med-mastodon.com is one of the many independent Mastodon servers you can use to participate in the fediverse.
#passkeys

5 posts, 5 participants, 0 posts today
Marcel SIneM(S)US<p><a href="https://social.tchncs.de/tags/Apple" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Apple</span></a> :apple_inc: extends Passwords app support to Windows | Mac &amp; i <a href="https://www.heise.de/news/Apple-erweitert-Passwoerter-App-Unterstuetzung-fuer-Windows-10483159.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">heise.de/news/Apple-erweitert-</span><span class="invisible">Passwoerter-App-Unterstuetzung-fuer-Windows-10483159.html</span></a> <a href="https://social.tchncs.de/tags/password" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>password</span></a> <a href="https://social.tchncs.de/tags/passwords" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passwords</span></a> <a href="https://social.tchncs.de/tags/Passwortmanager" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passwortmanager</span></a> <a href="https://social.tchncs.de/tags/PasswordManager" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordManager</span></a> <a href="https://social.tchncs.de/tags/Passkey" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passkey</span></a> <a href="https://social.tchncs.de/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passkeys</span></a></p>
Seth G.<p><span class="h-card" translate="no"><a href="https://mastodon.online/@cryptomator" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>cryptomator</span></a></span> Credential management was a particularly fun one to figure out: the best way to secure those.</p><p>I am using Proton Pass, since they have cloud-synced <a href="https://chaos.social/tags/passkey" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passkey</span></a> support, but their export only supports .json. To make it easy, I import the .json into <span class="h-card" translate="no"><a href="https://fosstodon.org/@keepassxc" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>keepassxc</span></a></span> to make a <a href="https://chaos.social/tags/KeePass" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KeePass</span></a> vault, so even if the service goes down, I can still open my creds on desktop or <a href="https://chaos.social/tags/KeePassDX" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KeePassDX</span></a>. KeePass vaults are also widely-supported for import into other cloud credential managers.</p><p><a href="https://chaos.social/tags/passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passkeys</span></a></p>
Steve Dustcircle 🌹<p>How <a href="https://masto.ai/tags/passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passkeys</span></a> work: Let's start the <a href="https://masto.ai/tags/passkey" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passkey</span></a> registration process </p><p><a href="https://www.zdnet.com/article/how-passkeys-work-lets-start-the-passkey-registration-process/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">zdnet.com/article/how-passkeys</span><span class="invisible">-work-lets-start-the-passkey-registration-process/</span></a></p>
StanceOfMind<p>Microsoft has said that it's ending support for passwords in its Authenticator app starting August 1, 2025.</p><p><a href="https://thehackernews.com/2025/07/microsoft-removes-password-management.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">thehackernews.com/2025/07/micr</span><span class="invisible">osoft-removes-password-management.html</span></a> <a href="https://tech.lgbt/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Microsoft</span></a> <a href="https://tech.lgbt/tags/Authenticator" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authenticator</span></a> <a href="https://tech.lgbt/tags/Passcodes" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passcodes</span></a> <a href="https://tech.lgbt/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passkeys</span></a> <a href="https://tech.lgbt/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Security</span></a> <a href="https://tech.lgbt/tags/Tech" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Tech</span></a></p>
Stefan :veritrek:<p>This is great! Waiting for <a href="https://social.stefanberger.net/tags/strongbox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>strongbox</span></a> to adapt the new <a href="https://social.stefanberger.net/tags/passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passkeys</span></a> APIs. <a href="https://hachyderm.io/@rmondello/114813337794341023" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">hachyderm.io/@rmondello/114813</span><span class="invisible">337794341023</span></a></p>
Cliff<p>Not really surprised to see this. </p><p>Microsoft Authenticator is ending support for passwords.</p><p><a href="https://www.theverge.com/news/695288/microsoft-authenticator-autofill-store-passwords" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">theverge.com/news/695288/micro</span><span class="invisible">soft-authenticator-autofill-store-passwords</span></a></p><p><a href="https://infosec.exchange/tags/MS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MS</span></a> <a href="https://infosec.exchange/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Microsoft</span></a> <a href="https://infosec.exchange/tags/Authenticator" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authenticator</span></a> <a href="https://infosec.exchange/tags/Password" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Password</span></a> <a href="https://infosec.exchange/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passkeys</span></a> <a href="https://infosec.exchange/tags/Apps" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Apps</span></a> <a href="https://infosec.exchange/tags/News" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>News</span></a> <a href="https://infosec.exchange/tags/Tech" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Tech</span></a> <a href="https://infosec.exchange/tags/TechNews" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TechNews</span></a></p>
Ian Brown 👨🏻‍💻<p>As requested from several directions, I tried to update my expert profile on the EU's experts website, since <span class="h-card" translate="no"><a href="https://social.ngi.eu/@ngi" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>ngi</span></a></span> is looking for more reviewers. But as usual, the horror of the EC's own login system (WHY!) struck again (<a href="https://eupolicy.social/tags/ECAS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ECAS</span></a>).</p><p>WHY DOESN'T IT USE STANDARD WEB TECHNOLOGIES LIKE <a href="https://eupolicy.social/tags/PASSKEYS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PASSKEYS</span></a>!!</p><p>I STILL CAN'T ACTIVATE 2FA AND I HAVE THE EU LOGIN APP SET UP ON MY IPHONE!</p><p>GAAAAAAAAAAAAAH! 🤯</p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@relishthecracker" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>relishthecracker</span></a></span> : that's make-believe.</p><p>"Wow, asymmetric encryption, even quantum-computer-proof", "military-grade", etcetera.</p><p>Right after logging in using a passkey with an unbreakably protected private key, the website sends a session cookie (or similar) to the browser - which is NOT protected like private keys. If a website (like most of them) does not log you out if your IP address changes, such a cookie is nearly as bad as a password. And fully so if the cookie never expires.</p><p>Therefore:</p><p>1️⃣ Even if attackers cannot copy private keys: if the user device is sufficiently compromised (i.e. on Android, running an accessibility service), they can take over all of the user's accounts;</p><p>2️⃣ If the user's browser is compromised, attackers can copy session cookies and use them to obtain access to accounts the user logs in to;</p><p>3️⃣ An AitM (Attacker in the Middle) using a malicious website can copy/steal authentication cookies. Such AitM attacks are possible in at least the following cases:</p><p>• A malicious third-party website manages to obtain a fraudulently issued certificate (examples: <a href="https://infosec.exchange/@ErikvanStraten/112914050216821746" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/112914050216821746</span></a>);</p><p>• An attacker obtains unauthorised write access to the website's DNS record;</p><p>• An attacker manages to obtain access to a server where a "dangling" (forgotten) subdomain name points to, *AND* the real authenticating server (RP) does not carefully check for allowed subdomains (see <a href="https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/w3ctag/design-revie</span><span class="invisible">ws/issues/97#issuecomment-175766580</span></a>);</p><p>4️⃣ The server is compromised or has a rogue admin: the attacker can add their passkey's public key to your account, or replace your public key with theirs (note that passkey pubkeys are not encapsulated by certificates issued by trusted issuers, stating who owns the public key).</p><p>Phishing using fake websites is probably the number one problem on the internet. *THE* major advantage of passkeys is that they make phishing attacks VERY HARD.</p><p>Indeed, if your device is sufficiently compromised, the risk of all of your passwords being stolen if you use a password manager is BIG.</p><p>However, as I wrote, if your device is sufficiently compromised, an attacker does not need access to your private keys in order to obtain access to your accounts.</p><p><span class="h-card" translate="no"><a href="https://sigmoid.social/@oliversampson" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>oliversampson</span></a></span> <span class="h-card" translate="no"><a href="https://cathode.church/@kaye" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>kaye</span></a></span> </p><p><a href="https://infosec.exchange/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passkeys</span></a> <a href="https://infosec.exchange/tags/PasswordManagers" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordManagers</span></a> <a href="https://infosec.exchange/tags/DomainNames" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DomainNames</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/Cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Cryptography</span></a> <a href="https://infosec.exchange/tags/MilitaryGrade" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MilitaryGrade</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FakeWebsites</span></a> <a href="https://infosec.exchange/tags/ATO" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ATO</span></a> <a href="https://infosec.exchange/tags/AccountTakeOver" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AccountTakeOver</span></a> <a href="https://infosec.exchange/tags/Passwords" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passwords</span></a> <a href="https://infosec.exchange/tags/SharedSecrets" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SharedSecrets</span></a> <a href="https://infosec.exchange/tags/AsymmetricCryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AsymmetricCryptography</span></a> <a href="https://infosec.exchange/tags/SubDomains" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SubDomains</span></a> <a href="https://infosec.exchange/tags/DanglingSubDomains" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DanglingSubDomains</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://sigmoid.social/@oliversampson" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>oliversampson</span></a></span> <span class="h-card" translate="no"><a href="https://cathode.church/@kaye" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>kaye</span></a></span> </p><p>Primary passkey advantage:<br>• With some uncommon exceptions, you cannot (be persuaded to) log in to a phishing website with a (slightly) different domain name *USING A PASSKEY* (see below) - because software (not you) checks the domain name.</p><p>Some passkey disadvantages:<br>• Typically you yourself do not have access to each passkey's private key (*) (usually you can't back them up/export them). Risks: vendor lock-in and losing access to accounts.</p><p>• Because there's a risk of losing access to passkeys and thus to accounts, usually accounts can also be accessed using a rescue code - which renders them phishable again.</p><p>• Implementation errors (both Apple and Android suffered from them, and probably still do - I did not check today).</p><p>(*) For each new passkey, your device generates a unique complementary keypair. The public key is stored in your account on the server and is used to verify that your device has access to the complementary private key, which is kept secret. However, even if attackers do not have access to your private key(s), there are other ways for them to obtain access to your account(s).</p><p>A reasonable alternative to passkeys is using a password manager that "integrates" with the browser to verify the domain name of the site you're logging in to. Android and iOS "Autofill" provide such a bridge between password managers and browsers (without requiring browser plug-ins).</p><p><a href="https://infosec.exchange/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passkeys</span></a> <a href="https://infosec.exchange/tags/PasswordManagers" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordManagers</span></a> <a href="https://infosec.exchange/tags/DomainNames" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DomainNames</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MitM</span></a></p>
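The domain-name check that both of Erik van Straten's posts above turn on ("software, not you, checks the domain name", and the RP that "does not carefully check for allowed subdomains"), shown from the relying party's side as an added example that is not code from any post here. A browser on any host under example.com may request RP ID "example.com", so the rpIdHash in authenticatorData is the same for the real login page and for a forgotten subdomain; only an exact allowlist of origins tells them apart. RP_ID, ALLOWED_ORIGINS, the "old-test.example.com" host and the challenge bytes are assumed/constructed values; signature verification is a separate step not shown.

```python
import base64
import hashlib
import json
import secrets
import struct

# Assumed values for this example: the RP ID and the exact origins the
# relying party accepts assertions from.
RP_ID = "example.com"
ALLOWED_ORIGINS = frozenset({"https://example.com", "https://login.example.com"})


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, as used in clientDataJSON."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def origin_allowed_strict(origin: str) -> bool:
    """Exact allowlist match: the check a careful RP performs."""
    return origin in ALLOWED_ORIGINS


def origin_allowed_suffix(origin: str) -> bool:
    """Naive suffix match: accepts any host under the RP ID, including a
    forgotten subdomain that now points at a server the RP does not control."""
    host = origin.removeprefix("https://")
    return host == RP_ID or host.endswith("." + RP_ID)


def verify_binding(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                   origin_ok=origin_allowed_strict) -> tuple[bool, str]:
    """Check that an assertion is bound to our challenge, origin and RP ID.
    The signature over auth_data || SHA-256(clientDataJSON) is verified separately."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not secrets.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    origin = cd.get("origin", "")
    if not origin_ok(origin):
        return False, f"origin not allowed: {origin}"
    if len(auth_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        return False, "authenticatorData too short"
    if not secrets.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash does not match RP ID"
    if not auth_data[32] & 0x01:  # UP flag: user presence confirmed
        return False, "user presence flag not set"
    return True, "bound to expected challenge, origin and RP ID"


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON as a browser builds it for webauthn.get."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id: str, flags: int = 0x01, sign_count: int = 1) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def demo() -> dict[str, bool]:
    """Same authenticatorData for the real login page and a taken-over
    subdomain; only the origin policy decides what gets accepted."""
    challenge = b"\x01" * 32  # constructed; a real RP draws this from secrets.token_bytes
    auth = make_auth_data(RP_ID)
    legit = make_client_data("https://login.example.com", challenge)
    dangling = make_client_data("https://old-test.example.com", challenge)  # constructed host
    return {
        "strict_legit": verify_binding(legit, auth, challenge)[0],
        "strict_dangling": verify_binding(dangling, auth, challenge)[0],
        "suffix_dangling": verify_binding(dangling, auth, challenge, origin_allowed_suffix)[0],
        "replayed_challenge": verify_binding(legit, auth, b"\x02" * 32)[0],
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```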
FKA ZOG<p>Interesting <a href="https://jauntygoat.net/tags/passkey" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passkey</span></a> <a href="https://jauntygoat.net/tags/passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passkeys</span></a> stuff to keep an eye on.</p><p>There currently seems to be very limited support for passkeys on the end-user side in Linux, i.e. completely open source solutions.</p><p>Here are two related interesting projects, one that uses ssh keys as passkeys:</p><p><a href="https://github.com/bulwarkid/ssh-passkey" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/bulwarkid/ssh-passk</span><span class="invisible">ey</span></a></p><p>and another that creates a virtual FIDO USB device:</p><p><a href="https://github.com/bulwarkid/virtual-fido" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/bulwarkid/virtual-f</span><span class="invisible">ido</span></a></p><p>These are related to a Linux passkey GUI manager that seems to have not seen much development for quite a few years:</p><p><a href="https://bulwark.id/" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="">bulwark.id/</span><span class="invisible"></span></a></p><p>I don't know if these are stable enough to use, but interesting anyway - given the rapid movement in this space I'd expect passkey-related software to have more activity.</p><p><a href="https://bulwark.id/blog/problem-with-passkeys" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">bulwark.id/blog/problem-with-p</span><span class="invisible">asskeys</span></a></p>
Karl Voit :emacs: :orgmode:<p><span class="h-card" translate="no"><a href="https://social.bund.de/@bsi" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>bsi</span></a></span> Nitpicking: with <a href="https://graz.social/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passkeys</span></a> in particular, there is the possibility of giving other people access via the cloud. So with passkeys you have to pay close attention to whom you have granted rights.</p><p>So in such cases passkeys are unfortunately also susceptible to <a href="https://graz.social/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishing</span></a> (the attacker pretends to be a friend).</p><p>But still better than almost all other authentication methods. 👍 Only HW tokens with <a href="https://graz.social/tags/FIDO2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FIDO2</span></a> are better, since they store the private keys in a way that cannot be read out.</p>
Oliver Sampson<p><span class="h-card" translate="no"><a href="https://cathode.church/@kaye" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>kaye</span></a></span> I completely agree and instinctively refused using <a href="https://sigmoid.social/tags/passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passkeys</span></a> without even thinking why.</p>
Karsten Schmidt<p><span class="h-card" translate="no"><a href="https://mastodon.gamedev.place/@jonikorpi" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>jonikorpi</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.gamedev.place/@aeva" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>aeva</span></a></span> There are quite a few well-documented usability and vendor/platform lock-in issues with <a href="https://mastodon.thi.ng/tags/passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passkeys</span></a> though, some not immediately obvious to most users. I too still remain unconvinced they're an improvement over using an x-platform password manager...</p><p><a href="https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">arstechnica.com/security/2024/</span><span class="invisible">12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/</span></a></p><p><a href="https://proton.me/blog/big-tech-passkey" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">proton.me/blog/big-tech-passke</span><span class="invisible">y</span></a></p>
Seth G.<p><span class="h-card" translate="no"><a href="https://mastodon.social/@protonprivacy" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>protonprivacy</span></a></span> 's <a href="https://chaos.social/tags/ProtonPass" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ProtonPass</span></a> is the only European cross-platform <a href="https://chaos.social/tags/passkey" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passkey</span></a> manager I've found, and I love it. </p><p><a href="https://chaos.social/tags/passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passkeys</span></a> <a href="https://chaos.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://chaos.social/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://chaos.social/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://chaos.social/tags/privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>privacy</span></a></p>
By-Tor<p>Are passkeys ready for primetime? Here is my little experiment (blog post about it) <br><a href="https://itsbytor.wordpress.com/2025/06/30/%f0%9f%97%9d%ef%b8%8f-the-passkey-experiment-one-mans-journey-through-the-passwordless-frontier/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">itsbytor.wordpress.com/2025/06</span><span class="invisible">/30/%f0%9f%97%9d%ef%b8%8f-the-passkey-experiment-one-mans-journey-through-the-passwordless-frontier/</span></a></p><p><a href="https://mastodon.scot/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://mastodon.scot/tags/passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passkeys</span></a> <a href="https://mastodon.scot/tags/encryption" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>encryption</span></a> <a href="https://mastodon.scot/tags/internet" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>internet</span></a> <a href="https://mastodon.scot/tags/computers" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>computers</span></a> <a href="https://mastodon.scot/tags/computing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>computing</span></a></p>
Zeroday Podcast (sven)<p>How can I sync <a href="https://chaos.social/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passkeys</span></a> between <a href="https://chaos.social/tags/Linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Linux</span></a>, <a href="https://chaos.social/tags/Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a>, <a href="https://chaos.social/tags/iOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>iOS</span></a> and <a href="https://chaos.social/tags/Android" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Android</span></a>? I have <a href="https://chaos.social/tags/Keepass" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Keepass</span></a> and <a href="https://chaos.social/tags/Nextcloud" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Nextcloud</span></a> in use on all systems, in case that helps. Does anyone have an idea? Without that, they make no sense for me.</p>
Replied to BSI

@bsi Sorry, strong passwords with 2FA or #Passkeys unfortunately do not help against phishing in principle.

Especially with the smartphone-based method, you can transfer your passkey secrets to the cloud as well as to other people. That is the crux. In future, #Phishing will then simply aim at getting the secrets transmitted to the attacker.

arxiv.org/abs/2501.07380 "Another concern could be social engineering, where a user is tricked into sharing a passkey with an account controlled by an attacker." -> Protection only with exclusively "device-bound passkeys" in the "roaming authenticator" variant = hardware #FIDO2 tokens. Those are currently the only protection against phishing.

But anything is better than no #2FA.

arXiv.org: Device-Bound vs. Synced Credentials: A Comparative Evaluation of Passkey Authentication

With passkeys, the FIDO Alliance introduces the ability to sync FIDO2 credentials across a user's devices through passkey providers. This aims to mitigate user concerns about losing their devices and promotes the shift toward password-less authentication. As a consequence, many major online services have adopted passkeys. However, credential syncing has also created a debate among experts about their security guarantees. In this paper, we categorize the different access levels of passkeys to show how syncing credentials impacts their security and availability. Moreover, we use the established framework from Bonneau et al.'s Quest to Replace Passwords and apply it to different types of device-bound and synced passkeys. By this, we reveal relevant differences, particularly in their usability and security, and show that the security of synced passkeys is mainly concentrated in the passkey provider. We further provide practical recommendations for end users, passkey providers, and relying parties.