#Tag · bonfire.cafe

My family tech support season has begun.

For elderly people, modern tech is brutal: websites keep breaking password managers (multi-step SSO forms, JS overload, domain changes). Native apps aren't any better.

"Forgot password?" links almost always bypass password managers. The PW manager ends up with an outdated password, breaking trust in the solution, and even gets accounts locked for failed login attempts.

Kornel

@kornel@mastodon.social replied · last week

#Passkeys don't solve the password mess for my elderly relatives.

The "scan QR code" fallback that pops up sometimes is a dead-end. They've been told to click "Deny" whenever sites suddenly ask for permissions, so they block Bluetooth access too.

They don't know or don't remember how to scan a QR code, or are baffled why something for "viewing restaurant menus" is used to log in.

Sites use inconsistent terminology for "passkey/security key/try other method", even worse in non-English.

Ricky Mondello

@rmondello@hachyderm.io · 4 weeks ago

@publicvoit @renchap @gracjan Nice try. Please watch my explanation that I sent to Renaud.

Karl Voit :emacs: :orgmode:

@publicvoit@graz.social replied · 4 weeks ago

@rmondello @renchap @gracjan To my understanding, some implementations that allow migration of #passkeys to other accounts are prone to #Phishing.

https://arxiv.org/abs/2501.07380
"Another concern could be #socialengineering, where a user is tricked into sharing a passkey with an account controlled by an attacker." -> classic phishing, I'd say.

Convenience vs. #security, the usual trade-off.

According to that, roaming authenticators (classic #FIDO2 USB/NFC devices that are able to handle passkeys) are the only phishing-resistant method.

Still, Passkeys are much better than anything else (except FIDO2 HW tokens, of course) but it seems to be the case that the slogan that passkeys are 100% protecting against phishing isn't true any more.

What are your thoughts on that angle?

arXiv.org

Device-Bound vs. Synced Credentials: A Comparative Evaluation of Passkey Authentication

With passkeys, the FIDO Alliance introduces the ability to sync FIDO2 credentials across a user's devices through passkey providers. This aims to mitigate user concerns about losing their devices and promotes the shift toward password-less authentication. As a consequence, many major online services have adopted passkeys. However, credential syncing has also created a debate among experts about their security guarantees. In this paper, we categorize the different access levels of passkeys to show how syncing credentials impacts their security and availability. Moreover, we use the established framework from Bonneau et al.'s Quest to Replace Passwords and apply it to different types of device-bound and synced passkeys. By this, we reveal relevant differences, particularly in their usability and security, and show that the security of synced passkeys is mainly concentrated in the passkey provider. We further provide practical recommendations for end users, passkey providers, and relying parties.

Ricky Mondello

@rmondello@hachyderm.io · last month

I gave an opening keynote at the FIDO Alliance’s “Authenticate” conference a few weeks ago! Although it featured timely strategies and tips for professionals deploying passkeys, my primary goal was to explain, as clearly as I can, why passkeys are important and how we should use them to reduce the harm that passwords cause.

YouTube link: https://www.youtube.com/watch?v=otObbUSxcqs

I’m really proud of this talk and I hope you’ll watch it and share it with others. I put care in to making it approachable while still delivering my perspective and insights to security professionals. If you don’t get the “why” behind passkeys, this talk will help fill that gap.

Julian :rainbow_heart:

@Loredo@chaos.social replied · 4 weeks ago

@rmondello great talk!

It leads to the obvious question how and when Apple is dropping the password and especially SMS 2FA for Apple Accounts. It seems to be a weak point when storing #Passkeys in the Apple Keychain. Unfortunately quite many processes are asking for a password still (without 2FA 😮) and using a Passkey for the Apple Account itself is missing.

I know you can’t comment, just to mention it… maybe it will increase some internal priority counters or something 🙃

Hacker News

@h4ckernews@mastodon.social · last month

Passkeys: They're not perfect but they're getting better

https://www.ncsc.gov.uk/blog-post/passkeys-not-perfect-getting-better</a><

#HackerNews #Passkeys #PasskeySecurity #Cybersecurity #Authentication #TechTrends #Innovation

Passkeys: they're not perfect but they're getting better

Passkeys are the future of authentication, offering enhanced security and convenience over passwords, but widespread adoption faces challenges that the NCSC is working to resolve.

Michael T Babcock

@mikebabcock@floss.social · last month

@iMeddles the problem is not the nature of any of the authentication devices but rather the fact that you're losing the multi in multi-factor authentication.
With multi-factor authentication, if someone steals my security key, they still need to guess my #passwords. If someone cracks my passwords, they still need to get their hands on my key.
With #passkeys, this is no longer true and all your authentication and identity is rolled into one device that if compromised, compromises everything. #MFA

F-Droid

@fdroidorg@floss.social · last month

This week in #FDroid (TWIF) is alive:

* website categories fixed
* calls by e-mail? #DeltaChat #ArcaneChat
* we caught up with #Catima
* last #FOSS version #DOOM #Wolfenstein #RPG
* sorry Android 5,6 and 7, #Fennec now needs 8+
* #Passkeys by #KeepassDX
* time flies, 10 years of #NewPipe
+ 8 new apps
& 131 updates
- 2 archived apps

Start reading: https://f-droid.org/2025/10/24/twif.html

tante

@tante@tldr.nettime.org · 2 months ago

So I think I'll need to read up on it a bit. I understand that "Passkeys" try to do something similar as SSH pubkeys.
But do you know a good technical explainer of what's going on and how it works?

