Whole-known-network
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> </p><p>> if the user has a PTSD level of hypervigilance</p><p>oh hey this describes me (literally)</p>
<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> i said nothing about a separate device</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> +1 </p><p>// I was wary of passkeys because of the hype by Big companies (never a good sign, as we can see now that it's been a while) - however I am satisfied with the solution via keepassx + firefox + syncthing. Works on all my machines on the sites where I've set it up.</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> yes. the key detail here is that the PKI involved *includes the domain of the site* so phishing goes from "mild difficulty if the user has a PTSD level of hypervigilance, easy if they're not really paying attention" to "physically impossible without local code execution or device theft". the differences are huge. the difference is big enough that the FTC has occasionally given it the force of law: <a href="https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/02/security-principles-addressing-underlying-causes-risk-complex-systems#_ftnref6" target="_blank" rel="nofollow noopener" translate="no">https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/02/security-principles-addressing-underlying-causes-risk-complex-systems#_ftnref6</a></p>
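<p>The domain binding the post above describes, as an added example that is not code from any post in this thread and not a WebAuthn library: a simplified model of a passkey assertion in Go. The authenticator scopes each credential to a relying-party ID (the site's domain), the browser (not page script) derives that ID from the page origin and writes the origin into the client data, and the signature covers both the rpID hash and the client data, so the relying party can check all of them. Names such as <code>BrowserGet</code>, <code>RelyingParty.Verify</code> and <code>Scenarios</code> are this example's own; the origins <code>example.com</code> and <code>examp1e.com</code> are constructed sample values, and real authenticatorData, CBOR/COSE encodings and counters are omitted.</p>

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// clientData keeps only the CollectedClientData fields this model needs.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator holds private keys keyed by rpID: a credential made for
// "example.com" is never offered to any other domain.
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a P-256 key pair scoped to rpID; the RP stores the public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

type Assertion struct{ AuthenticatorData, ClientDataJSON, Signature []byte }

// signedMessage is what WebAuthn signs: authenticatorData || SHA256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Assert signs with the credential scoped to rpID, or refuses if none exists.
func (a *Authenticator) Assert(rpID string, clientDataJSON []byte) (*Assertion, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential scoped to %q", rpID)
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01) // simplified authenticatorData: rpIdHash + "user present" flag
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, clientDataJSON))
	if err != nil {
		return nil, err
	}
	return &Assertion{authData, clientDataJSON, sig}, nil
}

// BrowserGet models navigator.credentials.get(): the browser derives rpID from
// the origin of the page that is actually open and fills in clientData.origin itself.
func BrowserGet(auth *Authenticator, pageOrigin, challenge string) (*Assertion, error) {
	u, err := url.Parse(pageOrigin)
	if err != nil {
		return nil, err
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	return auth.Assert(u.Hostname(), cd)
}

type RelyingParty struct {
	ID, Origin string // e.g. "example.com", "https://example.com"
	PubKey     *ecdsa.PublicKey
}

// Verify checks ceremony type, challenge (anti-replay), origin, rpIdHash and the signature.
func (rp RelyingParty) Verify(as *Assertion, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.Origin)
	}
	want := sha256.Sum256([]byte(rp.ID))
	if len(as.AuthenticatorData) < 32 || !bytes.Equal(as.AuthenticatorData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(rp.PubKey, signedMessage(as.AuthenticatorData, as.ClientDataJSON), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	return base64.RawURLEncoding.EncodeToString(b)
}

// Scenarios runs three logins against one RP: an honest one, one from a
// look-alike domain, and a captured assertion whose clientData was rewritten.
func Scenarios() (legit, lookalike, tampered error) {
	auth := NewAuthenticator()
	pub, err := auth.Register("example.com")
	if err != nil {
		return err, err, err
	}
	rp := RelyingParty{ID: "example.com", Origin: "https://example.com", PubKey: pub}
	ch := NewChallenge()
	as, err := BrowserGet(auth, "https://example.com", ch)
	if err != nil {
		return err, err, err
	}
	legit = rp.Verify(as, ch)
	// Look-alike domain: the browser derives rpID "examp1e.com", which has no credential.
	_, lookalike = BrowserGet(auth, "https://examp1e.com", NewChallenge())
	// Captured assertion with clientData rewritten for a fresh challenge: signature no longer matches.
	fresh := NewChallenge()
	edited := *as
	edited.ClientDataJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: fresh, Origin: rp.Origin})
	tampered = rp.Verify(&edited, fresh)
	return
}

func main() {
	legit, lookalike, tampered := Scenarios()
	fmt.Println("honest login:", legit)
	fmt.Println("look-alike domain:", lookalike)
	fmt.Println("rewritten clientData:", tampered)
}
```

<p>The point the post makes shows up in two places: the look-alike domain never gets an assertion at all because the credential is scoped to the real rpID, and even an assertion obtained from the real site cannot be reused with different client data because the signature covers it.</p>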
<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> PKI-based authentication is strictly better than what you're suggesting since you can no longer steal a credential (other than from the password manager), no matter what happens with the browser or the website</p>
<p><span class="h-card" translate="no"><a href="https://mk.absturztau.be/@niconiconi" class="u-url mention">@<span>niconiconi</span></a></span> oh nice, just found out about your ISOUSB211 isolator board</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> i am using a password manager with a browser extension that lets me do passkey logins in most places i've tried to do them</p><p>keepassx stores them in the password database, like everything else it stores</p><p>it's a normal file</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> ok this doesn't work for one of my use cases. I may be setting this up sooner or later with [other tool] for the machines where it works tho</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> I'm not really clear on what "non-vendor-locked" means here, but it sounds like people aren't paying attention to an extremely stupid corner of the spec, so: great</p>