<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> please imagine a real person without PTSD hypervigilance using a password manager</p><p>1/2</p>
<p><span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> you can install <a href="https://keepassxc.org/" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="">keepassxc.org/</span><span class="invisible"></span></a> and its browser extension and use it as both a normal password manager, and passkey manager</p><p>you can sync the password database between multiple devices</p><p>it works fine</p><p>the AOSP version i build for myself doesn&#39;t have a system-wide passkey API but i think if you run a normal firmware it works on android too</p>
<p><span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> i actively avoid using stuff like yubikeys for this exact reason and i still use passkeys because they do not share this flaw</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> </p><p>&gt; if the user has a PTSD level of hypervigilance</p><p>oh hey this describes me (literally)</p>
<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> i said nothing about a separate device</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> +1 </p><p>// I was wary of passkeys because of the hype by Big companies (never a good sign, as we can see now that it&#39;s been a while) - however I am satisfied with the solution via keepassx + firefox + syncthing. Works on all my machines on the sites where I&#39;ve set it up.</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> yes. the key detail here is that the PKI involved *includes the domain of the site* so phishing goes from &quot;mild difficulty if the user has a PTSD level of hypervigilance, easy if they&#39;re not really paying attention&quot; to &quot;physically impossible without local code execution or device theft&quot;. the differences are huge. the difference is big enough that the FTC has occasionally given it the force of law: <a href="https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/02/security-principles-addressing-underlying-causes-risk-complex-systems#_ftnref6" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://www.</span><span class="ellipsis">ftc.gov/policy/advocacy-resear</span><span class="invisible">ch/tech-at-ftc/2023/02/security-principles-addressing-underlying-causes-risk-complex-systems#_ftnref6</span></a></p>
<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> PKI-based authentication is strictly better than what you&#39;re suggesting since you can no longer steal a credential (other than from the password manager), no matter what happens with the browser or the website</p>
<p><span class="h-card" translate="no"><a href="https://mk.absturztau.be/@niconiconi" class="u-url mention">@<span>niconiconi</span></a></span> oh nice, just found out about your ISOUSB211 isolator board</p>