(Yes, I could search myself but I am looking for recommendations of articles you have read that you found helpful and clear.)

EDIT: https://passkeys.io did make some things clearer.

Karl Voit :emacs: :orgmode:

@publicvoit@graz.social replied · 2 months ago

@tante Ich habe auf https://karl-voit.at/FIDO2-vs-Passkeys/ zu #Passkeys und #FIDO2 gebloggt und u.a. auch erklärt, weshalb Passkeys in immer mehr Situationen leider nicht mehr gänzlich gegen #Phishing schützen, FIDO2 meiner Meinung nach aber sehr wohl.

D.h. die Hardware-Tokens liefern aktuell den einzig wasserdichten Schutz gegen Phishing. Trotzdem haben Passkeys viele Vorteile gegenüber den üblichen Methoden wie #TOTP, #TAN via #SMS oder #Email, ...

#publicvoit

Authentifizierung mit FIDO2 und Passkeys

maco boosted

Jonathan Kamens 86 47

@jik@federate.social · 4 months ago

Seriously, the issue in this thread is why I think #passkeys are a ticking time bomb. Most people don't understand how they work, or that they're linked to a single device, or that they need to maintain a backup login method. Websites that support passkeys don't do enough to communicate and enforce good habits. If we continue down the passkey path, people losing access is going to be a much bigger problem in the future, and we're not ready for it. #infosec

Jonathan Kamens 86 47

@jik@federate.social · 4 months ago

Alex Akselrod boosted

Štěpán Škorpil

@stepan@mastodon.skorpil.cz · 5 months ago

On weekend I managed to connect all my selfhosted services that support it to the #Keycloak #SSO (single sign on).
Namely #Mastodon #Peertube #NextCloud #FreshRSS #Matomo and #grafana

Why to bother with such complication for apps serving only a couple of users?
First it's quite easy nowadays.
And second, because I want to get rid of passwords and just use #passkeys .

This is one of many examples showing that good apps should just focus on one task and just use standards to cooperate with other apps focusing on other tasks.

Peertube for example focuses on videos, not user management. I am very OK that they don't support passkeys, because they implemented OpenId Connect standard to allow me use Keycloak for better login options.

On the other hand, I am quite sad that SSO is often the one feature, that is proprietary and reserved only for paying customers. SSO is not for huge corporations anymore. It's also usefull for us, selfhosters with couple of users.

❤️

Štěpán Škorpil

@stepan@mastodon.skorpil.cz · 5 months ago

On weekend I managed to connect all my selfhosted services that support it to the #Keycloak #SSO (single sign on).
Namely #Mastodon #Peertube #NextCloud #FreshRSS #Matomo and #grafana

Why to bother with such complication for apps serving only a couple of users?
First it's quite easy nowadays.
And second, because I want to get rid of passwords and just use #passkeys .

This is one of many examples showing that good apps should just focus on one task and just use standards to cooperate with other apps focusing on other tasks.

❤️

Doug Webb

@douginamug@mastodon.xyz · 5 months ago

#Passkeys working on #GrapheneOS with #Vanadium and #Bitwarden 🌻

Support for #keepassDX in progress 🌱 https://github.com/Kunzisoft/KeePassDX/issues/1421

spla

@spla@mastodont.cat · 6 months ago

Inici de sessió: quan vols entrar, el servidor envia un repte que el teu dispositiu signa amb la clau privada (sense revelar-la).
3. Verificació: el servidor comprova la signatura amb la teva clau pública i, si coincideix, et dóna accés.
Avantatges respecte a les contrasenyes
✅ Més segures: no es poden robar.
✅ Més còmodes: no has de recordar contrasenyes.
✅ Sincronització: es poden emmagatzemar en el núvol (amb xifratge) per usar-les en diferents dispositius.

spla

@spla@mastodont.cat replied · 6 months ago

Tant de bo tinguessin #Passkeys arreu, en tots els servidors, bancs, oficines virtuals de les administracions etc. No hi haurien robatoris de contrasenyes perquè no hi hauria cap per robar!

spla

@spla@mastodont.cat · 6 months ago

Les claus d’accés (#Passkeys) són una forma moderna i segura d’iniciar sessió sense necessitat de contrasenyes tradicionals. Funcionen amb autenticació biomètrica (digital o facial) i utilitzen criptografia de clau pública per verificar la teva identitat.

Com funcionen?
1. quan crees una passkey, el teu dispositiu genera un parell de claus:
- Clau privada (emmagatzemada de forma segura al teu dispositiu).
- Clau pública (enviada al servidor del lloc web o app).