@rmondello here’s a #passkey question I can’t find an answer to: how can you use them with devices that you don’t have a password manager on, or that you aren’t logged into? For instance smart TVs, or if I need to log in to something on my kid’s iPad?
passkey
Update verfügbar: #40 - #Passkey instead of #Passwort – what is behind it?
with Ute Lange & Michael Münz
Services and websites are increasingly offering a login without a password. The new technology is called passkey and is particularly convenient. The special part: you do not have to remember long passwords, because #Authentisierung (authentication) is based on a cryptographic method. In the background, two digital keys are generated that work together: one stays with you, the second is held by the service provider. At every login, challenges are created that can only be solved with your secret key. This proves unambiguously that it is you logging in. Since the personal username and password are no longer needed, your account is also particularly well protected against #Phishing attacks.
Stefan Becker, head of the Cyber Security for Business section at the #BSI, explains clearly how passkeys work ....
Episode website: https://update-verfuegbar.podigee.io/43-passkey
Media file: https://audio.podigee-cdn.net/1385428-m-4e09c3acaef6cc1baf40f5f5ef659476.mp3?source=feed
#Google rolls out automatic #passkey syncing via Password Manager
https://techcrunch.com/2024/09/19/google-rolls-out-automatic-passkey-syncing-via-password-manager/
Is this the first major iPhone release since passkeys have started becoming more widely adopted?
If you are moving from Android to iPhone this week, you may want to check all the consumer services you registered a passkey in Google Password Manager for before you wipe or trade in your phone. You will need to re-register a passkey on your iPhone using Apple Passwords.
Can you see them in the web browser for your Google account at least if you already traded it in and don’t have another android device?
Syncable passkeys are not currently transferable across passkey ecosystems so you have to register passkeys again if switching ecosystems.
If you are using device-bound passkeys via Microsoft Entra, you will need to re-register on your new device.
If you value your Google Account, do not set up a passkey.
The problem with a Passkey is it is tied to your hardware, and so if you wipe your phone, Google will tell you that you cannot have them call you for 2-step because you already have a "more secure method" available. But since you have wiped your phone, the passkey it seeks is gone.
If I was not signed in elsewhere and able to remove the passkey from the account, I would be locked out.
It would not have been a big deal, since I only created a dummy account with nothing of value. But I am unsure how many dummy accounts Google would let me create, so I would rather not generate a new one.
#Google #Passkey #Security #GrapheneOS
New post on the importance of minimizing conditional UI latency in #webauthn
tl;dr
* embed all the javascript necessary to fire the conditional UI request on your html
* don't wait on network requests
* don't cringe
I don't know who needs to hear this, but put an AirTag on that key ring of FIDO2 security keys you have.
Here's a taste of a blog post I'm going to publish soon, trying to bring about some simplification and understanding around passkeys compared to YubiKeys.
#fido #fido2 #webauthn #passkey #passkeys #yubikey #yubikeys #passwordless #auth #authentication #okta #identity #infosec #security
#Google expands #passkey support to its #AdvancedProtectionProgram ahead of the #US presidential #election
Do you recommend using passkey if you are already using a yubikey or some other similar tool? I asked Google Gemini AI and here was what it said:
Yes, I generally recommend using Passkeys in addition to your YubiKey, even if you're already an active YubiKey user. Here's why:
**1. Enhanced Security:** Passkeys add a significant layer of security on top of your YubiKey. They are tied directly to your device and website/app and resist phishing attacks far better than passwords. This extra layer makes compromising your accounts significantly harder.
**2. Improved Convenience:** Passkeys can streamline logins. Instead of manually entering a password or even plugging in your YubiKey, Passkeys can often provide a near-seamless login with biometric recognition (face or fingerprint).
**3. Future-proofing:** Passkeys represent the direction passwordless authentication is heading. As adoption increases, you'll benefit from smoother login experiences on more and more platforms.
**4. YubiKey as a Backup:** Your YubiKey still plays a vital role as a secure backup if:
* Your primary device with Passkeys is unavailable or malfunctioning.
* A website or app doesn't yet support Passkeys.
**Considerations:**
* **Compatibility:** Passkeys are still in their growth phase. Check that your devices and the websites/apps you use frequently support them.
* **Education:** Take some time to understand how Passkeys work, their differences from passwords, and how to set them up and manage them.
**Overall:** Passkeys and hardware security keys like YubiKeys work best in tandem, offering a strong balance of security and convenience.
Let me know if you'd like more details on setting up Passkeys or would like resources for learning more!
-----
Do you agree with this creepy AI?
#opsec #infosec #security #privacy #gemini #google #passkey #yubikey
New post on choosing the right `timeout` value in #WebAuthn!
tl;dr
* design your challenge-response protocol to allow for a very long value
* whatever you do, don't leave it to the default value
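Added example, not code from either post: the conditional UI post above (embed the request, fire it without waiting on the network) and this timeout post together describe one client-side pattern. It assumes the relying party renders the WebAuthn request options into a `<script type="application/json" id="webauthn-options">` element (an assumed convention), and the embedded values below are constructed sample data.

```javascript
// Added example (not the original posts' code): the relying party embeds the
// WebAuthn request options in the HTML itself, and the page starts the
// conditional-UI request on load with no fetch() in the critical path.
// Assumed: a <script type="application/json" id="webauthn-options"> element.

// Constructed sample of what the server would embed (challenge is a
// server-generated random value; here a fixed 16-byte placeholder, base64url).
const EMBEDDED_OPTIONS_JSON = JSON.stringify({
  challenge: "AQIDBAUGBwgJCgsMDQ4PEA",
  rpId: "example.com",
  userVerification: "preferred",
  timeout: 600000, // 10 minutes: a long, explicit value, never the default
});

function decodeBase64Url(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bin = atob(padded);
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out;
}

// Turn the embedded JSON into a PublicKeyCredentialRequestOptions object.
function toPublicKeyRequest(json) {
  const o = JSON.parse(json);
  if (typeof o.timeout !== "number") throw new Error("timeout must be set explicitly");
  return {
    challenge: decodeBase64Url(o.challenge),
    rpId: o.rpId,
    userVerification: o.userVerification,
    timeout: o.timeout,
    allowCredentials: [], // empty: let the authenticator offer discoverable credentials
  };
}

// credentialsApi is navigator.credentials in the browser; injectable for tests.
async function startConditionalUi(credentialsApi, publicKey) {
  // Nothing is awaited before this call: the options came from the HTML.
  return credentialsApi.get({ mediation: "conditional", publicKey });
}

// Browser entry point, guarded so the module also loads outside a browser.
if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  const el = document.getElementById("webauthn-options");
  startConditionalUi(navigator.credentials, toPublicKeyRequest(el.textContent))
    .then((cred) => console.log("assertion ready", cred.id))
    .catch((err) => console.error("conditional UI failed", err));
}
```

The assertion returned by the authenticator is then posted to the server as usual; only that later step needs the network.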
Bitwarden strengthens its #passkey development toolkit to help accelerate modern workforce authentication. Get started today: https://bitwarden.com/blog/enabling-enterprises-to-build-modern-passkey-authentication/
NEW: The death of the password is really upon us. I spent the last month trying to ditch my passwords for passkeys, the more secure replacement.
The result: passkeys are great. But the user experience of setting them up and using them across multiple devices still needs some work
https://www.wired.com/story/stopped-using-passwords-passkeys/ #password #passkey #tech #privacy #technology
#passkey login really needs to be more consistent across applications. @bitwarden wants the master password after login with #Passkeys - what's the passkey for, then???
#PayPal asks for a TOTP after logging in with my passkey.
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #38/2023 is out! It includes the following and much more:
➝ 🔓 ❌ TransUnion Denies #Breach After Hacker Publishes Allegedly Stolen Data
➝ 🔓 ⚖️ Hackers breached International Criminal Court’s systems last week
➝ 🔓 🤖 #Microsoft #AI researchers accidentally exposed terabytes of internal sensitive data
➝ 🦠 💸 #BlackCat #ransomware hits #Azure Storage with #Sphynx encryptor
➝ 🇮🇷 🇮🇱 Iranian Nation-State Actor OilRig Targets Israeli Organizations
➝ 🇮🇳 #India's biggest tech centers named as #cybercrime hotspots
➝ 🇫🇮 💊 Finnish Authorities Dismantle Notorious #PIILOPUOTI Dark Web Drug Marketplace
➝ 🇨🇦 🇷🇺 Canadian Government Targeted With #DDoS Attacks by Pro-#Russia Group
➝ 🇨🇳 🇺🇸 #China Accuses U.S. of Decade-Long #Cyberespionage Campaign Against #Huawei Servers
➝ 🇺🇸 🇨🇳 China's Malicious Cyber Activity Informing War Preparations, #Pentagon Says
➝ 🇨🇳 🦠 New #SprySOCKS Linux #malware used in cyber espionage attacks
➝ 🇬🇧 🔐 UK Minister Warns #Meta Over End-to-End Encryption
➝ 🇺🇸 🇷🇺 One of the #FBI’s most wanted hackers is trolling the U.S. government
➝ 🦠 🥸 Fake #WinRAR proof-of-concept exploit drops #VenomRAT malware
➝ 🦠 📈 #P2PInfect botnet activity surges 600x with stealthier malware variants
➝ 🦠 📡 Hackers backdoor #telecom providers with new HTTPSnoop malware
➝ 🦠 🐝 #Bumblebee malware returns in new attacks abusing #WebDAV folders
➝ 🔐 #GitHub launches #passkey support into general availability
➝ ☑️ 🐧 Free Download Manager releases script to check for #Linux malware
➝ 💬 🔐 #Signal adds quantum-resistant encryption to its #E2EE messaging protocol
➝ 🍏 🔐 #iOS 17 includes these new security and #privacy features
➝ 🩹 High-Severity Flaws Uncovered in #Atlassian Products and ISC BIND Server
➝ 🩹 😡 Incomplete disclosures by #Apple and #Google create “huge blindspot” for 0-day hunters
➝ 🍏 🩹 Apple emergency updates fix 3 new zero-days exploited in attacks
➝ 🩹 #TrendMicro fixes #endpoint protection zero-day used in attacks
➝ 🩹 #Fortinet Patches High-Severity #Vulnerabilities in FortiOS, FortiProxy, FortiWeb Products
➝ 🔓 Nearly 12,000 #Juniper #Firewalls Found Vulnerable to Recently Disclosed RCE Vulnerability
📚 This week's recommended reading is: "Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It" by Marc Goodman
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
https://infosec-mashup.santolaria.net/p/infosec-mashup-week-382023