the big three to support syncing Passkeys from iPhone to Android, from MacOS to Windows -- as long as you're using Chrome, anyway. This is a major usability improvement making Passkeys far more viable - though still vendor locked.
https://www.corbado.com/blog/google-passkeys-sync-windows-macos
@jpsachse : or when your account gets pwned and the attacker does a better job proving that they are you than you - after all, *they* have access to your account - while you do not.
ANDROID PASSKEY BLACK HOLE
*Or* when you press a button "Clear data" (at the bottom of https://chrome.google.com/sync) which is accompanied by the text:
« This will clear your Chrome data that has been saved in your Google Account. This might clear some data from your devices. »
For you to subsequently find out that ALL OF YOUR PASSKEYS on (all of) your Android device(s) are IRRETRIEVABLY GONE (I reported this to Google in June 2023 and published it 6 months later in
https://seclists.org/fulldisclosure/2024/Feb/15). It's still unfixed.
WHY NO EXPORT AND NO BACKUP
W.r.t. being able to export and/or backup all private keys belonging to all of your passkeys: that's a big dilemma (depending on your POV).
The main (advertised, not taking into account a possibly desired vendor lock-in) reason is simple: if *you* have direct access to such private keys, *malware* running on your device does too.
The compromise is that they are automatically synced to your cloud account, and from there to other devices (of the same brand, provided they run an OS version that's not too old), including a new device if you brick or lose your old device.
However, if there's serious malware on your device, then, even if the malware authors cannot steal all of your passkeys (that is, their private keys), you're toast anyway; a RAT such as AnyDesk may fool you into believing that you're logging in to website A while in fact it's B, and they steal its session cookie - and pwn the web account.
SYNCING PRIVATE KEYS
BTW it's hardly being discussed, but being able to synchronize secrets between secure hardware enclaves in such a way that *you* are denied access, is quite an achievement (considering that, if you buy a new phone, the only available secrets to the transport system are your definitely weak passcode, and your, potentially weak, cloud password that may be used to encrypt the private keys in transit).
I *know* that it's complicated because I accidentally found out around June 2023 that Android can get confused: passkeys *seem* to sync just fine, but passkeys created on phone 1 do not work on phone 2 and vice versa. Somehow the phones had started using *different* encryption keys to securely synchronize them (I also mentioned that issue in my reports to Google in the summer of 2023, and I mention it in the FD (seclists.org) message).
I don't know how Apple syncs secrets in iCloud Keychain, nor whether a situation may exist where passkeys' private keys sync but are unusable (as may happen when using Android).
APPLE'S OWN PASSKEY MISERY
However, Apple has got their own bunch of problems with passkeys being usable *without* requiring biometrics or a passcode to unlock them from iCloud Keychain, see https://infosec.exchange/@ErikvanStraten/113050312014160350 and follow-up (it gets worse every time I look at it) https://infosec.exchange/@ErikvanStraten/113053761440539290 (more details in earlier toots in that thread).
In short: if you don't use biometrics to unlock your iPhone or iPad (OR you do, but you have -unlikely- disabled a specific configuration setting), then anyone with access to your iDevice in an unlocked condition (*), can sign in to:
https://appleid.apple.com
and/or
https://icloud.com
WITHOUT entering your passcode (or using biometrics).
(*) your child, spouse, someone you don't know (well) who borrows your phone to make a call (because their battery is dead), NOTABLY including a thief who stole it while you were using it (or saw you type your passcode and can unlock it themselves: https://youtu.be/QUYODQB_2wQ).
I'm not sure yet, but this may even render Apple's anti-theft system totally moot.