Post AtxgKIXcdTaebGXS9A by [email protected]
Post #AtxBcJ2UQUE2mH5F5c by [email protected]
0 likes, 1 repeats
@GossiTheDog I didn’t get passkeys for a long time. Like. embarrassingly long…

Post #AtxCiysRt0DsEB8Lb6 by [email protected]
0 likes, 1 repeats
@GossiTheDog ah yes. Session hijacking comes to mind.

Post #AtxCrRFcHG6eXm0FSS by [email protected]
0 likes, 0 repeats
@GossiTheDog Passkeys are the CYA for the Googles of the world by passing the o…

Post #AtxD0iCIdk6lhzsDcO by [email protected]
0 likes, 0 repeats
@GossiTheDog I've also been struggling to understand how this is utterly bu…

Post #AtxE10xeyaizrFjZcO by [email protected]
0 likes, 0 repeats
@GossiTheDog Please do.

Post #AtxE5Clb1fYvd85bua by [email protected]
0 likes, 0 repeats
@wishy @GossiTheDog correct me if I'm wrong, but pin, face id, etc should b…

Post #AtxEWro2YBXYjLQHK4 by [email protected]
0 likes, 1 repeats
@pft @wishy @GossiTheDog "Biometrics should be a replacement for the user …

Post #AtxEXPx5b2ysdFuz9E by [email protected]
0 likes, 1 repeats
@GossiTheDog Same way as passwords, as far as I'm concerned, since I keep m…

Post #AtxEtreRIBAGuVtkKu by [email protected]
0 likes, 0 repeats
@GossiTheDog Please do! I know about the spec but not really how the spec has b…

Post #AtxFC6ObD9VxquBZAW by [email protected]
0 likes, 0 repeats
@GossiTheDog I sadly caved into the hype as 1password.com kept pestering, peste…

Post #AtxFRvmyPmu9aa8NrE by [email protected]
0 likes, 1 repeats
@GossiTheDog I’m looking forward to it

Post #AtxFg9bnpW2QVLgutk by [email protected]
0 likes, 0 repeats
@GossiTheDog How to steal passkeys, when implementation isn't clear: 1. Adve…

Post #AtxG0RHlojUn7VzgKO by [email protected]
0 likes, 0 repeats
@pft @GossiTheDog My understanding is that Windows Hello have access to the key…

Post #AtxG0RNRTe25P6eDAW by [email protected]
0 likes, 0 repeats
@wishy @GossiTheDog theoretically, if the key is in the TPM, then no one has ac…

Post #AtxG1U8ogZxIGZIwtc by [email protected]
0 likes, 0 repeats
@pft @GossiTheDog Not really, the TPM doesn't have infinite key storage. Yo…

Post #AtxG2IY3H1qmbJUoAi by [email protected]
0 likes, 0 repeats
@wishy @GossiTheDog Aaaaaaaaa! So passkeys are practically only wrapped? "D…

Post #AtxG2gHD3IdeC1nhFg by [email protected]
0 likes, 0 repeats
@bontchev @wishy @GossiTheDog where does that come from?

Post #AtxG3muDtGFZ2iZoVE by [email protected]
0 likes, 0 repeats
@bontchev @GossiTheDog if you get the chance to have a good passkey implementat…

Post #AtxGFqEbL9PAqEr8TY by [email protected]
0 likes, 0 repeats
@GossiTheDog I understand how passkeys work well enough. But I’m not skilled …

Post #AtxGhVuOVMrHuUbEDg by [email protected]
0 likes, 1 repeats
@pft @wishy @GossiTheDog Not sure; I read it somewhere and totally agree with i…

Post #AtxH0ZfijlRd5GpCS0 by [email protected]
0 likes, 0 repeats
@bontchev @wishy @GossiTheDog I'm not sure how it would work. How should my…

Post #AtxH0Zm6M2Y5P3oIOe by [email protected]
0 likes, 1 repeats
@pft @wishy @GossiTheDog Well, a true 2FA can be password + biometrics. How is …

Post #AtxHjdAoZ6ruyVqyBM by [email protected]
0 likes, 0 repeats
@bontchev @wishy @GossiTheDog it is not. It is only used for authentication on …

Post #AtxHjdHu8kXXKVAdEW by [email protected]
0 likes, 0 repeats
@pft @wishy @GossiTheDog Well, I'm sure it doesn't remember your whole …

Post #AtxHjdNZnf4pc5pA4e by [email protected]
0 likes, 0 repeats
@bontchev @wishy @GossiTheDog I'm really not familiar with the specificitie…

Post #AtxHkGtUsumeAO3hk8 by [email protected]
0 likes, 0 repeats
@pft @GossiTheDog Yes and their choice of wording of "help protect" i…

