lingo.lol is one of the many independent Mastodon servers you can use to participate in the fediverse.
A place for linguists, philologists, and other lovers of languages.

Server stats:

67
active users

#passkey

2 posts2 participants0 posts today

Calling upon #Python developers. Have you implemented #Passkey authentication without using third-party services?

I'm trying to find some good reference material but all seem to include usage of third-party services for managing the authentication...

... but I want full "ownership" of the authentication stack before deciding to ship that to someone else. One of the most critical components is not something I feel entirely comfortable handing off to someone else.

So... anyone got something to share? I have come across this:

pypi.org/project/webauthn/

That seems to give me the server/backend stuff. If you have experience building the frontend/UX components using #Reflex then I would be even more excited to hear from you! 🙂

pypi.orgClient Challenge

I love #PocketID, a light weight #selfhosted #OIDC using only #Passkey.

After using it for several months with an LXC installation using Proxmox Helper Scripts, I noticed that the service runs as root. I also learned that a VM installation is more secure than an LXC. This article will guide you through installing Pocket-ID as a non-root service on Debian. Additionally, there's an upgrade script included.

#Proxmox #debian #selfhosting #homelab #openID #passkeys #SSO

lucasjanin.com/2025/06/02/pock

I need to better understand passkeys. And I need to develop guidance that I can explain to my dad.

On that note it was cool to see Costco app prompt to create a #passkey this morning.

Replied in thread

@sarahjamielewis I would like to hear answers to that question as well. I have not tried it myself, but I'm considering #Keycloak for something like that.

I would also suggest the hashtags #passkey #webauthn and #fido to gather the attention of the right people?

If you're ready to learn the technical details, then there is a Tour of WebAuthN here: imperialviolet.org/tourofwebau

www.imperialviolet.orgA Tour of WebAuthn

«Passkey technology is elegant, but it’s most definitely not usable security:
Just in time for holiday tech-support sessions, here's what to know about passkeys.»
– from @dangoodin

As always, the use of technology also involves its implementation and application. Consumers are a belief and a promise, but not a use.

🔓 arstechnica.com/security/2024/

Ars Technica · Passkey technology is elegant, but it’s most definitely not usable securityBy Dan Goodin
Continued thread

I've written a new blog post taking a moderately deep dive into "Threat Modeling YubiKeys and Passkeys"

yawnbox.is/blog/threat-modelin

I greatly welcome feedback as I want to make sure I'm not misrepresenting anything. I want to make it better if it can be improved. I'm happy to be wrong, just please provide details and links!

also, i need a job! if you like my work, maybe you know of something where i'd be a good fit.

yawnbox.isThreat modeling YubiKeys and passkeys

About a year ago I wrote about the inability to transfer a #Passkey from one vendor device to another was a major problem for deployment. Google has now announced they're the first of the big three to support syncing Passkeys from iPhone to Android, from MacOS to Windows -- as long as you're using Chrome, anyway. This is a major usability improvement making Passkeys far more viable - though still vendor locked.
corbado.com/blog/google-passke

www.corbado.comPasskey Revolution: Google Syncs Passkeys to Apple & Windows DevicesGoogle Password Manager now syncs passkeys across Chrome on Windows, macOS and Android, which is ground-breaking as Google solves cross-platform passkey issues.
Replied in thread

@jpsachse : or when your account gets pwned and the attacker does a better job proving that they are you than you - after all, *they* have access to your account - while you do not.

🔸 ANDROID PASSKEY BLACK HOLE
*Or* when you press a button "Clear data" (at the bottom of chrome.google.com/sync) which is accompanied by the text:

« This will clear your Chrome data that has been saved in your Google Account. This might clear some data from your devices. »

For you to subsequently find out that ALL OF YOUR PASSKEYS on (all of) your Android device(s) are IRRETRIEVABLE GONE (I reported this to Google in June 2023 and published it 6 months later in
seclists.org/fulldisclosure/20). It's still unfixed.

🔸 WHY NO EXPORT AND NO BACKUP
W.r.t. being able to export and/or backup all private keys belonging to all of your passkeys: that's a big dilemma (depending on your POV).

The main (advertised, not taking into account a possibly desired vendor lock-in) reason is simple: if *you* have direct access to such private keys, *malware* running on your device does too.

The compromise is that they are automatically synced to your cloud account, and from there to other devices (of the same brand, provided they run an OS version that's not too old), including a new device if you brick or lose your old device.

However, if there's serious malware on your device, then, even if the malware authors cannot steal all of your passkeys (that is, their private keys), then you're toast anyway; a RAT such as AnyDesk may fool you into believing that you're logging in to website A while in fact it's B and they steal it's session cookie - and pwn the webaccount.

🔸 SYNCING PRIVATE KEYS
BTW it's hardly being discussed, but being able to synchronize secrets between secure hardware enclaves in such a way that *you* are denied access, is quite an achievement (considering that, if you buy a new phone, the only available secrets to the transport system are your definitely weak passcode, and your, potentially weak, cloud password that may be used to encrypt the private keys in transit).

I *know* that it's complicated because I accidentally found out around June 2023 that Android can get confused: passkeys *seem* to sync just fine, but passkeys created on phone 1 do not work on phone 2 and vice versa. Somehow the phones had started using *different* encryption keys used to securily synchronize them (I also mentioned that issue in my reports to Google in the summer of 2023, and I mention it in the FD (seclists.org) message).

I don't know how Apple syncs secrets in iCloud keychain, and neither whether a situation may exist where passkey's private keys sync but are unusable (like may happen when using Android).

🔸 APPLE'S OWN PASSKEY MISERY
However, Apple has got their own bunch of problems with passkeys being usable *without* requiring biometrics or a passcode to unlock them from iCloud Keychain, see infosec.exchange/@ErikvanStrat and follow-up (it gets worse every time I look at it) infosec.exchange/@ErikvanStrat (more details in earlier toots in that thread).

In short: if you don't use biometrics to unlock your iPhone or iPad (OR you do, but you have -unlikely- disabled a specific configuration setting), then anyone with access to your iDevice in an unlocked condition (*), can sign in to:
appleid.apple.com
and/or
icloud.com
WITHOUT entering your passcode (or using biometrics).

(*) your child, spouse, someone you don't know (well) who borrows your phone to make a call (because their's battery is dead), NOTABLY including a thief who stole it while you were using it (or saw you type your passcode and can unlock it by themselves: youtu.be/QUYODQB_2wQ).

I'm not sure yet, but this may even render Apple's anti-theft system totally moot.

@rmondello @johnbrayton
@agl

myaccount.google.comAccount settings: Your browser is not supported.