RFC2324
Jun 7, 2012

http 418

I don't understand the complaints about yubikeys. I enrolled mine for my vaultwarden instance, and the handful of keystone accounts that all my other stuff fails to (my google email for account recovery, etc.), and then let vaultwarden handle the rest of security.

It bugs me to reauth with it exactly as often as it does any other 2fa (never on major sites, every time on my personal stuff because I haven't figured out how to set the session time)

single-mode fiber
Dec 30, 2012

Entering the PIN and/or touching the key is so much nicer and faster than unlocking my phone, opening the OTP app, scrolling to find the specific website's code, then transcribing it into the web browser.

SlowBloke
Aug 14, 2017

RFC2324 posted:

I don't understand the complaints about yubikeys. I enrolled mine for my vaultwarden instance, and the handful of keystone accounts that all my other stuff fails to (my google email for account recovery, etc.), and then let vaultwarden handle the rest of security.

It bugs me to reauth with it exactly as often as it does any other 2fa (never on major sites, every time on my personal stuff because I haven't figured out how to set the session time)

My main issue with it is that there are only 16 OTP slots (when I need give or take 30) and the use flow of taking the key out, insert it, pray that the connector isn't oxidized, put the pin in, pray that the touch point isn't oxidized and then touch is slow. Going over NFC replaces the oxidize issue with nfc sensors on laptops being on the fritz most of the time. Also their production lines are more hosed than Tesla, I'm waiting for four 5C NFC since last October with support telling me to wait or get hosed.

I've added everything that accepted more than two keys (gently caress you microsoft) to apple passkeys and it's actually faster since taking the phone out, unlock, scan qr and execute is natural.

SlowBloke fucked around with this message at 18:58 on Jan 1, 2023

Boris Galerkin
Dec 17, 2011

I don't understand why I can't harass people online. Seriously, somebody please explain why I shouldn't be allowed to stalk others on social media!

Klyith posted:

1. Wait for more than a handful of websites to support them.

2. https://support.apple.com/guide/iphone/sign-in-with-passkeys-iphf538ea8d0/ios

What are examples of common sites that support this? I know I probably sound like I’m dense and/or “just asking questions” but I’m genuinely curious to try it out. When I had a yubikey I mainly used it for ssh I didn’t even know I could hook it into random websites.

SlowBloke
Aug 14, 2017

Boris Galerkin posted:

What are examples of common sites that support this? I know I probably sound like I’m dense and/or “just asking questions” but I’m genuinely curious to try it out. When I had a yubikey I mainly used it for ssh I didn’t even know I could hook it into random websites.

Nvidia for instance. You create the account, then you go into the user security properties ( https://profile.nvgs.nvidia.com/security ) and add a new security key, follow the instructions to add a new passkey using your iphone (or your yubikey if it's a 5 series). Once you do this you will be able to login using "a security key" that is nothing but bits on the icloud keychain (or the yubikey if you enrolled that).

Defenestrategy
Oct 24, 2010

I looked at a passkey video to see what y'all were talking about and I still don't get how they're significantly different than longass passwords encrypted and stored in a cloud vault. Is it the automatic nature where the website asks directly for the key without your input? I'm obviously missing something.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Tapping the Yubikey in my USB hub that's sitting like a foot away from me is so much easier than transcribing codes from SMS or Auth apps I have no idea why anyone would say Yubikey is inconvenient

unless they just don't use MFA at all, in which case how did you find this thread?

SlowBloke
Aug 14, 2017

Defenestrategy posted:

I looked at a passkey video to see what y'all were talking about and I still don't get how they're significantly different than longass passwords encrypted and stored in a cloud vault. Is it the automatic nature where the website asks directly for the key without your input? I'm obviously missing something.

This is what makes a yubikey or a passkey tick

https://youtu.be/3wtwUh6iyxY

Compared to a user/password combo it is far harder to phish since you need physical line of sight (contact or bluetooth range) to unlock the "vault".

Cup Runneth Over posted:

Tapping the Yubikey in my USB hub that's sitting like a foot away from me is so much easier than transcribing codes from SMS or Auth apps I have no idea why anyone would say Yubikey is inconvenient

unless they just don't use MFA at all, in which case how did you find this thread?

I'm on my second yubikey in two years since I need to use it on multiple computers on the move; even babysitting it in a soft pouch, they are far more fragile than Yubico will admit. I'm getting rather tired of replacing more yubikeys in a three year interval than my car tires. Also I cannot fit all my otp codes inside a yubikey, which makes that part kinda useless since I need to also rely on other solutions (be it authy or keepassXC) to fit the rest of them anyway.

SlowBloke fucked around with this message at 20:49 on Jan 1, 2023

Saukkis
May 16, 2003

Unless I'm on the inside curve pointing straight at oncoming traffic the high beams stay on and I laugh at your puny protest flashes.
I am Most Important Man. Most Important Man in the World.

Does any of the competition have higher quality auth keys?

Internet Explorer
Jun 1, 2005





I use a YubiKey 5 Nano for work and it's great. Just sits in my laptop and I press the button when needed. There's a "Yubisneeze" risk, where you put your token in a chat window or whatever, but there's workarounds and it's not a big deal. I really should move over to using one for mobile devices, but at the same time Google/Apple's handling of device authentication seems pretty good for the average person.

SlowBloke
Aug 14, 2017

Internet Explorer posted:

I really should move over to using one for mobile devices, but at the same time Google/Apple's handling of device authentication seems pretty good for the average person.

With passkeys now widely available, I would suggest moving to that implementation rather than a physical one. The only scenario I would suggest keeping it physical is for high risk content or if you tend to jump from android to ios (or vice versa) often.

Raymond T. Racing
Jun 11, 2019

Saukkis posted:

Does any of the competition have higher quality auth keys?

Not really no. Yubico pretty much has the enterprise market on lock, and has as close to a functional monopoly as you can get in the security key space.

SlowBloke
Aug 14, 2017

Saukkis posted:

Does any of the competition have higher quality auth keys?

Solo has the distinction of being even worse build quality wise. Our Microsoft accounts swear by Feitian when not suggesting we train our users that WHfB isn't devil incarnate.

Klyith
Aug 3, 2007

GBS Pledge Week

Defenestrategy posted:

I still don't get how they're significantly different than longass passwords encrypted and stored in a cloud vault. Is it the automatic nature where the website asks directly for the key without your input?

It's that all the complexity is totally hidden from the user. Years and years of telling people to use longass random passwords in a password manager has produced minimal progress. Passkeys are secure and far easier for normal people to use.

I kinda dislike the idea: it's yet another thing that, once people are using them all the time and adapted to the passwordless system, adds lock-in to an ecosystem. I doubt apple will have an easy way to move your passkeys to an android device or vice versa. But despite that it'll be better security for the masses, so I can't object too much.

SlowBloke
Aug 14, 2017

Klyith posted:

It's that all the complexity is totally hidden from the user. Years and years of telling people to use longass random passwords in a password manager has produced minimal progress. Passkeys are secure and far easier for normal people to use.

I kinda dislike the idea: it's yet another thing that, once people are using them all the time and adapted to the passwordless system, adds lock-in to an ecosystem. I doubt apple will have an easy way to move your passkeys to an android device or vice versa. But despite that it'll be better security for the masses, so I can't object too much.

The vendor lock in is in part due to the FIDO consortium not having a standard export method for safety reasons. Yubico attempted to provide some options but I think it didn't go far.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Longass passwords can also still be phished, since we have probably all had the experience of having to tell our password manager what site we were actually on when it didn’t detect that you used your microsoft.com account for live.com or whatever. Passkeys just can’t.

I’m not sure what the interoperability difficulties are between passkey implementations. It doesn’t work now but I could see it becoming a matter of using a 3rd-party manager like you have to for password mobility these days.

SlowBloke
Aug 14, 2017

Subjunctive posted:

Longass passwords can also still be phished, since we have probably all had the experience of having to tell our password manager what site we were actually on when it didn’t detect that you used your microsoft.com account for live.com or whatever. Passkeys just can’t.

I’m not sure what the interoperability difficulties are between passkey implementations. It doesn’t work now but I could see it becoming a matter of using a 3rd-party manager like you have to for password mobility these days.

The issue is that the seed+enroll data is by design sealed in the fido token storage, that data is supposed to stay there since fido doesn't have a standard for data exchange. If you have enrolled in apple passkey solution and decide to drop all of your apple stuff and go android, you will have to enroll everything again, same as if you replaced a yubikey.

beuges
Jul 4, 2005
fluffy bunny butterfly broomstick

SlowBloke posted:

The issue is that the seed+enroll data is by design sealed in the fido token storage, that data is supposed to stay there since fido doesn't have a standard for data exchange. If you have enrolled in apple passkey solution and decide to drop all of your apple stuff and go android, you will have to enroll everything again, same as if you replaced a yubikey.

Is the Fido token storage locked to the device, or is it in iCloud (in the Apple world)? i.e. would you need to enroll everything again if you upgraded your iPhone or does that only apply if you decide to switch to android?

jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!


Why don’t you just use touchid on your laptop?

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

beuges posted:

Is the Fido token storage locked to the device, or is it in iCloud (in the Apple world)? i.e. would you need to enroll everything again if you upgraded your iPhone or does that only apply if you decide to switch to android?

It’s shared across devices as part of the iCloud Keystore, and I don’t believe is vended in real-time from the cloud service, so there’s key material that I think could be moved around to Android as well if there were a compatible receiver (and commercial will)

I don’t know how the iCloud Keystore interacts with the enclaves, or why Apple Wallet doesn’t let you move those registrations between devices, for example, so there could be mechanical limits arising from the design, or I might just be an idiot

Guy Axlerod
Dec 29, 2008

I thought fido (and therefore passkeys) was certificate based auth. So rather than sending the same password every time, it sends a signature.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Yeah, I think that’s the case. The question is how portable the private key material or equivalent is, I think.

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?

How do I set up passkeys on Android using my Microsoft account? I'd prefer not to have my keychain (is that the right term outside of Apple?) with Google, but if only Apple and Google are options then so be it.

Raymond T. Racing
Jun 11, 2019

Hot take: the platform locked passkey system is a nightmare and unless you’re entirely in a single ecosystem you shouldn’t use them yet

The reason why all the passkey providers have been coy about portability is because they don’t really want to talk about it because the answer is “lol you can’t”. I’m hoping for password managers to pick up the slack on making passkeys work if you’re a mixed OS user

Hed
Mar 31, 2004

Fun Shoe

Buff Hardback posted:

I’m hoping for password managers to pick up the slack on making passkeys work if you’re a mixed OS user

I think you're right, 1Password is claiming they'll do them some time this year. Obviously they're a threat if they don't get in front of it, though.

Fart Amplifier
Apr 12, 2003

Buff Hardback posted:

Hot take: the platform locked passkey system is a nightmare and unless you’re entirely in a single ecosystem you shouldn’t use them yet

The reason why all the passkey providers have been coy about portability is because they don’t really want to talk about it because the answer is “lol you can’t”. I’m hoping for password managers to pick up the slack on making passkeys work if you’re a mixed OS user

Why not just have multiple independent hardware authenticator devices, like you probably should be doing already?

Inept
Jul 8, 2003

Fart Amplifier posted:

Why not just have multiple independent hardware authenticator devices, like you probably should be doing already?

If you get enough hardware keys, you become the computer janitor

SlowBloke
Aug 14, 2017

Guy Axlerod posted:

I thought fido (and therefore passkeys) was certificate based auth. So rather than sending the same password every time, it sends a signature.

Check the video I posted a bit back, that's how fido (and passkeys) works. It's cert based but the private key is managed by the token cryptographic engine.
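
Added example (not part of any post in this thread, and not code from any FIDO vendor): a simplified Node.js model of the signature-based login discussed above, showing why an assertion made on a look-alike site or replayed later is rejected. The host names, the `Authenticator` class and `verifyAssertion` are constructed for illustration; real WebAuthn adds attestation, CBOR encoding and counter checks.

```javascript
// Added illustration: a simplified model of a WebAuthn/FIDO2 login, not a full implementation.
const crypto = require('crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Authenticator (security key or passkey store): one key pair per relying-party ID.
class Authenticator {
  constructor() { this.keys = new Map(); }

  register(rpId) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey); // the private key never leaves this object
    return publicKey;                // the site stores only the public key
  }

  // `origin` is filled in by the browser from the address bar, not by the page.
  getAssertion(origin, challenge) {
    const rpId = new URL(origin).hostname; // simplification: rpId == hostname
    const privateKey = this.keys.get(rpId);
    if (!privateKey) return null;          // nothing is scoped to this site
    const clientDataJSON = Buffer.from(JSON.stringify({
      type: 'webauthn.get', challenge: challenge.toString('base64url'), origin,
    }));
    // rpIdHash (32 bytes) + flags (user present) + 4-byte signature counter
    const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x01, 0, 0, 0, 1])]);
    const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
    return { clientDataJSON, authenticatorData,
             signature: crypto.sign('sha256', signed, privateKey) };
  }
}

// Relying party (the website): every check must pass before the login is accepted.
function verifyAssertion(expected, publicKey, assertion) {
  const client = JSON.parse(assertion.clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return 'bad type';
  if (client.origin !== expected.origin) return 'origin mismatch';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'challenge mismatch';
  const rpIdHash = assertion.authenticatorData.subarray(0, 32);
  if (!crypto.timingSafeEqual(rpIdHash, sha256(expected.rpId))) return 'rpId mismatch';
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, assertion.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const rp = { rpId: 'shop.example', origin: 'https://shop.example' }; // constructed names
  const lookalike = 'https://shop-example.test';                       // constructed look-alike
  const token = new Authenticator();
  const publicKey = token.register(rp.rpId);
  const challenge = crypto.randomBytes(32);
  const genuine = token.getAssertion(rp.origin, challenge);
  const noCredential = token.getAssertion(lookalike, challenge); // null: no key for that host
  token.register('shop-example.test'); // even with a credential for the look-alike...
  const relayed = token.getAssertion(lookalike, challenge); // ...the origin is signed in
  return {
    genuine: verifyAssertion({ ...rp, challenge }, publicKey, genuine),
    noCredential,
    relayed: verifyAssertion({ ...rp, challenge }, publicKey, relayed),
    replayed: verifyAssertion({ ...rp, challenge: crypto.randomBytes(32) }, publicKey, genuine),
  };
}
```

Calling `demo()` returns the verdict for each case: the genuine login, the look-alike host with no credential, a response produced on the look-alike host, and an old response checked against a fresh challenge.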

Klyith
Aug 3, 2007

GBS Pledge Week

Ynglaur posted:

How do I set up passkeys on Android using my Microsoft account? I'd prefer not to have my keychain (is that the right term outside of Apple?) with Google, but if only Apple and Google are options then so be it.

There's a MS authenticator app in the google app store.

edit: google seems to be building their passkey support into chrome rather than as a universal thing, yuck. Guess I won't join the passwordless future until keepass supports it.

Klyith fucked around with this message at 14:42 on Jan 2, 2023

SlowBloke
Aug 14, 2017

Klyith posted:

There's a MS authenticator app in the google app store.

edit: google seems to be building their passkey support into chrome rather than as a universal thing, yuck. Guess I won't join the passwordless future until keepass supports it.

Passkeys enroll kickstart is done by the device os which then bounces the session to chrome (android) or iCloud keychain (safari). No way to replace the enroll endpoint on either android or iOS.

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?

Klyith posted:

There's a MS authenticator app in the google app store.

edit: google seems to be building their passkey support into chrome rather than as a universal thing, yuck. Guess I won't join the passwordless future until keepass supports it.

Thanks, I'll play around with it. I already use MS Authenticator for all of my MFA anyways. If 1Password supports passkeys later that might be interesting, too.

SlowBloke
Aug 14, 2017

Found the yubico proposal for fido credential backup

https://www.yubico.com/blog/yubico-proposes-webauthn-protocol-extension-to-simplify-backup-security-keys/

It looks like it stalled since I haven't heard anything newer about it.

horse_ebookmarklet
Oct 6, 2003

can I play too?

How should I derive key material from a username and password, without a salt?
This is a client server interaction, and I don't see any TLS mechanism to communicate the salt to the client, though maybe I could bastardize the SNI field?

My use case is that I have an embedded device, that will be programmed with a preshared key. User can update it out of band with a USB cable.
The client should derive the same key (from a username and password) then use it in a TLS_PSK_WITH_AES_128_GCM_SHA256 session.

In summary:
Need a 128 bit key material, derived from only a username and password. Used as the preshared key in a TLS_PSK_WITH_AES_128_GCM_SHA256 session.

Currently I am thinking:
BLAKE2b to hash the username, to use as a salt
Then using ARGON2ID13, using the above salt and the password.
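
Added example (not the poster's code): the derivation sketched in the post above, written for Node.js so both ends can be compared. Node's built-in `crypto` has no Argon2id, so `scryptSync` stands in for it here; the `CONTEXT` label, the username normalisation and the cost parameters are assumptions. A username-derived salt is deterministic and public, so it only separates users from each other and adds no secrecy of its own.

```javascript
// Added illustration: deterministic 128-bit PSK from username + password.
const crypto = require('crypto');

// Assumed, hypothetical label that scopes the salt to one product and scheme version.
const CONTEXT = 'example-device-psk-v1';

function derivePsk(username, password) {
  // Both ends must normalise identically or they derive different keys.
  // Lower-casing the username is an assumption about how accounts are named.
  const user = username.normalize('NFKC').trim().toLowerCase();
  const pass = password.normalize('NFKC');

  // BLAKE2b(context || 0x00 || username), truncated to 16 bytes, replaces the
  // random salt that cannot be communicated before the TLS-PSK handshake.
  const salt = crypto.createHash('blake2b512')
    .update(CONTEXT)
    .update(Buffer.from([0]))
    .update(user)
    .digest()
    .subarray(0, 16);

  // Stand-in for Argon2id: a memory-hard KDF producing the 16-byte key that
  // TLS_PSK_WITH_AES_128_GCM_SHA256 would use as its pre-shared key.
  return crypto.scryptSync(pass, salt, 16, { N: 16384, r: 8, p: 1 });
}

// Constructed sample credentials: the device side and the client side agree.
function demoPsk() {
  const device = derivePsk('Alice', 'correct horse battery staple');
  const client = derivePsk(' alice ', 'correct horse battery staple');
  const other = derivePsk('bob', 'correct horse battery staple');
  return {
    length: device.length,
    sidesAgree: device.equals(client),
    usersDiffer: !device.equals(other),
  };
}
```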

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

Rather than rolling your own crypto scheme from primitives, you should just use TLS in a non-PSK mode to set up a secure connection, and then do auth within that.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Jabor posted:

Rather than rolling your own crypto scheme from primitives, you should just use TLS in a non-PSK mode to set up a secure connection, and then do auth within that.

2nding. Don't invent a sign-in solution: one, there are perfectly good Open Source ones out there waiting for you, and two, inventing your own will just be a painful black hole of lost dev effort.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Inventing it will be great, all dopamine and adrenaline. If you are not planning to immediately leave the job, though, it’s the maintenance burden that should scare you.

RFC2324
Jun 7, 2012

http 418

how many years was the subtitle "don't roll your own crypto"?

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

One year too few, it seems.

horse_ebookmarklet
Oct 6, 2003

can I play too?

To clarify, I am using TLS1.2, have been the entire time. TLS_PSK_WITH_AES_128_GCM_SHA256 is a TLS cipher suite.

I initially tried with TLS_ECDHE_whatever, but it took like 30 seconds+ for the key exchange to occur, just not feasible in a low power, low compute application.
If I shouldn't use PSK because generating the key is 'rolling my own', I am not sure where I should go from here.

What should I be using?

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Sorry, I’m just shitposting. Public key encryption was such a big deal because secure symmetric key distribution is really hard!