Post #AtxHkGzsVBt6UB2ngm by [email protected]
0 likes, 0 repeats
@wishy @GossiTheDog thanks Steve! This is definitely something that I didn'…

Post #AtxHkH5u8mhymrrc5A by [email protected]
0 likes, 0 repeats
@pft @GossiTheDog I've got most of my understanding from a system custom en…

Post #AtxHkPzV3xvuNbw7qi by [email protected]
0 likes, 0 repeats
@shadowwwind @GossiTheDog My phone doesn't do browsers, web sites, or passk…

Post #AtxHkRjGbI8VlqMBpA by [email protected]
0 likes, 0 repeats
@pft @bontchev @GossiTheDog FWIW, I'm talking exclusively about Windows, gi…

Post #AtxHl8SliVUOJ7y7Zw by [email protected]
0 likes, 0 repeats
@wishy @bontchev @GossiTheDog I'm also interested in Windows for the time b…

Post #AtxHtCU8e9fz6ASH8C by [email protected]
0 likes, 0 repeats
@GossiTheDog I frankly prefer passwords. At least I have control over them and …

Post #AtxIbL3s7ZwWRIDRgG by [email protected]
0 likes, 1 repeats
@GossiTheDog

Post #AtxLGeFxrKONkjhJwm by [email protected]
0 likes, 1 repeats
@GossiTheDog At some point can be soon.

Post #AtxLPvtBfeQD2tTGPg by [email protected]
0 likes, 0 repeats
@GossiTheDog I have been getting increasingly annoyed with the amount of pressu…

Post #AtxLPw0zCeezR57UZM by [email protected]
0 likes, 1 repeats
@arazil @GossiTheDog That's primarily my issue with it as well. I want my s…

Post #AtxLmcTI20ilU1Awt6 by [email protected]
0 likes, 0 repeats
That'd be interesting to read. Do you mean Apple-style "passkeys are s…

Post #AtxLuwsI3ZJj4yqCUi by [email protected]
0 likes, 0 repeats
@nieldk @GossiTheDog this is why I'm mad we got passkeys instead of mTLS

Post #AtxLuwyffqQBOlpIRM by [email protected]
0 likes, 0 repeats
@rileywd @GossiTheDog hardware MFA wherever I can

Post #AtxLuxZBU5d1E0uSLw by [email protected]
0 likes, 0 repeats
@generalx @GossiTheDog GitHub used to provide a software implementation of a U2…

Post #AtxLvuCBVFHt3lbQC8 by [email protected]
0 likes, 0 repeats
@wishy @pft @GossiTheDog Anything saying a TPM can store unlimited secrets is p…

Post #AtxLvuID8q6lMSQEaW by [email protected]
0 likes, 0 repeats
@david_chisnall @wishy @GossiTheDog that makes sense to me. So in practice when…

Post #AtxLx4lRh6H47yeb9U by [email protected]
0 likes, 0 repeats
@shadowwwind @bontchev @GossiTheDog I would never, ever, ever want to store my …

Post #AtxLxcA3WcZHhrQDaq by [email protected]
0 likes, 0 repeats
@bontchev that makes a lot of sense with "a thing you know and a thing you…

Post #AtxMIcIwBhIYERahCS by [email protected]
0 likes, 1 repeats
@bontchev @pft @wishy @GossiTheDog While a common sentiment, it ultimately misr…

Post #AtxMbAGYeqhkm5K29Q by [email protected]
0 likes, 1 repeats
@pft @wishy @GossiTheDog Yup. I believe that's also what a lot of U2F keys…

Post #AtxR5HVegtGnkC046y by [email protected]
0 likes, 0 repeats
@GossiTheDog Would love to see the write up. I treat them as passwords. They h…

Post #AtxRUUrgAoauP7KDwG by [email protected]
0 likes, 0 repeats
@GossiTheDog Please do!

Post #AtxU9K9l5k0UyRNSN6 by [email protected]
0 likes, 0 repeats
@rileywd @nieldk @GossiTheDog mTLS definitely deserves more love than it gets, …

Post #AtxUAi9jLb5HhG1eGe by [email protected]
0 likes, 0 repeats
@david_chisnall @pft @GossiTheDog I know hardware tokens such as the Yubikey wo…

Post #AtxUAiGSwYTK29B1lY by [email protected]
0 likes, 0 repeats
@wishy @pft @GossiTheDog Bit Locker is different because it needs to be fast. …

Post #AtxUCMmvlN300N9OWu by [email protected]
0 likes, 0 repeats
@USBTypeSTeve @bontchev @GossiTheDog its stored in the phones security chip, ch…

Post #AtxUEPXkUTMf841Yzw by [email protected]
0 likes, 0 repeats
@shom @pft @wishy @GossiTheDog Biometrics is "something you are", not…

