 |
Post AtxgKIXcdTaebGXS9A by [email protected] |
 |
More posts by [email protected] |
|
Post #AtxBcJ2UQUE2mH5F5c by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@GossiTheDog I didn’t get passkeys for a long time. Like. embarrassingly long… |
|
|
|
Post #AtxCiysRt0DsEB8Lb6 by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@GossiTheDog ah yes . Session hijacking comes to mind. |
|
|
|
Post #AtxCrRFcHG6eXm0FSS by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@GossiTheDog Passkeys are the CYA for the Googles of the world by passing the o… |
|
|
|
Post #AtxD0iCIdk6lhzsDcO by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@GossiTheDog I've also been struggling to understand how this is utterly bu… |
|
|
|
Post #AtxE10xeyaizrFjZcO by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@GossiTheDog Please do. |
|
|
|
Post #AtxE5Clb1fYvd85bua by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@wishy @GossiTheDog correct me if I'm wrong, but pin, face id, etc should b… |
|
|
|
Post #AtxEWro2YBXYjLQHK4 by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@pft @wishy @GossiTheDog "Biometrics should be a replacement for the user … |
|
|
|
Post #AtxEXPx5b2ysdFuz9E by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@GossiTheDog Same way as passwords, as far as I'm concerned, since I keep m… |
|
|
|
Post #AtxEtreRIBAGuVtkKu by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@GossiTheDog Please do! I know about the spec but not really how the spec has b… |
|
|
|
Post #AtxFC6ObD9VxquBZAW by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@GossiTheDog I sadly caved into the hype as 1password.com kept pestering, peste… |
|
|
|
Post #AtxFRvmyPmu9aa8NrE by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@GossiTheDog I’m looking forward to it |
|
|
|
Post #AtxFg9bnpW2QVLgutk by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@GossiTheDog How to steal passkeys, when implementation isn't clear:1. Adve… |
|
|
|
Post #AtxG0RHlojUn7VzgKO by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@pft @GossiTheDog My understanding is that Windows Hello have access to the key… |
|
|
|
Post #AtxG0RNRTe25P6eDAW by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@wishy @GossiTheDog theoretically, if the key is in the TPM, then no one has ac… |
|
|
|
Post #AtxG1U8ogZxIGZIwtc by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@pft @GossiTheDog Not really, the TPM doesn't have infinite key storage. Yo… |
|
|
|
Post #AtxG2IY3H1qmbJUoAi by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@wishy @GossiTheDog Aaaaaaaaa! So passkeys are practically only wrapped?"D… |
|
|
|
Post #AtxG2gHD3IdeC1nhFg by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@bontchev @wishy @GossiTheDog where does that come from? |
|
|
|
Post #AtxG3muDtGFZ2iZoVE by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@bontchev @GossiTheDog if you get the chance to have a good passkey implementat… |
|
|
|
Post #AtxGFqEbL9PAqEr8TY by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@GossiTheDog I understand how passkeys work well enough. But I’m not skilled … |
|
|
|
Post #AtxGhVuOVMrHuUbEDg by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@pft @wishy @GossiTheDog Not sure; I read it somewhere and totally agree with i… |
|
|
|
Post #AtxH0ZfijlRd5GpCS0 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@bontchev @wishy @GossiTheDog I'm not sure how it would work. How should my… |
|
|
|
Post #AtxH0Zm6M2Y5P3oIOe by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@pft @wishy @GossiTheDog Well, a true 2FA can be password + biometrics. How is … |
|
|
|
Post #AtxHjdAoZ6ruyVqyBM by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@bontchev @wishy @GossiTheDog it is not. It is only used for authentication on … |
|
|
|
Post #AtxHjdHu8kXXKVAdEW by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@pft @wishy @GossiTheDog Well, I'm sure it doesn't remember your whole … |
|
|
|
Post #AtxHjdNZnf4pc5pA4e by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@bontchev @wishy @GossiTheDog I'm really not familiar with the specificitie… |
|
|
|
Post #AtxHkGtUsumeAO3hk8 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@pft @GossiTheDog Yes and their choice of wording of "help protect" i… |
|
|
|
