2025-12-17 21:05:22
»Yep, Passkeys Still Have Problems«
What is your opinion about this article? Regardless of whether from a developer's or a user's position. :BoostOK:
🤔 https://fy.blackhats.net.au/blog/2025-12-17-yep-passkeys-still-have-problems/
So I think I'll need to read up on it a bit. I understand that "Passkeys" try to do something similar as SSH pubkeys.
But do you know a good technical explainer of what's going on and how it works?
(Yes, I could search myself but I am looking for recommendations of articles you have read that you found helpful and clear.)
EDIT: https://
@…
That doesn't mean passkeys are worse, those are your words not mine. I've made no judgement call about the relative qualities of these options.
All I am saying is, it matters.
If I store all my passkeys on my Apple account only, and then get locked out tomorrow because I broke Apple's TOS, that would suck.
That's not a con…
Folks, if you are looking for sensible #Weihnachtsgeschenke for your loved ones, consider giving #FIDO2-USB-Tokens as gifts:
https://karl-voit.a…
After the recent npm attacks, really feels like the wind is in the sails of passkeys. Unphishable auth suddenly seems like a core requirement!
Currently going through providers to make sure I've got my yubikeys everywhere... Surprisingly limited options even in pure infra providers like @https://bunny.net.
I have a question about #passkeys. I haven’t changed any of my accounts over to passkeys—don’t @ me, ok—because I’m old or some such, but there’s a google account I use for a club I’m a member of. With a password, if I wanna hand over the account to someone I just give them the password. Is it that simple with a passkey? I just give them the passkey? Sounds too easy.
@…
So to reiterate this conversation:
You: Passkeys don't have problems A, B, C and D!
Me: Actually B is still a problem.
You: Yeah well, B is also a problem for passwords! And so is F and G!
Me: Yes, but B is still a problem.
You: But if I hacked the pentagon, then Z would also be a problem for passwords!
I'm not a…
@…
Disagree on one point:
You do need to worry about how the passkey is stored, lest you lose access to the credential manager that holds all your passkeys.
I know that’s a problem being worked on, I appreciate everyone involved, but let’s not pretend it’s a non-problem.
@…
WhatsApp launches passkey-encrypted backups for iOS and Android, letting users encrypt their stored message history using their face, fingerprint, or a code (Jess Weatherbed/The Verge)
https://www.theverge.com/news/809842/whatsapp-passkey-chat-backup-encryption…
Ugh why is this always the way. I evaluated like 25 authentication servers for a small scale web project — I do want to support things like OIDC and Passkeys, so this is not something I really want to make myself like the old days of “use crypt() on the passwords and just make a simple database”.
5 of them are just dev mode garbage that will never see the light of day as a thing people use.
2 of them are home network nonsense for people who want enterprise login for their family, but where One Nerd controls the whole user-list.
15 of them are freemium "open source" where they withhold features for their enterprise tier and make them so unfortunately difficult to deploy, all requiring postgresql databases and a complex containerization setup and helm charts and oh so much.
and then there's kanidm, which is great except its opinions make it completely unusable for a community project, it's really more trying to fit the ‘enterprise unix authentication’ space. Kudos to them for communicating it but it's the wrong tool, even if it is really good.
And then there's rauthy. Which is exactly what I want, well built and delightful, uses a lightweight embedded database, and even has a peer-to-peer sync for scalability. But customizing it is going to be a lesson in building it from source repeatedly, and its configuration is just a bit strange, and its frontend is extremely Backend Developer Wrote A Web UI. I guess I got a second project. And maybe a third to make debian packages of it.
Yet it really is the best of the options _by far_.
NLNet supported projects continue to punch above their weight class.
Sometimes my browser suddenly asks me, hey do you want to scan a QR code with your phone? It’s very safe! And then I say no.
That’s my experience with passkeys. I would love to try them, but I don’t get this UI around it.
Ask a SaaS product what backup solutions they use and if they store it at a different company, you get nothing, no reply.
#hanko #HankoAuth #SaaS
Please have faith in Bezos
Shame…
RE: #Proton had a similar policy and allowed only paying customers to use Passkeys and FIDO2 …
»Cybercrime — Millions of Payback accounts vulnerable:
Cybercriminals are apparently currently exploiting a weakness in Payback's security concept to steal customer data and bonus points«
The real question is: why do popular app services still not use Argon2 & Co. password hashes, still store e-mail addresses in plaintext, and still not offer e.g. 2FA / passkeys?