Passkeys

Do you use them?

  1. 4 weeks ago
    Anonymous

    yep i do, passwords are flawed and i hope i never have to type, remember, or use a shitty password manager again

    • 4 weeks ago
      Anonymous

      How the frick would you use passkeys without a manager?

      • 4 weeks ago
        Anonymous

        >How the frick would you use passkeys without a manager?
        You remember the private key in your head.

        Simple as.

        • 4 weeks ago
          Anonymous

          >the private key
          >the
          see

    • 4 weeks ago
      Anonymous

      Passwords are protected under the 5th amendment. Passkeys and biometrics aren't.

      • 4 weeks ago
        Anonymous

        i'm not american and i don't care

  2. 4 weeks ago
    Anonymous

    Of course not

  3. 4 weeks ago
    Anonymous

    i still honestly have no clue what passkeys are

    • 4 weeks ago
      Anonymous

      Like an ssh key for your web browser but tied to your device

      • 4 weeks ago
        Anonymous

        >Tied
        So what happens when your device is stolen and shattered into a trillion pieces by the people you oppress?

        • 4 weeks ago
          Anonymous

          Better have some glue on you, homie.

        • 4 weeks ago
          Anonymous

          I've not seen any implementation without forcing a recovery backup, so that means if you have no recovery AND lose your device, you're fricked. Remember to practice proper backups of recovery things

        • 4 weeks ago
          Anonymous

          The same thing that happens when you lose your password, you reset it.

        • 4 weeks ago
          Anonymous

          generally the organizations pushing for this all have some kind of cloud-synced password backup system (Google, Apple, 1Password)

          https://i.imgur.com/4McZYy8.png

          Do you use them?

          no, I don't see what the benefit is over 60+-character password + one-time password (the 2FA kind of thing)

          • 4 weeks ago
            Anonymous

            Passkeys are meant as a convenience alternative to a normal username and password. It means once you log in on a trusted device / account you don't ever have to log in again because it's an authentication method that cannot be hijacked.

          • 4 weeks ago
            Anonymous

            >Passkeys are meant as a convenience alternative to a normal username and password. It means once you log in on a trusted device / account you don't ever have to log in again because it's an authentication method that cannot be hijacked.
            NTA okay but what happens when said trusted device fails? And what's the point if multiple devices can be registered?

          • 4 weeks ago
            Anonymous

            What happens when you delete your password database? Same shit. Have a backup login method.

          • 4 weeks ago
            Anonymous

            >Passkeys are meant as a convenience alternative to a normal username and password. It means once you log in on a trusted device / account you don't ever have to log in again because it's an authentication method that cannot be hijacked.
            NTA okay but what happens when said trusted device fails? And what's the point if multiple devices can be registered?

            Also NTA, but what makes you think I want anyone who is handling my device to have access to every single account on that device?
            If I have a niece coming over that wants to play roblox on my computer I don't mind. But now I have to be paranoid because she can log into my paypal for robux? Not that she would, just a scenario.

          • 4 weeks ago
            Anonymous

            Passkeys require a pin or biometric authentication for every login.

          • 4 weeks ago
            Anonymous

            wrong

          • 4 weeks ago
            Anonymous

            What are any of you on about, the way passkeys were described was as an SSO in an SSH formfactor.
            SSO = single sign on
            that means if I've signed into any website, then all the other websites that use passkeys are also logged in.
            And as other people have said in the thread, you cannot use different passkeys for different websites, and anyways what would even be the point then? my password manager has 20+ character randomized passwords and is self hosted.

            >homosexual homosexual Black person Black person
            I have 1 main computer. I don't mind sharing it because my shit is password protected. Passkeys are SSOs for all passkey'd accounts. I wasn't sure if thats how it works, because that sounds utterly moronic, and thats why i asked the scenario you moronic Black person homosexual.

          • 4 weeks ago
            Anonymous

            you couldn't be more wrong, its kind of impressive

          • 4 weeks ago
            Anonymous

            Sign out of your password manager dumb dumb.

          • 4 weeks ago
            Anonymous

            >I have to be paranoid because she can log into my paypal for robux?
            Question isn't whether she would, question is whether you inadvertently executed a script and/or have a keylogger running.

          • 4 weeks ago
            Anonymous

            What you have is a shared device, you homosexual. What if your niece opens your web browser and sees all your Black person porn? At a certain point you choose whether it's a private device or shared device. Passkeys are for keeping you logged in forever except they can't be hijacked because there's no session. You wouldn't use them on a shared device.

          • 4 weeks ago
            Anonymous

            >because there's no session
            false, after the passkey handshake it's just a regular old symmetric encryption https connection with a session cookie.
            asymmetrical encryption on every request is too computationally expensive

          • 4 weeks ago
            Anonymous

            >cannot be hijacked
            It absolutely can be hijacked. Just take the device while it's unlocked. Or some eventual bug in tpm/attestation hw.

          • 4 weeks ago
            Anonymous

            >bro just be robbed while your device is unlocked
            I'll take my chances

        • 4 weeks ago
          Anonymous

          Ideally websites would let you associate more than one passkey with your account. Few websites allow it unfortunately.

          • 4 weeks ago
            Anonymous

            >Few websites allow it
            so practically it's the same old "reusing same password on every site" but the breach responsibility is on the users side? why not generate a new key-pair for every login

          • 4 weeks ago
            Anonymous

            >How the frick would you use passkeys without a manager?
            You remember the private key in your head.

            Simple as.

            Are you being moronic on purpose?

          • 4 weeks ago
            Anonymous

            Meant for

            >the private key
            >the
            see [...]

        • 4 weeks ago
          Anonymous

          you download the backup from icloud

      • 4 weeks ago
        Anonymous

        https://i.imgur.com/4McZYy8.png

        Do you use them?

        Why not just use an ssh key, then.

        • 4 weeks ago
          Anonymous

          because that requires manually encrypting the proof of work that gets sent, plus it's too complicated for normalgays. same thing with the windows 11 TPM shenanigans, it's just an ssh key, but automated and managed for you

          • 4 weeks ago
            Anonymous

            if I saw a "your device supports passkeys" message like that, I'd start looking into what I have to deselect in my kernel configuration to make it not support that.

            >but automated and managed for you
            this is exactly why I don't want it. Computers break so eventually one day I'm going to need to know how the magic works and what's really going on. With a conventional password there is no magic, I just have some text strings, and they have to be unique and unguessable. That's simple and easy, and I'll never have to dig into obscure "where does my device/browser/etc store cryptographic material and how can I extract it/change it/etc" bullshit.

          • 4 weeks ago
            Anonymous

            Passkeys are an alternative way to log in, they're not meant to be the only way.

          • 4 weeks ago
            Anonymous

            That is not what big tech wants.
            They are pushing this as the replacement for passwords

          • 4 weeks ago
            Anonymous

            I don't give a frick what you think they want, the technology doesn't work that way.

          • 4 weeks ago
            Anonymous

            good, I hope they succeed
            t. KeepAss chad

    • 4 weeks ago
      Anonymous

      It’s a password that you aren’t allowed to type in. Your browser, password manager, OS has to type it for you.

      It’s trash.

    • 4 weeks ago
      Anonymous

      It locks your online accounts to a hardware device. If you lose the device, it's damaged or no longer can communicate then you can't access or recover anything. It also allows a state actor to pull your key using the hardware backdoors in all processors that can take the key from a device that is turned off but is still connected to power.

      • 4 weeks ago
        Anonymous

        >It locks your online accounts to a hardware device. If you lose the device, it's damaged or no longer can communicate then you can't access or recover anything.
        You can export, synchronise and save passkeys on password managers, even user controlled ones.
        They are not airgapped on the device in which they were created.

        >It also allows a state actor to pull your key using the hardware backdoors in all processors that can take the key from an device that is turned off but is still connected to power.
        Schizo moron, they don't need your device access to get information that is stored outside your device, they simply ask the online platforms. And if what you said were true, it would apply to normal passwords too.

        • 4 weeks ago
          Anonymous

          moron shill, you conveniently don't mention how you can't export passkeys in Chrome or Safari, which is what normies will use, not your (actually insecure, it doesn't have most of the benefits you talk about) moronic 3rd party password manager

          • 4 weeks ago
            Anonymous

            >bro you can't export your "remember me" cookies
            Passkeys are a per device remember me that can't be hijacked, nothing more. It's such a moronic thing to want to export. Passkeys do NOT replace a username and password. They replace autocompleting passwords.

  4. 4 weeks ago
    Anonymous

    Probably not until forced to or the attestation/portability situation somehow improves, or at least matures to a point where it's clear it's over and it won't get better, as it seems to be at least a WIP/early days. All I can do is hope that no sites I use require attestation, but I'm pretty fricking cynical at this point considering other areas like safetynet/play integrity on android or the prior WEI push.
    I wish the standard was as simple as "SSH keys for the web", because that would be genuinely cool.

  5. 4 weeks ago
    Anonymous

    so long as it’s not used to keep you leashed to a big tech account, like using keepassxc’s implementation.

    • 4 weeks ago
      Anonymous

      explain?

  6. 4 weeks ago
    Anonymous

    For low value, everyday use, blending in with plebs? Yes why not? Anything personal, dox, high value? Frick no!

  7. 4 weeks ago
    Anonymous

    Never. israelites will not trick me.

  8. 4 weeks ago
    Anonymous

    >a password replacement that validates your identity using [...] password, or a pin
    mental illness

    • 4 weeks ago
      Anonymous

      >passkey cannot be phished
      Basically you are immune to phishing and shit unless you give someone your password database and master password.

  9. 4 weeks ago
    Anonymous

    Transvestites really think I'm going to sell off MY personal data for their shitty testosteroneless ballskey

    • 4 weeks ago
      Anonymous

      >everything i don't understand is a botnet
      go to /x/ at this point

  10. 4 weeks ago
    Anonymous

    I do but with a yubikey. Not attaching that shit to a phone or on-device tpm.

  11. 4 weeks ago
    Anonymous

    https://github.com/keepassxreboot/keepassxc/issues/10407

    • 4 weeks ago
      Anonymous

      Imagine using Our Passkeys

    • 4 weeks ago
      Anonymous

      sometimes I assume people are just being anti-change but jesus christ the khazars are really playing hardball with this

    • 4 weeks ago
      Anonymous

      There are a few weird issues surrounding them at the moment, mainly related to import/export between different authenticators. See
      The general impression I get is that they're an improvement for the average normie (and for the IT depts who manage said normies), but technically knowledgeable people are probably better off sticking with passwords for now.

  12. 4 weeks ago
    Anonymous

    glowBlack person ploy. they can compel you to hand over a dongle or provide your finger print or face scan, but the 5th amendment means they can't compel you to tell them a password.

  13. 4 weeks ago
    Anonymous

    It's so much more "complicated" than passwords are for the average user.
    + the current implementation allows all the separate device and browser makers to use passkey storage as a vendor/ecosystem lock-in mechanism.

    Think about it, if you've stored all your passkey login credentials in Apple's keychain, you literally cannot sign into anything from outside the Apple ecosystem.

    The only device/ecosystem agnostic way to store passkeys is to store them in a 3rd-party password manager... But then it's literally no better or more secure than passwords+2FA

    • 4 weeks ago
      Anonymous

      >But then its literally no better or more secure than passwords+2FA
      they are still phishing resistant, whereas TOTP isn't

    • 4 weeks ago
      Anonymous

      It appals me how even the 'technically inclined' folk cannot wrap their mind around passkeys. I read the Google report on how most users find it difficult to understand and use passkeys, even the types who self describe as 'computer nerds' but I'm just hoping that you guys are pretending to be moronic and not actually 80 IQ. You can add multiple passkeys to a single account, meaning, had you ever used it, you would have the option to log into the same account not only from passkeys stored at the platform level (android, ios, windows, macos) you can also use third party password managers (bitwarden, 1password).

      • 4 weeks ago
        Anonymous

        >You can add multiple passkeys to a single account
        This is completely implementation dependent, sites have to explicitly go out of their way to allow this.

        • 4 weeks ago
          Anonymous

          Any examples where a website only allows a single passkey? In my experience, I could add multiple passkeys to my account on websites that have passkey support, although I haven't really tested the upper limit on the passkeys you can add to each account.

          • 4 weeks ago
            Anonymous

            My point wasn't that you can only add one, it's that it's a completely implementation dependent feature.
            The sites have to add that feature voluntarily, the same way that they COULD allow you to have multiple account passwords (but that would obviously be moronic).

            The second point being what this anon said:

            You're ignoring the fact that in a world where traditional passwords are entirely phased out, there would be literally no way to "sign-in" on a second (android) device if your first registration and account signup was done on your iPhone.

            The method of assigning multiple passkeys only works in the current environment because every single website that supports passkeys still also supports underlying account email+password combinations.
            That means you can always switch to a different device, use your email+password to authenticate yourself, and then register the device's passkey for future logins from that same device.

            If the venerable email+password authentication combo is ever removed, you literally can't prove your identity from a new device.

            You literally cannot add multiple device-stored passkeys to an account without having another method of authentication to prove your identity from the other device first.

      • 4 weeks ago
        Anonymous

        You're ignoring the fact that in a world where traditional passwords are entirely phased out, there would be literally no way to "sign-in" on a second (android) device if your first registration and account signup was done on your iPhone.

        The method of assigning multiple passkeys only works in the current environment because every single website that supports passkeys still also supports underlying account email+password combinations.
        That means you can always switch to a different device, use your email+password to authenticate yourself, and then register the device's passkey for future logins from that same device.

        If the venerable email+password authentication combo is ever removed, you literally can't prove your identity from a new device.

        • 4 weeks ago
          Anonymous

          That's a limitation of the Android implementation of passkeys, not the limitation of passkeys themselves. I have passkeys stored on my iOS and Android devices, and I tried to log into one of my accounts using the passkeys on the other platform. iOS has no issues presenting the QR code that you can scan on the Android to log in, while the other way around doesn't work at all because the Android implementation assumes the passkey lives on the platform keychain already, and completely disregards the possibility that the user might be migrating OR logging in from the Apple ecosystem. This is completely Google's fault, they didn't properly implement passkey support. So you're sort of right but not for the reason you think. But:

          A possible work around for now
          Log into your account on a desktop using your iOS device. Then, register a new passkey on your account, using your Android as the passkey holder. Then you can use the platform keychain on your Android to log in whenever you want, this is something you have to do only once.

          • 4 weeks ago
            Anonymous

            >Log into your account on a desktop using your iOS device. Then, register a new passkey on your account, using your Android as the passkey holder. Then you can use the platform keychain on your Android to log in whenever you want, this is something you have to do only once.
            This is clown car moronic and workarounds like this being used for something as simple as a password is absurd.
            Implementation details matter and if one of the giant providers out the gate totally fricks it up, then it's trash, DoA trash.

          • 4 weeks ago
            Anonymous

            >registering a passkey on the platform keychain just once and then pressing the fingerprint reader / looking at face scan when prompted
            is harder than
            >registering a password on a password manager
            >authenticating to the password manager each time you want to log in to a website
            >searching for that specific login information
            >copying the password
            >going back to the app you want to log in
            >pasting it in
            >now going into the totp app and copying your one time password
            >going back to the main app to paste your totp code
            for what reason exactly? the second authentication flow is much more tedious and still manages to be less secure at the same time.

        • 4 weeks ago
          Anonymous

          >you literally can't prove your identity from a new device.
          You can add a new device and be challenged on the new device, Microsoft, RIGHT NOW, allows passwordless login and multiple passkeys

          • 4 weeks ago
            Anonymous

            From another microsoft device?

      • 4 weeks ago
        Anonymous

        Export mechanisms are not being written, deliberately so, meaning vendor lock-in is the plan.
        If I can't host it myself, then it's a no-go.

        >But then its literally no better or more secure than passwords+2FA
        they are still phishing resistant, whereas TOTP isn't

        >muh phishing
        Phishing being a possibility is less important a concern than megacorps taking over all forms of auth in a fundamentally user-hostile manner.

        • 4 weeks ago
          Anonymous

          >megacorps taking over all forms of auth in a fundamentally user-hostile manner.
          Keepass is not a megacorp

          • 4 weeks ago
            Anonymous

            the idea is that gayMAN might blacklist keepassxc down the line, but in practice that's very difficult because keepassxc can trivially pretend to be whatever

          • 4 weeks ago
            Anonymous

            the MS dev in the keepassxc github issue link in this thread threatens to blacklist the use of keepass through his position on the passkey steering committee because it isn't sufficiently anti-user for his vision of what passkeys are.

            >registering a passkey on the platform keychain just once and then pressing the fingerprint reader / looking at face scan when prompted
            is harder than
            >registering a password on a password manager
            >authenticating to the password manager each time you want to log in to a website
            >searching for that specific login information
            >copying the password
            >going back to the app you want to log in
            >pasting it in
            >now going into the totp app and copying your one time password
            >going back to the main app to paste your totp code
            for what reason exactly? the second authentication flow is much more tedious and still manages to be less secure at the same time.

            Ease of use isn't the argument you think it is.
            I've used keepassxc for years and have never found it to be tedious or difficult.

          • 4 weeks ago
            Anonymous

            Bitwarden is also not a mega corp, also
            >MS dev
            who?

          • 4 weeks ago
            Anonymous

            >bitwarden
            fair enough, but unless I can control / export passkeys and store them however I want, I consider the tech to be fundamentally user-hostile.

            https://github.com/keepassxreboot/keepassxc/issues/10407
            Tim Cappalli.
            Read the thread, it'll give you a great idea of why this stuff bothers me so much.

          • 4 weeks ago
            Anonymous

            I read the thread, he's basically saying to the KeepassXC devs that they should require at least a PIN before relaying WebAuthn attestation to the attester, the website you're logging in to in this case. Imho, he seems a bit moronic and I personally wouldn't mind if he took a beating for being such a homosexual in behavior, but it's also important not to reduce passkey security to basically copypasting passwords from a text file on your desktop, which makes sense.

          • 4 weeks ago
            Anonymous

            they're at Okta (le fricking mao), not MS

      • 4 weeks ago
        Anonymous

        >You can add multiple passkeys to a single account
        Awesome, now I can give the website statistics on exactly which manager I'm using to log in at any given time. It's not enough to let them fingerprint my browser (at least legitimate vendors TRY to pretend they're not doing that), but now I gotta let them trivially cross-reference which key I'm using to log in at any given time.

        [...]

        >You can use any provider, even open source ones.
        Until they implement TPM attestation and block KeepAss for allowing users to own their cryptographic material.

        • 4 weeks ago
          Anonymous

          >Awesome, now I can give the website statistics on exactly which manager I'm using to log in at any given time. It's not enough to let them fingerprint my browser (at least legitimate vendors TRY to pretend they're not doing that), but now I gotta let them trivially cross-reference which key I'm using to log in at any given time.
          Why are you bothered about your browser fingerprint and potential key-tracking, when you will just let track you through your account?

          • 4 weeks ago
            Anonymous

            *let them

          • 4 weeks ago
            Anonymous

            Because it's none of their business what external software I have on which machines when I'm logging in to their website. At best they should know the browser I'm using (because besides UA masking, there's tons of easy ways to tell the difference, even outside of outright fingerprinting), otherwise they shouldn't have any more info than "new session" vs. "existing session".

          • 4 weeks ago
            Anonymous

            Omg can you people stop being such morons?
            If a company is going to actually track you through your password manager then they will also extensively track you through your account and vice versa, but the data they will get from your password manager is minuscule compared to everything else.
            Stop using their service at all if you care about your privacy you fricking shithead.

    • 4 weeks ago
      Anonymous

      this isn't true. depending on the service there are multiple options for sign in. password+authenticator app for desktop and passkey for phone is what I use. I find passkeys convenient.

  14. 4 weeks ago
    Anonymous

    instead of making more moron-proof authentication schemes have they tried making less moronic people

    • 4 weeks ago
      Anonymous

      progressive policy would like to have a word with you

  15. 4 weeks ago
    Anonymous

    No, because it becomes an auth system that I cannot control.
    Don't you remember the flurry of threads after some MS dev shit his britches about keepassxc exporting the contents of the passkey to the user?

  16. 4 weeks ago
    Anonymous

    I use a yubikey. It's expensive, and I had to buy multiple for backups, but they're excellent. I feel extremely secure while also enjoying the convenience of just tapping a button after using my password manager.
    The fact that the yubikey locks up my password manager itself makes me beyond comfy. I don't even think about what I'd do if I was hacked bc every critical account is protected by a physical yubikey. good luck hacker known as IQfy.

    • 4 weeks ago
      Anonymous

      Is no one else using Yubikeys? What are your issues with them, besides price of course? They seem to me to have the highest security and the highest convenience. What's the downside exactly

      How do you handle backups or losing the device?

    • 4 weeks ago
      Anonymous

      would a yubikey plus bitlocker be enough to keep the three letter agencies out?

      • 4 weeks ago
        Anonymous

        I’m pretty sure they could compel the production of the Yubikey. If you unlock your phone with biometrics the US has ruled its within the police’s rights to force you to unlock it because your fingerprints aren’t speech, whereas the password or pin is. Making you turn over a physical device would be even simpler. If you microwave or shred the key though you’d be fine.

  17. 4 weeks ago
    Anonymous

    passkey? nah, i'll pass

  18. 4 weeks ago
    Anonymous

    yes it's fun having a hardware security key and then using stupid simple passwords for online accounts

    also there's a pam module for u2f keys, so you can put sudo behind a fido key, also you can encrypt drives using them, pass them over ssh...etc

  19. 4 weeks ago
    Anonymous

    I use this:
    username = base36(tuplehash(31, masterpassword, domain))
    password = z85(tuplehash(128, masterpassword, domain, username))
    keypair = ed25519(tuplehash(256, masterpassword, "ed25519", identity))
    tuplehash(output_bits, t_1, ..., t_n) = shake128(t_1 || length(t_1) || ... || t_n || length(t_n) || n || output_bits)

    Using this scheme you can derive all your passwords and secret keys (ssh, pgp, etc.) from a single master password in a secure way.

    • 4 weeks ago
      Anonymous

      trolling is against the rules

      • 4 weeks ago
        Anonymous

        I'm not trolling though

        • 4 weeks ago
          Anonymous

          how do you handle per-service password length/composition requirements, services with multiple domains, tlds hosting multiple distinct services on different subdomains, tld changes and proper storage of non-password keys?

          • 4 weeks ago
            Anonymous

            >per-service password length/composition requirements
            hasn't been a problem yet
            >services with multiple domains
            I just use the canonical domain
            >tlds hosting multiple distinct services on different subdomains
            just use the name of the service instead of the domain
            >tld changes
            hasn't been a problem yet
            >proper storage of non-password keys
            Do you mean ssh/pgp keys? I have a nitrokey.

  20. 4 weeks ago
    Anonymous

    yes, they work really well

  21. 4 weeks ago
    Anonymous

    Is no one else using Yubikeys? What are your issues with them, besides price of course? They seem to me to have the highest security and the highest convenience. What's the downside exactly

    • 4 weeks ago
      Anonymous

      >no backups allowed
      >just buy multiple yubikeys and associate all your accounts with all your yubikeys :^)
      epic

      • 4 weeks ago
        Anonymous

        [...]
        How do you handle backups or losing the device?

        You need to buy multiple Yubikeys and set them all up with each service. Then you should store one off-site and have 2 on-site. Also you can put a simple password on the key itself which I do.

        Yes, it's expensive, but it seems the most convenient and secure

        • 4 weeks ago
          Anonymous

          Yubikeys seem nice, I always wanted to get one of these but with the industry wide passkey rollout, I'm having a hard time justifying the price of at least 3 yubikeys. Maybe I'll use them for ssh in the future? Also maybe if I ever become a maintainer of a npm/pip package?

          • 4 weeks ago
            Anonymous

            In my opinion it's worth every penny. I have crypto on exchanges secured by the yubikey. I also have expensive domains on Namecheap protected by the Yubikeys. It's just too comfy

            I love Akari so much it's unreal

            Based

        • 4 weeks ago
          Anonymous

          I love Akari so much it's unreal

  22. 4 weeks ago
    Anonymous

    Yes and it's not some vendor lock in thing like I first imagined when I saw it (well it is if you use Apple or Google password manager).
    I use proton pass which works on any device with passkeys and also lets me export them if I want to switch. And the passkey itself is just a catchier term for a public/private key pair to get tech illiterates to use it, so it's a lot better than a password

  23. 4 weeks ago
    Anonymous

    IDGAF just let me log in

  24. 4 weeks ago
    Anonymous

    [...]

    >Passkeys are always unique (unlike passwords) and are not prone to phishing because they are tied to a specific website or app, your browser or your device will not send and will never prompt you to send your real site passkey to a phishing site because the URLs are different.
    not really seeing the advantage here. any decent password manager will generate sufficiently randomized passwords and will have some kind of phishing protection to make sure you're putting your password into google.com and not googIe.com (although i guess passkeys would be more moron proof in this regard). i guess it would be more secure in case of a server breach since only your public key gets leaked, though?

    also, wouldn't 2FA still be a worthwhile additional layer of security?

    • 4 weeks ago
      Anonymous

      >not really seeing the advantage here. any decent password manager will generate sufficiently randomized passwords and will have some kind of phishing protection to make sure you're putting your password into google.com and not googIe.com (although i guess passkeys would be more moron proof in this regard).
      The point of passkeys is that they cannot be manually typed into forms, thus the secret value never enters the user space. If the user has no control over the secret, it can be handled by the passkey manager or by the OS in a secure way.

      >i guess it would be more secure in case of a server breach since only your public key gets leaked, though?
      Yes, but only if the site didn't hash and salt the passwords, which is always really bad.

      >also, wouldn't 2FA still be a worthwhile additional layer of security?
      There is no need for additional 2FA because passkeys already have that baked in. Users need something that they know (their device pin/biometrics/password) and something that they have (their device with the passkeys stored in secure context), these are already 2 factors.
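To make the origin binding discussed in this exchange concrete, here is an added toy model in Go; it is not code from this thread or from any passkey implementation. The authenticator only signs for an origin that falls inside the credential's rpId, and the site checks the origin carried in the signed clientData, which is why a look-alike domain never gets a usable assertion. The rpId values, the constructed challenge and the `Authenticator`/`OriginMatches`/`Assert`/`Verify` names are this example's own; real WebAuthn additionally signs an authenticatorData blob (rpId hash, flags, counter), which is left out here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"net/url"
	"strings"
)

// Authenticator models the passkey store (phone, key or manager); private keys are indexed by rpId and never leave it.
type Authenticator map[string]ed25519.PrivateKey

// clientData mirrors WebAuthn's collectedClientData: the browser records the origin it is really on, and it gets signed.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Register creates a key pair scoped to rpId; the site stores only the public half.
func (a Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a[rpID] = priv
	return pub
}

// OriginMatches is the browser-side scope check: host must be the rpId or a subdomain, so "examp1e.com" never matches "example.com".
func OriginMatches(origin, rpID string) bool {
	u, err := url.Parse(origin)
	return err == nil && u.Scheme == "https" && (u.Hostname() == rpID || strings.HasSuffix(u.Hostname(), "."+rpID))
}

// Assert signs the challenge for the origin the browser is on; an out-of-scope origin gets nothing and no prompt.
func (a Authenticator) Assert(origin, rpID, challenge string) (cd, sig []byte, ok bool) {
	if !OriginMatches(origin, rpID) || a[rpID] == nil {
		return nil, nil, false
	}
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	return cd, ed25519.Sign(a[rpID], cd), true
}

// Verify is the relying party's check: clientData must carry its origin and its challenge, and the signature must verify.
func Verify(pub ed25519.PublicKey, origin, challenge string, cd, sig []byte) bool {
	var got clientData
	if json.Unmarshal(cd, &got) != nil || got.Origin != origin || got.Challenge != challenge {
		return false
	}
	return ed25519.Verify(pub, cd, sig)
}
```

The server side stores nothing but the public key, so a breach of that table yields nothing reusable, which is the "only your public key gets leaked" point from the question above.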

      • 4 weeks ago
        Anonymous

        >and something that they have (their device with the passkeys stored in secure context), these are already 2 factors.
        That's not that different from a password manager database though, and yet nobody considers password-manager-managed passwords to be 2FA just because "you need to know your master password" and "you need to have your DB".

        • 4 weeks ago
          Anonymous

          you're correct, each "factor" needs to be an input to the party authorization is requested from

          • 4 weeks ago
            Anonymous

            I can't figure out what you're agreeing or disagreeing with

  25. 4 weeks ago
    Anonymous

    Passkeys are just a way to make morons use password managers.

  26. 4 weeks ago
    Anonymous

    >yubikeys are shit and limited to like 25 creds and have no good story for reliable cloning
    >I know, we'll make a new standard that allows us to force goyim to use our hardware attestation and cloud backed garbage instead!

    Frick off. I won't fall for attestation bullshit. Yubikeys were a meme, this is a slightly less moronic one, but still just a trap to force you to kneel to a non governmental organization.

    • 4 weeks ago
      Anonymous

      passkeys is just a handshake protocol to encrypt some data with a private+public key pair anon, it works fine on a local password manager like keepass. unless you also think an ssh key is vendor lock-in somehow

      • 4 weeks ago
        Anonymous

        Ya ok moron. Tell me again when the passkey groups start blacklisting all foss, self-hosted ones.

        • 4 weeks ago
          Anonymous

          >a protocol blacklisting an implementation
          lol, lmao even

        • 4 weeks ago
          Anonymous

          Why would anyone go through all the hassle with their self-hosted freetard password manager only to use it for unfree services?

      • 4 weeks ago
        Anonymous

        Also ssh key auth and their shitty cert auth is lock-in. It's inferior to X.509 and while it's FOSS, it's still a custom NIH format and auth scheme. Why yes, I enjoy keeping my CA cert unlocked to sign every single host/client if I want certificate based auth. These moronic OpenBSD clowns still haven't fixed this.

    • 4 weeks ago
      Anonymous

      I only use mine as a PGP smartcard for SSH and for 2FA where supported because SMS is not secure and I’m more likely to lose or break my phone than the key. Yubikeys aren’t useful for hardware attestation as far as I’m aware, they’re just smart cards with a few extra features, not USB TPMs, and the inability to clone them is intentional, the private keys never leave the device itself. You can load private keys to them though, and that lets you clone them if you keep the private key stored somewhere else.

  27. 4 weeks ago
    Anonymous

    I actively refuse to use them and would rather have to jump through three 2fa calls every time than use it.

  28. 4 weeks ago
    Anonymous

    pass, the standard unix password manager, is all you need

    • 4 weeks ago
      Anonymous

      A fellow passbro, pass is just so good.

    • 4 weeks ago
      Anonymous

      A fellow passbro, pass is just so good.

      Uhm no
      https://rot256.dev/post/pass/

  29. 4 weeks ago
    Anonymous

    no

    they are worthless until the day everyone has a computer brain implant with ~100% reliability

  30. 4 weeks ago
    Anonymous

    >Do you use them?
    No. Never will.

  31. 4 weeks ago
    Anonymous

    Yes, I have buried the password for passkeys that contains a master key, for another passkeys for all my passwords.

  32. 4 weeks ago
    Anonymous

    >Anons here are unironically shilling against glorified ssh keys.
    Just store your passkeys in keepassxc if you are that paranoid and call it a day.

    • 4 weeks ago
      Anonymous

      It's bad because it has a chance of being mainstream.
      t. Linoox installer turbo power yuuuuza

  33. 4 weeks ago
    Anonymous

    Frick no. I'm not tying my logins to a device.

    • 4 weeks ago
      Anonymous

      Do you have a Yubikey?
      Do you have a banking card?
      Then you have your logins tied to a device already.
      I swear you people are fricking stupid.

      • 4 weeks ago
        Anonymous

        > Tuniken
        No, I use pass and pass-otp for all my logins.
        GPG and SSH keys for everything else.
        > banking card
        Kinda. We have an EC Card here in Germany. No number, I do direct transfers via web interface instead.
        There is also PayPal if I need to pay outside EU.
        Additionally, when I can, I pay with monero, because frick banks with their moronic TAN requirements.
        > you have logins tied to a device
        Which one?

        • 4 weeks ago
          Anonymous

          >Anti tech moron is a german
          Ja moin

          • 4 weeks ago
            Anonymous

            Servus.
            > anti tech
            Care to elaborate how my solution isn't technological?
            What I'm strictly against is Big Tech. Already self host everything I can and moving to GrapheneOS or SailfishOS soon.

          • 4 weeks ago
            Anonymous

            >Anons here are unironically shilling against glorified ssh keys.
            Just store your passkeys in keepassxc if you are that paranoid and call it a day.

          • 4 weeks ago
            Anonymous

            > just change a password manager
            > first GitHub issue in this thread talks about how it can be "excluded" due to being too open source and not corporate enough
            Yeah, put a cage on my dock as well, why the frick not.

          • 4 weeks ago
            Anonymous

            >first GitHub issue in this thread talks about how it can be "excluded" due to being too open source and not corporate enough
            Literally not how it works lol

          • 4 weeks ago
            Anonymous

            According to the guy on GitHub and the devs, it is.

          • 4 weeks ago
            Anonymous

            >Once certification and attestation goes live, there will be a minimum functional and security bar for providers.
            https://github.com/keepassxreboot/keepassxc/issues/10406#issuecomment-1994313373

  34. 4 weeks ago
    Anonymous

    >it's not a password, it's a key file with a password!!
    "tongue shoe bonding wrist photography"
    You're fricking welcome.
    Frick I hate people.

    • 4 weeks ago
      Anonymous

      >it's a key file with a password!!
      moron

      • 4 weeks ago
        Anonymous

        >Unlike a password, a passkey relies on a string of encrypted data stored in your phone or laptop
        KEY FILE, FRICKTARD
        >and verification from you, through a face scan, a fingerprint scan or a PIN code
        PASSWORD, FRICKTARD.

  35. 4 weeks ago
    Anonymous

    >handing out your personal biometrics to the israelites
    LMAO

  36. 4 weeks ago
    Anonymous

    Is passage (a fork of pass that uses age under the hood) safe to use? It doesn't require you to enter a password, unlike with pass, which seems insecure. Maybe I can encrypt the store using something like tomb

  37. 4 weeks ago
    Anonymous

    No, I use passphrases, a different one per service.