Post #AtxHkGzsVBt6UB2ngm by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@wishy @GossiTheDog thanks Steve! This is definitely something that I didn'… |
|
|
|
Post #AtxHkH5u8mhymrrc5A by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@pft @GossiTheDog I've got most of my understanding from a system custom en… |
|
|
|
Post #AtxHkPzV3xvuNbw7qi by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@shadowwwind @GossiTheDog My phone doesn't do browsers, web sites, or passk… |
|
|
|
Post #AtxHkRjGbI8VlqMBpA by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@pft @bontchev @GossiTheDog FWIW, I'm talking exclusively about Windows, gi… |
|
|
|
Post #AtxHl8SliVUOJ7y7Zw by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@wishy @bontchev @GossiTheDog I'm also interested in Windows for the time b… |
|
|
|
Post #AtxHtCU8e9fz6ASH8C by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@GossiTheDog I frankly prefer passwords. At least I have control over them and … |
|
|
|
Post #AtxIbL3s7ZwWRIDRgG by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@GossiTheDog |
|
|
|
Post #AtxLGeFxrKONkjhJwm by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@GossiTheDog At some point can be soon. |
|
|
|
Post #AtxLPvtBfeQD2tTGPg by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@GossiTheDog I have been getting increasingly annoyed with the amount of pressu… |
|
|
|
Post #AtxLPw0zCeezR57UZM by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@arazil @GossiTheDog That's primarily my issue with it as well. I want my s… |
|
|
|
Post #AtxLmcTI20ilU1Awt6 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
That'd be interesting to read. Do you mean Apple-style "passkeys are s… |
|
|
|
Post #AtxLuwsI3ZJj4yqCUi by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@nieldk @GossiTheDog this is why I'm mad we got passkeys instead of mTLS |
|
|
|
Post #AtxLuwyffqQBOlpIRM by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@rileywd @GossiTheDog hardware MFA wherever I can |
|
|
|
Post #AtxLuxZBU5d1E0uSLw by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@generalx @GossiTheDog GitHub used to provide a software implementation of a U2… |
|
|
|
Post #AtxLvuCBVFHt3lbQC8 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@wishy @pft @GossiTheDog Anything saying a TPM can store unlimited secrets is p… |
|
|
|
Post #AtxLvuID8q6lMSQEaW by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@david_chisnall @wishy @GossiTheDog that makes sense to me. So in practice when… |
|
|
|
Post #AtxLx4lRh6H47yeb9U by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@shadowwwind @bontchev @GossiTheDog I would never, ever, ever want to store my … |
|
|
|
Post #AtxLxcA3WcZHhrQDaq by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@bontchev that makes a lot of sense with "a thing you know and a thing you… |
|
|
|
Post #AtxMIcIwBhIYERahCS by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@bontchev @pft @wishy @GossiTheDog While a common sentiment, it ultimately misr… |
|
|
|
Post #AtxMbAGYeqhkm5K29Q by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@pft @wishy @GossiTheDog Yup. I believe that's also what a lot of U2F keys… |
|
|
|
Post #AtxR5HVegtGnkC046y by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@GossiTheDog Would love to see the write up. I treat them as passwords. They h… |
|
|
|
Post #AtxRUUrgAoauP7KDwG by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@GossiTheDog Please do! |
|
|
|
Post #AtxU9K9l5k0UyRNSN6 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@rileywd @nieldk @GossiTheDog mTLS definately deserves more love than it gets, … |
|
|
|
Post #AtxUAi9jLb5HhG1eGe by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@david_chisnall @pft @GossiTheDog I know hardware tokens such as the Yubikey wo… |
|
|
|
Post #AtxUAiGSwYTK29B1lY by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@wishy @pft @GossiTheDog Bit Locker is different because it needs to be fast. … |
|
|
|
Post #AtxUCMmvlN300N9OWu by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@USBTypeSTeve @bontchev @GossiTheDog its stored in the phones security chip, ch… |
|
|
|
Post #AtxUEPXkUTMf841Yzw by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@shom @pft @wishy @GossiTheDog Biometrics is "something you are", not… |
|
|
|
