<p><span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> </p><p>&gt; if the user has a PTSD level of hypervigilance</p><p>oh hey this describes me (literally)</p>
<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> i said nothing about a separate device</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> +1 </p><p>// I was wary of passkeys because of the hype by Big companies (never a good sign, as we can see now that it&#39;s been a while) - however I am satisfied with the solution via keepassx + firefox + syncthing. Works on all my machines on the sites where I&#39;ve set it up.</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> yes. the key detail here is that the PKI involved *includes the domain of the site* so phishing goes from &quot;mild difficulty if the user has a PTSD level of hypervigilance, easy if they&#39;re not really paying attention&quot; to &quot;physically impossible without local code execution or device theft&quot;. the differences are huge. the difference is big enough that the FTC has occasionally given it the force of law: <a href="https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/02/security-principles-addressing-underlying-causes-risk-complex-systems#_ftnref6" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://www.</span><span class="ellipsis">ftc.gov/policy/advocacy-resear</span><span class="invisible">ch/tech-at-ftc/2023/02/security-principles-addressing-underlying-causes-risk-complex-systems#_ftnref6</span></a></p>
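<p>An added example, not part of the thread: the relying-party-side checks that tie a passkey assertion to the site's domain. The names bank.example and bank-example.login.test, the challenge string and both function names are constructed for illustration; verifying the signature over authenticatorData || SHA-256(clientDataJSON) is assumed to happen separately and is what keeps these fields from being altered in transit.</p>

```python
import hashlib
import json
import struct

EXPECTED_RP_ID = "bank.example"           # constructed relying party ID
EXPECTED_ORIGIN = "https://bank.example"  # constructed origin the server accepts


def make_assertion(origin, rp_id, challenge):
    """Constructed sample of the two signed structures in a WebAuthn assertion."""
    # clientDataJSON: written by the browser, which records the page's real origin
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    # authenticatorData: SHA-256(rpId) || flags (0x01 = user present) || sign counter
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([0x01]) + struct.pack(">I", 7))
    return client_data, auth_data


def check_binding(client_data, auth_data, expected_challenge):
    """Return the names of failed binding checks; an empty list means all passed."""
    failures = []
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        failures.append("type")
    if cd.get("challenge") != expected_challenge:
        failures.append("challenge")
    if cd.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")
    expected_hash = hashlib.sha256(EXPECTED_RP_ID.encode()).digest()
    if len(auth_data) < 37 or auth_data[:32] != expected_hash:
        failures.append("rpIdHash")
    elif not auth_data[32] & 0x01:
        failures.append("userPresent")
    return failures


if __name__ == "__main__":
    challenge = "c29tZS1jaGFsbGVuZ2U"  # constructed base64url challenge
    good = make_assertion(EXPECTED_ORIGIN, EXPECTED_RP_ID, challenge)
    # An assertion produced on a lookalike page carries that page's origin and RP ID
    lookalike = make_assertion("https://bank-example.login.test",
                               "bank-example.login.test", challenge)
    print(check_binding(*good, challenge))
    print(check_binding(*lookalike, challenge))
```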
<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> PKI-based authentication is strictly better than what you&#39;re suggesting since you can no longer steal a credential (other than from the password manager), no matter what happens with the browser or the website</p>
<p><span class="h-card" translate="no"><a href="https://mk.absturztau.be/@niconiconi" class="u-url mention">@<span>niconiconi</span></a></span> oh nice, just found out about your ISOUSB211 isolator board</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> i am using a password manager with a browser extension that lets me do passkey logins in most places i&#39;ve tried to do them</p><p>keepassx stores them in the password database, like everything else it stores</p><p>it&#39;s a normal file</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> ok this doesn&#39;t work for one of my use cases. I may be setting this up sooner or later with [other tool] for the machines where it works tho</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> I&#39;m not really clear on what &quot;non-vendor-locked&quot; means here, but it sounds like people aren&#39;t paying attention to an extremely stupid corner of the spec, so: great</p>