Thread 107165570

75 posts 8 images /g/
Anonymous No.107165570 [Report] >>107166017 >>107166037 >>107166055 >>107166056 >>107166350 >>107166431 >>107166772 >>107166912 >>107167228 >>107167613
passkeys are pretty cool.
Anonymous No.107166004 [Report] >>107167141
still don't know how to use them
Anonymous No.107166017 [Report] >>107166989
>>107165570 (OP)
KeepassXC's passkey support is great.
You basically don't need that auto-fill stuff, because the passkey standards got that covered for you and keepass doesn't have to make up some random password either.
Anonymous No.107166037 [Report]
>>107165570 (OP)
especially with a fingerprint on my macbook
Anonymous No.107166042 [Report]
passkeys can SUCK MY FUCKING DICK
Anonymous No.107166055 [Report] >>107167294
>>107165570 (OP)
when you need to log into something on a remote machine...
Fucking hate passkeys
Anonymous No.107166056 [Report] >>107166239
>>107165570 (OP)
No idea what this is, but if google is involved, that means they get unrestricted access to your shit.
Anonymous No.107166239 [Report] >>107166420 >>107166869 >>107167054
>>107166056
>No idea what this is
someone can correct me if I'm wrong since I base half of my knowledge on reddit posts and the other half on imagination but passkeys are public key cryptography. your phone or PC produces a private key and stores it on your device then shares its public key with the website you're trying to set passkey with.

every time you want to sign in you use your device to sign a message instead of entering your password. pros are it's easy to use and resistant to phishing as it verifies the domain name of website and doesn't share login information with fake sites.

>but if google is involved, that means they get unrestricted access to your shit.
well you can use it on your google account in which case google does have unrestricted access. but you can use it with other services that support it.

it's basically your computer storing passwords and not revealing them to you or anybody. it's locked in, you cannot even back it up unlike your password database. idk how well it fares against malware but I assume if your computer has malware you're screwed with a password manager too since it can steal your entries and browser cookies.
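The flow described in the post above (the device keeps the private key, the site only gets the public key, and a login is a signature bound to the site's domain), as an added example that is not part of the thread. It is a simplified Node.js model, not the real WebAuthn message format; the `Authenticator` and `Site` classes and both domains are made up for illustration.

```javascript
// Added illustration: simplified passkey-style login with origin binding.
// Not the WebAuthn wire format; class names and domains are constructed.
const nodeCrypto = require('node:crypto');

class Authenticator {
  constructor() { this.creds = new Map(); }   // rpId -> private key, never exported
  register(rpId) {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.creds.set(rpId, privateKey);
    return publicKey;                         // only the public key goes to the site
  }
  // `origin` is supplied by the browser, so a page cannot lie about where it is hosted.
  sign(origin, challenge) {
    const key = this.creds.get(new URL(origin).hostname);
    if (!key) return null;                    // no credential scoped to this domain
    const clientData = JSON.stringify({ origin, challenge });
    const signature = nodeCrypto.sign('sha256', Buffer.from(clientData), key);
    return { clientData, signature };
  }
}

class Site {
  constructor(origin) { this.origin = origin; this.pending = new Set(); }
  enroll(publicKey) { this.publicKey = publicKey; }
  newChallenge() {
    const c = nodeCrypto.randomBytes(32).toString('hex');
    this.pending.add(c);
    return c;
  }
  verify(assertion) {
    if (!assertion) return false;
    const { origin, challenge } = JSON.parse(assertion.clientData);
    if (origin !== this.origin) return false;          // signed for another site
    if (!this.pending.delete(challenge)) return false; // unknown or replayed challenge
    return nodeCrypto.verify('sha256', Buffer.from(assertion.clientData),
                             this.publicKey, assertion.signature);
  }
}

function demo() {
  const site = new Site('https://bank.example');
  const device = new Authenticator();
  site.enroll(device.register('bank.example'));
  const genuine = site.verify(device.sign('https://bank.example', site.newChallenge()));
  // Look-alike page relays a real challenge; the device has no key for that domain.
  const phished = site.verify(device.sign('https://bank-example.test', site.newChallenge()));
  // A captured assertion cannot be reused: its challenge is consumed on first use.
  const captured = device.sign('https://bank.example', site.newChallenge());
  const first = site.verify(captured), replay = site.verify(captured);
  return { genuine, phished, first, replay };
}
```
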
Anonymous No.107166350 [Report]
>>107165570 (OP)
>key
Can I lend my key to my friends so they can open my door?
Anonymous No.107166420 [Report] >>107166824
>>107166239
>you cannot even back it up unlike your password database
sounds fantastic when a device breaks
Anonymous No.107166431 [Report] >>107166672
>>107165570 (OP)
I am not giving my fingerprints and face scans to Android/Apple.
Anonymous No.107166672 [Report]
>>107166431
if you have a mobile phone, it already scans your face.
https://youtu.be/zfGHDeNK97o
Anonymous No.107166772 [Report]
>>107165570 (OP)
Keepass[xc] is way cooler.
Anonymous No.107166824 [Report]
>>107166420
I think there are cloud backup implementations. for people who don't want to use that, sites you sign up with passkeys can offer backup codes. google already does this for 2fa.
Anonymous No.107166866 [Report] >>107166976 >>107167106 >>107167123 >>107167169 >>107167392
https://github.com/keepassxreboot/keepassxc/issues/10406
https://github.com/keepassxreboot/keepassxc/issues/10407
Anonymous No.107166869 [Report] >>107167123
>>107166239
Yup. Passkeys are essentially SSH keys (if you’re familiar with that) but for websites. However, it’s not entirely correct to say that passkeys are tied to your device. This is the more familiar definition of passkeys you’ll see online when searching them up, but there are also syncable passkeys that are stored in your password manager. These are not tied to a specific device: https://bitwarden.com/passwordless-passkeys/
Anonymous No.107166912 [Report]
>>107165570 (OP)
Passphrase is more than good enough.
Anonymous No.107166976 [Report]
>>107166866
do not spread fud
Anonymous No.107166989 [Report]
>>107166017
it's okay but i'm still waiting for the other shoe to drop
it's only a matter of time before fidofags make good on their threat to blacklist keepassx from the passkey (((ecosystem)))
Anonymous No.107167015 [Report] >>107167021 >>107167123
use case?
Anonymous No.107167021 [Report] >>107167097
>>107167015
the securest thing ever, will be very useful with attestation soon
Anonymous No.107167054 [Report]
>>107166239
>and browser cookies.
any good site is (read:should be) doing geoip on sessions.
Anonymous No.107167097 [Report] >>107167114 >>107167169
>>107167021
>attestation
use case?
Anonymous No.107167106 [Report]
>>107166866
rereading these it's really impressive how much patience the keepassxc guy has
i would have called these corponigger blackmailers some unfortunate names and locked their issues
Anonymous No.107167114 [Report] >>107167169 >>107167190
>>107167097
Banning insecure (read open source) implementations that fido doesn't approve of.
Anonymous No.107167123 [Report] >>107167168 >>107167172
>>107166866
this sounds like a bad implementation rather than an inherent flaw with how passkeys work.

>>107166869
right. I also overlooked the option of generating passkeys on an offline password manager that supports it and sharing the database between devices yourself. this way you can back up passkeys without cloud.

though I don't really understand how passkeys are generated. I assume it's analogous to totp where everyone has agreed on one open way of doing it so there's no need to rely only on one service to use passkeys.

>>107167015
getting the same (if not more) security of logging into your accounts with a simple pin instead of having to type in a long ass password and use 2fa every time.
Anonymous No.107167141 [Report]
>>107166004
Fpbp
And I’m a freaking Sys Admin which makes it worse
Anonymous No.107167168 [Report] >>107167224
>>107167123
>this sounds like a bad implementation rather than an inherent flaw with how passkeys work.
You're absolutely right! They need banned yesteryear.
Anonymous No.107167169 [Report] >>107167190 >>107167404 >>107167509
>>107167097
for more info regarding what >>107167114 said see >>107166866
Anonymous No.107167172 [Report]
>>107167123
>getting the same (if not more) security
You've got some explaining to do, chief
Anonymous No.107167184 [Report]
Passkeys are for super gay babies.
Anonymous No.107167190 [Report] >>107167205
>>107167114
>>107167169
What if we just... never use this bullshit :)
Anonymous No.107167194 [Report]
kill google
kill apple
kill microsoft
alive keepass
Anonymous No.107167205 [Report] >>107167241
>>107167190
It will become mandatory, we're working very hard on that.
Anonymous No.107167224 [Report]
>>107167168
take what I have to say with a grain of salt, I like and use keepassxc. I have no technical expertise, I am at the user end of these things, saar.
Anonymous No.107167228 [Report] >>107167237
>>107165570 (OP)
I don't like passkeys (because they tie you to a physical device even if you were using a VPN) and I dislike biometrics even more (because why would I want to give a website I don't trust my fingerprint or eye)
I'd rather just use a password because I'm not a mouthbreather
Anonymous No.107167237 [Report] >>107167246 >>107167269
>>107167228
Do you want your relatives to get scammed and their passwords stolen?
Anonymous No.107167241 [Report] >>107167249 >>107167382
>>107167205
Just like ID verification and whatnot, but here's the beautiful part: only the few big sites (facebook, twitter, youtube, reddit, discord, and a couple more) will enforce it. The rest of the internet is, and will always remain as free as usual
Anonymous No.107167246 [Report]
>>107167237
Most of my relatives are retarded and deserve to lose their money(and are assholes), and the ones that aren't I manage their shit for them anyway
Anonymous No.107167249 [Report] >>107167283
>>107167241
Please do give us enough time to completely make unsecured passwords obsolete.
Anonymous No.107167269 [Report]
>>107167237
>muh scams and hackermen
Oh no, my uncle lost his instagram account. Whatever shall he do... (make another and move on)
>inb4 muh online banking
Only retarded third worlders do this shit. Civilised people use cash, only.
Anonymous No.107167270 [Report]
I still don't understand why. Just make ssh auth a proper standard. Done. Register your ed25519 pubkey, ask ssh-agent for your creds and you're done.
Less autism.
Anonymous No.107167283 [Report] >>107167287
>>107167249
>unsecured passwords
https
Anonymous No.107167287 [Report] >>107167361 >>107167467
>>107167283
Clearly not enough. People still get their accounts stolen they need more protection.
Anonymous No.107167294 [Report]
>>107166055
>the year is 2025
>We still don't have a solution for proxying credential requests through other machines.
>windows can't do it through winrm or any non interactive session.
>even ssh forwarding is unsafe

How is this even possible?
Anonymous No.107167361 [Report] >>107167375
>>107167287
TOTP
Anonymous No.107167375 [Report] >>107167400
>>107167361
A decent start but not enough adoption and still filters some people, we need better, we need Passkeys.
Anonymous No.107167382 [Report] >>107167404 >>107167412 >>107167467 >>107169527
>>107167241
There’s literally nothing wrong with passkeys, you’re just a contrarian for no reason.
Anonymous No.107167392 [Report] >>107167593
>>107166866
I hate corporate security theater so much.

You got a standard that is basically ssh keys for website login - something that could be very nice - and some shitter comes around talking about certification for providers and the ability to blacklist some.
Anonymous No.107167400 [Report]
>>107167375
Passkeys filter even more people that download the authenticator app(s?), and have much lower adoption, both for end users and websites
Anonymous No.107167404 [Report] >>107167427
>>107167382
i take issue with this in particular >>107167169
Anonymous No.107167412 [Report] >>107167427
>>107167382
>nothing wrong with passkeys
FIDO
Anonymous No.107167427 [Report] >>107167447 >>107167461
>>107167412
>>107167404
Just follow the spec? Is that so hard?
Anonymous No.107167447 [Report] >>107167487 >>107167556
>>107167427
No, but why bother with such a retarded spec?
Anonymous No.107167461 [Report] >>107167487
>>107167427
and pay for a certificate that provides ZERO benefit to the user because the NSA has access to default installed root certificates... we already had all that bullshit in the past already, i don't need that for fucking login methods as well.
Anonymous No.107167467 [Report] >>107167587 >>107171374
>>107167287
How do passkeys help? Credentials can be stolen from cookies, localStorage (MUH HECKIN CSRFs DOH) or whatever real credential exists.
>>107167382
There is literally everything wrong with it
1. (((requires))) physical hardware or a (((conveniently allowed))) cloud service
2. Ridiculously complex
3. Windows (most normie used OS) has the worst passkey prompt in the form of Hello which tries to bait you into using some phone bullshit.
4. You'll still need some kind of backdoor because hardware breaks. Even at work I have at least 2 ways to login: fido or some phone bullshit.

Hardware breaks? You're fucked. Cuck bullshit response? Have more than one, oh and make sure you have more than one off-site as well. Limited key slots too goy, better buy the 100+ dollar deluxe one.
Can allow user to backup their keys? Oops, your key is now blacklisted from (((certain))) sites.

The other cloud shit is blatantly anticompetitive bullshit. I shouldn't need to spell out how bad it is. The keepass* fork drama should be enough to dumpster the whole retarded concept.

Ultimately I don't believe it's any better than Kerberos, mutual TLS or even ssh2 key auth and adds a lot of stupid shit that exists to inconvenience users (with cost and hardware anxiety) and competitors for no reason.
Anonymous No.107167487 [Report] >>107167496 >>107167571 >>107169527
>>107167447
To avoid your software getting denylisted?
>>107167461
You do not have governments as threat actors against you, take your medications.
Anonymous No.107167496 [Report] >>107167509
>>107167487
>denylisted
by who?
Anonymous No.107167509 [Report] >>107167550
>>107167496
Please see the screenshot in >>107167169
Anonymous No.107167550 [Report] >>107167565
>>107167509
talks about banning users, not software. Keep using whatever you like, just avoid the passkey xancer. Seems simple to me
Anonymous No.107167556 [Report] >>107167587
>>107167447
Those orpo niggers are looking for an excuse to implement Google Play Attestation style retardation and lock the infrastructure down.

Funnily enough, the corpo nigger doesn't complain about cloud services (including Apple!) not implementing what he demands either... because that would immediately wreck any argument in favor of attestation... an argument those issues aren't even about!
He is being a sneeky faggot, he doesnt actually argue with the keepass dude, he argues for himself to to have something to show his FIDO buddies that can then be used to lock shit down, even thought that it is wrong.
Anonymous No.107167565 [Report] >>107167585
>>107167550
No, it talks about services like Google refusing to trust Passkeys from KeepassXC as they're not as secure as they should be.
Anonymous No.107167566 [Report] >>107171644
Passkeys cannot be phished without literally sending the passkey to the scammer. They're great, get one for your parents.
Anonymous No.107167571 [Report]
>>107167487
The government is my Nr.1 threat factor!
The government hates me, and hates everyone they rule over, and proved in the past that they will abuse their power.

Government meddling needs to be the uttermost important consideration.
And considering this, any attestation requirement is a security vulnerability.
Anonymous No.107167585 [Report] >>107169527
>>107167565
stop ragebaiting, we all know that nobody can possibly be this much of a glowy bootlicker
Anonymous No.107167587 [Report]
>>107167467
>>107167556
The only one here with both the knowledge and energy to explain why kepasses are opaque locked down bullshit. Thanks. I personally, will heep using https + totp. Glowniggers, keep seething
Anonymous No.107167593 [Report] >>107167640
>>107167392
There's something to be said about how software passkeys are dangerous and lower security than hardware-based ones, but this is way too far.
Anonymous No.107167613 [Report]
>>107165570 (OP)
>passkeys are pretty cool.
for me to poop on
Anonymous No.107167640 [Report]
>>107167593
>how software passkeys are dangerous and lower security than hardware-based ones
They would never make this argument, because google produced security keys that were so massively flawed that they could be remotely cloned via Bluetooth.
Anonymous No.107167715 [Report] >>107167731
Why do kikes want to make it impossible for you to be able to get your own private key?
Anonymous No.107167731 [Report]
>>107167715
It's not your key though, you're using someone else's service and they're giving you a key.
Anonymous No.107169527 [Report]
>>107167382
>>107167585
>>107167487
>t.
Anonymous No.107171374 [Report]
>>107167467
>Limited key slots too goy, better buy the 100+ dollar deluxe one.
I remember reading an article about resident keys vs non resident keys and it's making more and more sense now
fuck passkeys, proper (no sms) 2FA was always the way to go
Anonymous No.107171454 [Report]
You literally don't need more than TOTP
Anonymous No.107171644 [Report]
>>107167566
fake news.

passkeys can be phished:
https://mastersplinter.work/research/passkey/