Post #AtxUI04N8xMvHWzkfY by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@shom @bontchev @pft @wishy @GossiTheDog Know/have/are has always been a counte… |
|
|
|
Post #AtxULKK6IULqxxwDmi by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@david_chisnall @generalx @GossiTheDog U2F does have an attestation feature. So… |
|
|
|
Post #AtxUQZW3Eq1JX91r28 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@david_chisnall @pft @GossiTheDog Fair to say very few secure enclave techs hav… |
|
|
|
Post #AtxUQrHpATKqeEVkMC by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@david_chisnall @wishy @pft @GossiTheDog That's the original WebAuthN isn&#… |
|
|
|
Post #AtxURdIWfAPvYJCz7A by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@USBTypeSteve @shadowwwind @GossiTheDog Well, better than using your dog's … |
|
|
|
Post #AtxZD46pCFhM8JbmPg by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@todb @GossiTheDog Agreed, I've seen some wild and wacky shiz out there on … |
|
|
|
Post #AtxZEE8PPJkLW4u3sW by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@glent @david_chisnall @GossiTheDog That's why the key, no pun intended, is… |
|
|
|
Post #AtxeYoMwthk3STL56G by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@pauliehedron @GossiTheDog hey, I recognize one of those key chains! @BlueTeamC… |
|
|
|
Post #AtxgFvh9dTBwaLujse by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@tay @nieldk @GossiTheDog could use mTLS as either or both. One hardware bound … |
|
|
|
Post #AtxgKIXcdTaebGXS9A by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@glent @david_chisnall @GossiTheDog (cont'd)We may not care about $site if … |
|
|
|
Post #Atxrdqed7xl3OiLDpQ by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@todb @GossiTheDog partially, we think, ... marketers can get away with that cl… |
|
|
|
Post #Atxrdql0kErViVKJm4 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@todb @GossiTheDog for example, there was a neat post last year which talked ab… |
|
|
|
Post #Atxrdqs6JsX84UdypE by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@ireneista @todb @GossiTheDog Perhaps this was the post https://fy.blackhats.ne… |
|
|
|
Post #Au0pGfRj13V7Xe0I0O by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@GossiTheDog After the Troy Hunt incident I would say that a deeper look into p… |
|
|
|
Post #Au1p08CV35c0xOxOgi by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@todb @GossiTheDogit didn't get the traction it should have, because the pu… |
|
|
|
Post #Au1p08IWggQtG5mD56 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@todb @GossiTheDog except the critique was true, but the marketing terminology … |
|
|
|
Post #Au1p08OYKHFlYmb1TU by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@todb @GossiTheDog broadly speaking we would say that this is an intentional at… |
|
|
|
Post #Au1p08UDzBn3qNFYJc by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@todb @GossiTheDog anyway, we describe all this not to complain but because it&… |
|
|
|
Post #Au1p08aFcmbw944Mi0 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@todb @GossiTheDog for the record: we personally want to see hardware tokens be… |
|
|
|
Post #Au1p08gHGNQoRktB6O by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@todb @GossiTheDog we are also against the stronger forms of manufacturer attes… |
|
|
|
Post #Au1p08lwvHy6jLXhwW by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@todb @GossiTheDog we've become convinced that it's necessary to use th… |
|
|
|
Post #Au1p08tkSICt7XBw6C by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@ireneista @todb @GossiTheDog I think there's a draft definition of passkey… |
|
|
|
Post #Au1p091C0cA5Ucfshc by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@sourcejedi @todb @GossiTheDog sigh good to know, thank you. that is absolutely… |
|
|
|
Post #Au1p097DeCyxnJUh60 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@sourcejedi @todb @GossiTheDog discoverable and resident credentials are two di… |
|
|
|
Post #Au1p0gLu4dKusPcO48 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@sourcejedi @todb @GossiTheDog wow, the definition there calls attention to som… |
|
|
|
Post #Au1p0oZJWeoiMJxD4y by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@todb @GossiTheDog It used to be tied to hardware secure enclaves in security k… |