Post #AtxUI04N8xMvHWzkfY by [email protected]
0 likes, 0 repeats
@shom @bontchev @pft @wishy @GossiTheDog Know/have/are has always been a counte…

Post #AtxULKK6IULqxxwDmi by [email protected]
0 likes, 0 repeats
@david_chisnall @generalx @GossiTheDog U2F does have an attestation feature. So…

Post #AtxUQZW3Eq1JX91r28 by [email protected]
0 likes, 0 repeats
@david_chisnall @pft @GossiTheDog Fair to say very few secure enclave techs hav…

Post #AtxUQrHpATKqeEVkMC by [email protected]
0 likes, 0 repeats
@david_chisnall @wishy @pft @GossiTheDog That's the original WebAuthN isn…

Post #AtxURdIWfAPvYJCz7A by [email protected]
0 likes, 0 repeats
@USBTypeSteve @shadowwwind @GossiTheDog Well, better than using your dog's …

Post #AtxZD46pCFhM8JbmPg by [email protected]
0 likes, 0 repeats
@todb @GossiTheDog Agreed, I've seen some wild and wacky shiz out there on …

Post #AtxZEE8PPJkLW4u3sW by [email protected]
0 likes, 0 repeats
@glent @david_chisnall @GossiTheDog That's why the key, no pun intended, is…

Post #AtxeYoMwthk3STL56G by [email protected]
0 likes, 1 repeats
@pauliehedron @GossiTheDog hey, I recognize one of those key chains! @BlueTeamC…

Post #AtxgFvh9dTBwaLujse by [email protected]
0 likes, 0 repeats
@tay @nieldk @GossiTheDog could use mTLS as either or both. One hardware bound …

Post #AtxgKIXcdTaebGXS9A by [email protected]
0 likes, 0 repeats
@glent @david_chisnall @GossiTheDog (cont'd) We may not care about $site if …

Post #Atxrdqed7xl3OiLDpQ by [email protected]
0 likes, 0 repeats
@todb @GossiTheDog partially, we think, ... marketers can get away with that cl…

Post #Atxrdql0kErViVKJm4 by [email protected]
0 likes, 0 repeats
@todb @GossiTheDog for example, there was a neat post last year which talked ab…

Post #Atxrdqs6JsX84UdypE by [email protected]
0 likes, 1 repeats
@ireneista @todb @GossiTheDog Perhaps this was the post https://fy.blackhats.ne…

Post #Au0pGfRj13V7Xe0I0O by [email protected]
0 likes, 1 repeats
@GossiTheDog After the Troy Hunt incident I would say that a deeper look into p…

Post #Au1p08CV35c0xOxOgi by [email protected]
0 likes, 0 repeats
@todb @GossiTheDog it didn't get the traction it should have, because the pu…

Post #Au1p08IWggQtG5mD56 by [email protected]
0 likes, 0 repeats
@todb @GossiTheDog except the critique was true, but the marketing terminology …

Post #Au1p08OYKHFlYmb1TU by [email protected]
0 likes, 0 repeats
@todb @GossiTheDog broadly speaking we would say that this is an intentional at…

Post #Au1p08UDzBn3qNFYJc by [email protected]
0 likes, 0 repeats
@todb @GossiTheDog anyway, we describe all this not to complain but because it…

Post #Au1p08aFcmbw944Mi0 by [email protected]
0 likes, 0 repeats
@todb @GossiTheDog for the record: we personally want to see hardware tokens be…

Post #Au1p08gHGNQoRktB6O by [email protected]
0 likes, 0 repeats
@todb @GossiTheDog we are also against the stronger forms of manufacturer attes…

Post #Au1p08lwvHy6jLXhwW by [email protected]
0 likes, 0 repeats
@todb @GossiTheDog we've become convinced that it's necessary to use th…

Post #Au1p08tkSICt7XBw6C by [email protected]
0 likes, 0 repeats
@ireneista @todb @GossiTheDog I think there's a draft definition of passkey…

Post #Au1p091C0cA5Ucfshc by [email protected]
0 likes, 0 repeats
@sourcejedi @todb @GossiTheDog sigh good to know, thank you. that is absolutely…

Post #Au1p097DeCyxnJUh60 by [email protected]
0 likes, 0 repeats
@sourcejedi @todb @GossiTheDog discoverable and resident credentials are two di…

Post #Au1p0gLu4dKusPcO48 by [email protected]
0 likes, 0 repeats
@sourcejedi @todb @GossiTheDog wow, the definition there calls attention to som…

Post #Au1p0oZJWeoiMJxD4y by [email protected]
0 likes, 0 repeats
@todb @GossiTheDog It used to be tied to hardware secure enclaves in security k…