Pulse of Truth

1599 readers

79 users here now

Cyber Security news and links to cyber security stories that could make you go hmmm. The content is exactly as it is consumed through RSS feeds and wont be edited (except for the occasional encoding errors).

This community is automagically fed by an instance of Dittybopper.

founded 2 years ago

MODERATORS

krogoth@infosec.pub

Passkeys are incompatible with open-source software (www.smokingonabike.com)

submitted 2 weeks ago by lemmydev2@infosec.pub to c/pulse_of_truth@infosec.pub

9 comments fedilink hide all child comments

Comments

you are viewing a single comment's thread
view the rest of the comments

[–] Jinna@lemmy.blahaj.zone 11 points 2 weeks ago* (last edited 2 weeks ago)

The spec has issues due to usual RFC bullshit and corporate greed, but as per usual the viewpoint here is too narrow. I'm running my own open source authentication stack and choose what attestations are acceptable, say only allow the FIPS version of Yubikeys. That feature exists because companies want to be able to control which methods they consider secure enough for their own employees. This tech was built for corporate security, using it externally facing with end-users is a bolted on after the fact idea. Having control is necessary, it does not make the spec evil.

Now say GitHub enable attestations that only allow Windows Hello passkeys to go through, then yes that's technically possible. It would also be a support nightmare so they won't. (It's already a support nightmare for anyone limiting devices since for example security key vendors regularly forget to publish their fingerprints for new products.)

The whole biometrics thing? Total red herring. UV can be enabled in many different ways and totally "faked" as well, which is what all the software implementations do such as Bitwarden. Only way to stop it is approvelisting specific devices, see point above.