Explain #passkeys to me like I'm your grandparents.
I've stopped using Firefox since the drama a while back... Using #ZenBrowser and #LibreWolf mainly on macOS and on #Android, #Ironfox and #Cromite (as an alt browser). But I'm having quite a lot of website functionality problems when using Ironfox. Can't create accounts, forms not working, can't use #webauthn, pages not loading correctly, checkouts or shopping sites broken, etc. I guess I need to have #Firefox still installed... It's annoying. What's your workaround? #browsers #androidbrowser
The cryptography behind passkeys
https://blog.trailofbits.com/2025/05/14/the-cryptography-behind-passkeys/
Why MFA is getting easier to bypass and what to do about it - An entire cottage industry has formed around phishing attacks that bypass ... - https://arstechnica.com/security/2025/05/phishing-attacks-that-defeat-mfa-are-easier-than-ever-so-what-are-we-to-do/ #multifactorauthentication #passwords #security #phishing #webauthn #biz #mfa
LemonLDAP::NG 2.21 is out!
This new release includes improvements on OpenID Connect and CAS protocols, Loki logger, public notifications and much more.
Read our release notes: https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-21-0-is-out/
Putting the word out here that https://webauthn.io got a bit of an upgrade today:
- /profile page for after authentication to help with page navigation via the browser

Poke around a bit and feel free to let me know if anything seems off
@sarahjamielewis I would like to hear answers to that question as well. I have not tried it myself, but I'm considering #Keycloak for something like that.
I would also suggest the hashtags #passkey #webauthn and #fido to gather the attention of the right people?
If you're ready to learn the technical details, then there is a Tour of WebAuthN here: https://www.imperialviolet.org/tourofwebauthn/tourofwebauthn.html
Okay... one special item I'd also like to offer you, because #nocciverkauftdinge
Today I can offer you a limited edition of the SoloKeys v2 NFC.
Limited, because it is a special production run that has glitter in the epoxy (see video) ... and also comes in a daring purple.
#Glitzer folks, glitter and security for your password safe, web applications (WebAuthn), FIDO2 and so on... with a bit of work you can even log in to your laptop with it (I did that once).
The thing is still in its original packaging and, besides the USB key, which by the way can never be plugged in the wrong way (wow!), includes two covers.
Okay... it cost me just under 60€, and if I can get 45€ including shipping (a letter sent as registered mail), I would be more than grateful.
Gladly again, thanks!
#solokey #fido2 #webauthn
Passkey advice (ncsc.gov.uk)
From https://www.ncsc.gov.uk/blog-post/passkeys-not-perfect-getting-better (highly condensed by me):
❝
What then are the remaining problems with passkeys?
Inconsistent support and experiences
Device loss scenarios
Migration issues
Account recovery processes
Platform differences
Implementation complexity
Inconsistent use
Uncertainty around multi-factor status
❞
I recently wrote about a number of Android and iOS/iPadOS vulnerabilities (including account lock-out risks) in https://infosec.exchange/@ErikvanStraten/113820358011090612 and a couple of follow-up toots.
People wanting to know the basics of passkeys can read a somewhat acceptable translation from Dutch to English of my writeup "Passkeys for laymen", which can be seen by opening https://www-security-nl.translate.goog/posting/798699/Passkeys+voor+leken?_x_tr_sl=nl&_x_tr_tl=en&_x_tr_hl=nl (which seems to work in Chrome). The original article, in Dutch, can be seen in https://www.security.nl/posting/798699/Passkeys+voor+leken.
A good source of (unbiased!) info is also Dan Goodin's article in https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/.
Finally: the problem with passwords starts with a 'p': it's PEOPLE. Use a password manager as I describe in https://infosec.exchange/@ErikvanStraten/113022180851761038 (with Android screenshot: https://infosec.exchange/@ErikvanStraten/113549056619471557).
@lil5 : passwords *do* prevent phishing on Android and iOS/iPadOS if you set up autofill for your password manager and know what to be aware of.
Details: https://infosec.exchange/@ErikvanStraten/113022180851761038
With Android screenshot: https://infosec.exchange/@ErikvanStraten/113549056619471557
BTW passkeys suck: https://infosec.exchange/@ErikvanStraten/113730072998238596
Chrome 133* is the first #WebAuthn client to be all green!
https://featuredetect.passkeys.dev
(*with some flags enabled)
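A way to see for yourself what "all green" means on a given browser, as an added example that is not from the original post and not the code behind featuredetect.passkeys.dev: this JavaScript probes the client-side WebAuthn surface by checking for the presence of the standard functions. The feature list is this example's own selection, not necessarily the exact set that site checks, and `fakeFullClient` is a constructed stand-in used to exercise the detector outside a browser.

```javascript
// Added example: a small WebAuthn client feature detector.
// The feature list below is this example's own selection (an assumption),
// not the exact list used by featuredetect.passkeys.dev.
const WEBAUTHN_FEATURES = [
  // [label, property path on the global object]
  ["navigator.credentials.create", ["navigator", "credentials", "create"]],
  ["navigator.credentials.get", ["navigator", "credentials", "get"]],
  ["isUserVerifyingPlatformAuthenticatorAvailable",
    ["PublicKeyCredential", "isUserVerifyingPlatformAuthenticatorAvailable"]],
  ["isConditionalMediationAvailable",
    ["PublicKeyCredential", "isConditionalMediationAvailable"]],
  ["getClientCapabilities", ["PublicKeyCredential", "getClientCapabilities"]],
  ["parseCreationOptionsFromJSON", ["PublicKeyCredential", "parseCreationOptionsFromJSON"]],
  ["parseRequestOptionsFromJSON", ["PublicKeyCredential", "parseRequestOptionsFromJSON"]],
  ["PublicKeyCredential.prototype.toJSON", ["PublicKeyCredential", "prototype", "toJSON"]],
  ["signalUnknownCredential", ["PublicKeyCredential", "signalUnknownCredential"]],
  ["signalAllAcceptedCredentials", ["PublicKeyCredential", "signalAllAcceptedCredentials"]],
  ["signalCurrentUserDetails", ["PublicKeyCredential", "signalCurrentUserDetails"]],
];

// Walk a property path; returns undefined as soon as a link is missing.
function lookup(root, path) {
  let cur = root;
  for (const key of path) {
    if (cur === null || cur === undefined) return undefined;
    cur = cur[key];
  }
  return cur;
}

// Returns { label: boolean } for every feature; pass no argument in a browser
// to probe the real window object.
function detectWebAuthnFeatures(root = globalThis) {
  const result = {};
  for (const [label, path] of WEBAUTHN_FEATURES) {
    result[label] = typeof lookup(root, path) === "function";
  }
  return result;
}

// "All green" in the sense of the post: every probed function is present.
function allGreen(features) {
  return Object.values(features).every(Boolean);
}

// getClientCapabilities() resolves to { capabilityName: boolean } on clients
// that support it; returns null where the method is absent.
async function clientCapabilities(root = globalThis) {
  const fn = lookup(root, ["PublicKeyCredential", "getClientCapabilities"]);
  if (typeof fn !== "function") return null;
  return fn.call(root.PublicKeyCredential);
}

// Constructed stand-in (not a real browser) exposing the whole surface above,
// so the detector's positive path can be exercised in Node.
function fakeFullClient() {
  const noop = () => {};
  return {
    navigator: { credentials: { create: noop, get: noop } },
    PublicKeyCredential: {
      isUserVerifyingPlatformAuthenticatorAvailable: noop,
      isConditionalMediationAvailable: noop,
      getClientCapabilities: async () => ({ conditionalGet: true, passkeyPlatformAuthenticator: true }),
      parseCreationOptionsFromJSON: noop,
      parseRequestOptionsFromJSON: noop,
      signalUnknownCredential: noop,
      signalAllAcceptedCredentials: noop,
      signalCurrentUserDetails: noop,
      prototype: { toJSON: noop },
    },
  };
}

// In a browser console: console.table(detectWebAuthnFeatures());
```

Run `detectWebAuthnFeatures()` in a browser console to get a per-feature table; `allGreen()` over that result is the one-line answer to "is this client all green for this list". Presence of a function is not the same as a working authenticator, so for runtime questions (is there a platform authenticator, is conditional UI available) call the detected methods and await their results rather than stopping at detection.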
Sweet, Windows 11 Preview Build 22635.4515 is out on Beta Channel with the new Windows Hello passkey provider APIs!
Hey, anyone wanna take this out for a spin and report back? It's just some types so nothing too fancy, but it's my first package published to JSR.io
I've written a new blog post taking a moderately deep dive into "Threat Modeling YubiKeys and Passkeys"
https://yawnbox.is/blog/threat-modeling-yubikeys-and-passkeys/
I greatly welcome feedback as I want to make sure I'm not misrepresenting anything. I want to make it better if it can be improved. I'm happy to be wrong, just please provide details and links!
Also, I need a job! If you like my work, maybe you know of something where I'd be a good fit.
oooooh, #Nextcloud now supports password-less authentication with #WebAuthn, amazing! (Just noticed this with version 30, I didn't check when it was introduced.)
I couldn't help myself this time: I got so indignant, after a week of evangelizing passkeys, that anyone would suggest password managers (and magic links too?!) might be better than passkeys.
Newsflash, they aren't
#webauthn #passkeys https://infosec.exchange/@iamkale/113331604015112606
LemonLDAP::NG 2.20 is out!
This new release includes brand new features like FIDO2 PasswordLess (PassKeys), events management and Google reCaptcha.
Read more on https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-20-0-is-out/
#IAM #SSO #CAS #SAML #OpenIDConnect #OW2 #lemonldap #lemonldapng #Captcha #Passkeys #Passwordless #WebAuthn #FIDO2 @ow2 @worteks_com
I’m attempting to make passwordless authentication accessible for developers
Here’s a working example you can try:
https://example.stupidwebauthn.site
- Email is used for verification
- Passkeys are used for authentication
- SQLite is used for the database
- API calls and JWT secrets are used for internal connections
- JWT & JWE are used for session security
GitHub if you want to run it locally: