Veganism Social

Чарлз **Монтгомері** Бернс :flow:Anyone familiar with <a href="https://infosec.exchange/tags/FIDO2" class="mention hashtag" rel="nofollow noopener" target="_blank">#FIDO2</a> / <a href="https://infosec.exchange/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passkeys</a> could you please <a href="https://infosec.exchange/tags/help" class="mention hashtag" rel="nofollow noopener" target="_blank">#help</a> me here?Accoding to Yubico docs on Passkey, the client/client device uses <a href="https://infosec.exchange/tags/CTAP2" class="mention hashtag" rel="nofollow noopener" target="_blank">#CTAP2</a> to communicate with platform authenticators. This sounds a bit strange to me, aren't there internal APIs on the platform that are called here? Isn't CTAP2 exclusive to <a href="https://infosec.exchange/tags/roaming" class="mention hashtag" rel="nofollow noopener" target="_blank">#roaming</a> authenticators?<a href="https://infosec.exchange/tags/advice" class="mention hashtag" rel="nofollow noopener" target="_blank">#advice</a> <a href="https://infosec.exchange/tags/thaks" class="mention hashtag" rel="nofollow noopener" target="_blank">#thaks</a> <a href="https://developers.yubico.com/Developer_Program/WebAuthn_Starter_Kit/Platform_and_Roaming_Authenticators.html" rel="nofollow noopener" translate="no" target="_blank">https://developers.yubico.com/Developer_Program/WebAuthn_Starter_Kit/Platform_and_Roaming_Authenticators.html</a>

0xKaishakunin<a href="https://mastodon.social/tags/Google" class="mention hashtag" rel="nofollow noopener" target="_blank">#Google</a> <a href="https://mastodon.social/tags/Password" class="mention hashtag" rel="nofollow noopener" target="_blank">#Password</a> Manager for <a href="https://mastodon.social/tags/Android" class="mention hashtag" rel="nofollow noopener" target="_blank">#Android</a> will automatically upgrade your passwords to <a href="https://mastodon.social/tags/FIDO2" class="mention hashtag" rel="nofollow noopener" target="_blank">#FIDO2</a> <a href="https://mastodon.social/tags/passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#passkeys</a> Already seen on Google Play Services beta (25.19.31)The upgrades use the <a href="https://mastodon.social/tags/WebAuthn" class="mention hashtag" rel="nofollow noopener" target="_blank">#WebAuthn</a> conditional registration extension, which has to be supported by the relying party<a href="https://www.androidpolice.com/google-may-auto-convert-passwords-to-passkeys-on-android/" rel="nofollow noopener" translate="no" target="_blank">https://www.androidpolice.com/google-may-auto-convert-passwords-to-passkeys-on-android/</a>

S1mVery happy to finally be able to use my yubikeys on my phone (GrapheneOS, without Play services) 🤗Most of the pieces were already there, it only missed to be assembled into a Credential Provider, which is finally done with <a href="https://codeberg.org/s1m/hw-fido2-provider" rel="nofollow noopener" target="_blank">HW Fido2 Provider</a><a href="https://infosec.exchange/tags/fido2" class="mention hashtag" rel="nofollow noopener" target="_blank">#fido2</a> <a href="https://infosec.exchange/tags/passkey" class="mention hashtag" rel="nofollow noopener" target="_blank">#passkey</a> <a href="https://infosec.exchange/tags/yubikey" class="mention hashtag" rel="nofollow noopener" target="_blank">#yubikey</a> <a href="https://infosec.exchange/tags/android" class="mention hashtag" rel="nofollow noopener" target="_blank">#android</a>

David NelsonDid you know you can manage resident <a href="https://mastodon.social/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passkeys</a> on your <a href="https://mastodon.social/tags/YubiKey" class="mention hashtag" rel="nofollow noopener" target="_blank">#YubiKey</a> or other <a href="https://mastodon.social/tags/Fido2" class="mention hashtag" rel="nofollow noopener" target="_blank">#Fido2</a> key with just your web browser?In Chrome: –Open the settings screen –"Privacy and Security" –"Security" –"Manage Security Keys" –"Sign-in data"Or you can put chrome://settings/securityKeys in the nav bar.

artfulrobot<a href="https://floss.social/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#Microsoft</a> role out <a href="https://floss.social/tags/passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#passkeys</a> by default but ... require you to install a Microsoft app on your phone to use it.Requiring a proprietary app makes a mockery of the open <a href="https://floss.social/tags/fido2" class="mention hashtag" rel="nofollow noopener" target="_blank">#fido2</a> standard and if they haven't used this as another tracking opportunity I'll eat my hat.At every turn Microsoft finds a way to lock down their users (I'd use "customers" but users are more like cattle to big tech rather than people who choose to give their custom)Ditch the lot! <a href="https://floss.social/tags/openSource" class="mention hashtag" rel="nofollow noopener" target="_blank">#openSource</a> alternatives exist.

pink<a href="https://norden.social/@ksp1968" class="u-url mention" rel="nofollow noopener" target="_blank">@ksp1968</a> Ich habe auf die Schnelle nur etwas auf englisch gefunden: <a href="https://sts10.github.io/2022/11/11/mastodon-two-factor-authentication.html" rel="nofollow noopener" translate="no" target="_blank">https://sts10.github.io/2022/11/11/mastodon-two-factor-authentication.html</a> <a href="https://norden.social/tags/FIDO2" class="mention hashtag" rel="nofollow noopener" target="_blank">#FIDO2</a> wird da auch nicht erwähnt. Die offizielle <a href="https://norden.social/tags/Mastodon" class="mention hashtag" rel="nofollow noopener" target="_blank">#Mastodon</a> Dokumentation (<a href="https://docs.joinmastodon.org/user/contacts/#account" rel="nofollow noopener" translate="no" target="_blank">https://docs.joinmastodon.org/user/contacts/#account</a>) ist auch nicht wirklich hilfreich. Vielleicht hat <a href="https://norden.social/@leuchtturm" class="u-url mention" rel="nofollow noopener" target="_blank">@leuchtturm</a> noch mehr Informationen?

ksp1968<a href="https://norden.social/@pink" class="u-url mention" rel="nofollow noopener" target="_blank">@pink</a> <a href="https://social.nitrokey.com/@nitrokey" class="u-url mention" rel="nofollow noopener" target="_blank">@nitrokey</a> <a href="https://norden.social/tags/fido2" class="mention hashtag" rel="nofollow noopener" target="_blank">#fido2</a> <a href="https://norden.social/tags/2fa" class="mention hashtag" rel="nofollow noopener" target="_blank">#2fa</a> <a href="https://norden.social/tags/token" class="mention hashtag" rel="nofollow noopener" target="_blank">#token</a> <a href="https://norden.social/tags/neuhier" class="mention hashtag" rel="nofollow noopener" target="_blank">#neuhier</a> Efahrungsbericht zur 2fa FIDO2 Anmeldung bei einer Instanz. Bei mir norden.social. Ihr könnt in den Einstellungen->Konto->2 Faktor Authentifizierung eure Anmeldung sicherer machen. Wenn ihr 2fa Authentifizierung eingerichtet habt, könnt ihr auch FIDO2 einrichten. Ich habe 2 solcher FIDO2-Token, und habe beide eingerichtet, über die ich mich nun anmelde. @norden.social: Gibt es eine Schritt für Schritt Anleitung für Anfänger dazu?

pink<a href="https://norden.social/@ksp1968" class="u-url mention" rel="nofollow noopener" target="_blank">@ksp1968</a> norden.social unterstützt doch <a href="https://norden.social/tags/fido2" class="mention hashtag" rel="nofollow noopener" target="_blank">#fido2</a> (evtl. muss man vorher <a href="https://norden.social/tags/totp" class="mention hashtag" rel="nofollow noopener" target="_blank">#totp</a> einrichten, gut auch als Backup). Über <a href="https://norden.social/tags/TOTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#TOTP</a> auf dem <a href="https://social.nitrokey.com/@nitrokey" class="u-url mention" rel="nofollow noopener" target="_blank">@nitrokey</a> kann ich nicht viel sagen, laut Webseite sollte der 2 Pro das können.

ksp1968Moin <a href="https://norden.social/tags/neuhier" class="mention hashtag" rel="nofollow noopener" target="_blank">#neuhier</a> Ich habe einen <a href="https://norden.social/tags/Nitrokey" class="mention hashtag" rel="nofollow noopener" target="_blank">#Nitrokey</a> Pro als USB-Dongle. Habt ihr Erfahrung mit <a href="https://norden.social/tags/totp" class="mention hashtag" rel="nofollow noopener" target="_blank">#totp</a> <a href="https://norden.social/tags/2fa" class="mention hashtag" rel="nofollow noopener" target="_blank">#2fa</a> ? Ich möchte meine Dongles gerne zur Anmeldung bei meinem Account @norden.social verwenden. Ich habe davon aber noch die Finger gelassen. Ich habe keine Erfahrung damit. Außer mit <a href="https://norden.social/tags/fido2" class="mention hashtag" rel="nofollow noopener" target="_blank">#fido2</a>. <a href="https://norden.social/tags/neuhier" class="mention hashtag" rel="nofollow noopener" target="_blank">#neuhier</a> <a href="https://norden.social/tags/totp" class="mention hashtag" rel="nofollow noopener" target="_blank">#totp</a> <a href="https://norden.social/tags/2fa" class="mention hashtag" rel="nofollow noopener" target="_blank">#2fa</a> <a href="https://norden.social/tags/nitrokey" class="mention hashtag" rel="nofollow noopener" target="_blank">#nitrokey</a> <a href="https://norden.social/tags/fido2" class="mention hashtag" rel="nofollow noopener" target="_blank">#fido2</a>

David NelsonOccasionally Google prompts me to create a passkey immediately after I signed in with one. I cancel and move on. No big deal, but it seems quite obtuse. They know I have multiple registered and that I just used one of them. <a href="https://mastodon.social/tags/Fido2" class="mention hashtag" rel="nofollow noopener" target="_blank">#Fido2</a> <a href="https://mastodon.social/tags/Passkey" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passkey</a> <a href="https://mastodon.social/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passkeys</a> <a href="https://mastodon.social/tags/Google" class="mention hashtag" rel="nofollow noopener" target="_blank">#Google</a> <a href="https://mastodon.social/tags/GoogleWorkspace" class="mention hashtag" rel="nofollow noopener" target="_blank">#GoogleWorkspace</a>

Karl Voit :emacs: :orgmode:<a href="https://social.tchncs.de/@keno3003" class="u-url mention" rel="nofollow noopener" target="_blank">@keno3003</a> (2/2) Der einzige Schutz dagegen ist, wenn man physische <a href="https://graz.social/tags/FIDO2" class="mention hashtag" rel="nofollow noopener" target="_blank">#FIDO2</a>-Tokens verwendet ("device-bound passkeys" nur in der "roaming-authenticator"-Variante!), die das Auslesen des Geheimnisses prinzipiell ausschließen. Dies ist also die einzige wirklich Phishing-resistente Authentifizierungsmethode.IMO sollten also die Tipps am Ende vom Video *mit Fokus auf Sicherheit* anders lauten:- am besten 2 <a href="https://graz.social/tags/FIDO2" class="mention hashtag" rel="nofollow noopener" target="_blank">#FIDO2</a> HW-Tokens besorgen und für alle <a href="https://graz.social/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passkeys</a> verwenden (für <a href="https://graz.social/tags/IDAustria" class="mention hashtag" rel="nofollow noopener" target="_blank">#IDAustria</a> Österreich: <a href="https://www.oesterreich.gv.at/dam/jcr:972a25a0-65e6-4c2e-9422-a2e02ce16f2d/20230613_ID-Austria_FIDO.pdf" rel="nofollow noopener" translate="no" target="_blank">https://www.oesterreich.gv.at/dam/jcr:972a25a0-65e6-4c2e-9422-a2e02ce16f2d/20230613_ID-Austria_FIDO.pdf</a>)- keine phishing-gefährdeten Fall-Back-Mechanismen verwenden: also nur den 2. FIDO2-Token- jede 2FA ist besser als keine- niemals Passwörter in die Cloud schicken (Cloud-PW-Manager)HTH 🙇 <a href="https://graz.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a> <a href="https://graz.social/tags/Sicherheit" class="mention hashtag" rel="nofollow noopener" target="_blank">#Sicherheit</a> <a href="https://graz.social/tags/Authentifizierungsmethoden" class="mention hashtag" rel="nofollow noopener" target="_blank">#Authentifizierungsmethoden</a>

Matt CengiaI'd love if there was a website like <a href="https://www.passkeys.io/who-supports-passkeys" rel="nofollow noopener" translate="no" target="_blank">https://www.passkeys.io/who-supports-passkeys</a> which showed which websites also support *non-resident* <a href="https://aus.social/tags/FIDO2" class="mention hashtag" rel="nofollow noopener" target="_blank">#FIDO2</a> authentication as opposed to resident <a href="https://aus.social/tags/Passkey" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passkey</a>. Let's reward sites that have that support!

Karl Voit :emacs: :orgmode:<a href="https://mastodon.social/@yacc143" class="u-url mention" rel="nofollow noopener" target="_blank">@yacc143</a> FYI: <a href="https://graz.social/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passkeys</a> and <a href="https://graz.social/tags/FIDO2" class="mention hashtag" rel="nofollow noopener" target="_blank">#FIDO2</a> (= "device-bound <a href="https://graz.social/tags/passkey" class="mention hashtag" rel="nofollow noopener" target="_blank">#passkey</a>" which can be divided into "platform-" and "roaming-authenticators") are identical except the <a href="https://graz.social/tags/cloud" class="mention hashtag" rel="nofollow noopener" target="_blank">#cloud</a>-sync mechanism (as of my current understanding).So unfortunately, they get mixed up or are considered as totally different things. Both is wrong.In reality, they are very similar except that FIDO2 hardware tokens ("device-bound passkeys" only in their "roaming-authenticator" variant) are designed that way, that Passkeys are not being able to extracted from the device (at least for the moment).Therefore, users of HW tokens can't be tricked into transferring their passkey to a rogue third party, which is possible with all other Passkey variants. Therefore: passkeys are NOT <a href="https://graz.social/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#phishing</a>-resistant in the general case.<a href="https://graz.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a> <a href="https://graz.social/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#authentication</a> <a href="https://graz.social/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#2FA</a>

Karl Voit :emacs: :orgmode:<a href="https://graz.social/tags/TroyHunt" class="mention hashtag" rel="nofollow noopener" target="_blank">#TroyHunt</a> fell for a <a href="https://graz.social/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#phishing</a> attack on his mailinglist members: <a href="https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/" rel="nofollow noopener" translate="no" target="_blank">https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/</a>Some of the ingredients: <a href="https://graz.social/tags/Outlook" class="mention hashtag" rel="nofollow noopener" target="_blank">#Outlook</a> and its habit of hiding important information from the user and missing <a href="https://graz.social/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#2FA</a> which is phishing-resistant.Use <a href="https://graz.social/tags/FIDO2" class="mention hashtag" rel="nofollow noopener" target="_blank">#FIDO2</a> with hardware tokens if possible (<a href="https://graz.social/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passkeys</a> without FIDO2 HW tokens are NOT phishing-resistant due to the possibility of being able to trick users with credential transfers: <a href="https://arxiv.org/abs/2501.07380" rel="nofollow noopener" translate="no" target="_blank">https://arxiv.org/abs/2501.07380</a>) and avoid Outlook (or <a href="https://graz.social/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#Microsoft</a>) whenever possible.Further learning: it could happen to the best of us! Don't be ashamed, try to minimize risks and be open about your mistakes.Note: any 2FA is better than no 2FA at all.<a href="https://graz.social/tags/email" class="mention hashtag" rel="nofollow noopener" target="_blank">#email</a> <a href="https://graz.social/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> <a href="https://graz.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a> <a href="https://graz.social/tags/OTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#OTP</a> <a href="https://graz.social/tags/TOTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#TOTP</a> <a href="https://graz.social/tags/Passkey" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passkey</a> <a href="https://graz.social/tags/haveibeenpwned" class="mention hashtag" rel="nofollow noopener" target="_blank">#haveibeenpwned</a> <a href="https://graz.social/tags/Ihavebeenpwned" class="mention hashtag" rel="nofollow noopener" target="_blank">#Ihavebeenpwned</a>

Karl Voit :emacs: :orgmode:<a href="https://infosec.exchange/@technotenshi" class="u-url mention" rel="nofollow noopener" target="_blank">@technotenshi</a> <a href="https://graz.social/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passkeys</a> are not prone to <a href="https://graz.social/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#phishing</a> according to my understanding of: <a href="https://arxiv.org/abs/2501.07380" rel="nofollow noopener" translate="no" target="_blank">https://arxiv.org/abs/2501.07380</a>The paper describes that it's possible to fool Passkey owners to transfer their <a href="https://graz.social/tags/Passkey" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passkey</a> to attackers: "Another concern could be social engineering, where a user is tricked into sharing a passkey with an account controlled by an attacker."However, the authors disagree with my interpretation.The only really secure method is hardware <a href="https://graz.social/tags/FIDO2" class="mention hashtag" rel="nofollow noopener" target="_blank">#FIDO2</a> tokens where the secrets can't leave the device.

Karl Voit :emacs: :orgmode:<a href="https://infosec.exchange/@0xF21D" class="u-url mention" rel="nofollow noopener" target="_blank">@0xF21D</a> Any more reason to switch to FIDO2 with hardware tokens or <a href="https://graz.social/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passkeys</a>.The latter only if you trust the service providers and if you don't need protection against phishing. With Passkeys and their optional delegation feature you can be tricked into transferring to a hacker. 😞With a <a href="https://graz.social/tags/FIDO2" class="mention hashtag" rel="nofollow noopener" target="_blank">#FIDO2</a> hardware token, you're really safe.

Karl Voit :emacs: :orgmode:<a href="https://shkspr.mobi/blog/@blog" class="u-url mention" rel="nofollow noopener" target="_blank">@blog</a> Well,let's kill <a href="https://graz.social/tags/TOTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#TOTP</a> and switch to <a href="https://graz.social/tags/FIDO2" class="mention hashtag" rel="nofollow noopener" target="_blank">#FIDO2</a> which protects against <a href="https://graz.social/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phishing</a> and MITM.

David NelsonPeople who use hardware security keys: Storing them in geographically diverse locations is a wise move but makes it impossible to quickly onboard. How do you keep track of where you’ve registered each key? A checklist in a spreadsheet is obvious but cumbersome. Is there a better way? (Yes I use passkeys extensively but for certain services like email, iCloud, and my password manager, a hardware option is desirable if not mandatory.) <a href="https://mastodon.social/tags/YubiKey" class="mention hashtag" rel="nofollow noopener" target="_blank">#YubiKey</a> <a href="https://mastodon.social/tags/YubiKeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#YubiKeys</a> <a href="https://mastodon.social/tags/FIDO" class="mention hashtag" rel="nofollow noopener" target="_blank">#FIDO</a> <a href="https://mastodon.social/tags/FIDO2" class="mention hashtag" rel="nofollow noopener" target="_blank">#FIDO2</a> <a href="https://mastodon.social/tags/FIDOKey" class="mention hashtag" rel="nofollow noopener" target="_blank">#FIDOKey</a> <a href="https://mastodon.social/tags/FIDOKeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#FIDOKeys</a> <a href="https://mastodon.social/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#Security</a>

Juergen M. Bruckner<a href="https://sueden.social/@red_rooster" class="u-url mention" rel="nofollow noopener" target="_blank">@red_rooster</a> Du kannst auch einen FIDO2 Stick verwenden - wo das halt geht.<a href="https://mastodon.bruckner.email/tags/fido" class="mention hashtag" rel="nofollow noopener" target="_blank">#fido</a> <a href="https://mastodon.bruckner.email/tags/fido2" class="mention hashtag" rel="nofollow noopener" target="_blank">#fido2</a> <a href="https://mastodon.bruckner.email/tags/opensource" class="mention hashtag" rel="nofollow noopener" target="_blank">#opensource</a> <a href="https://mastodon.bruckner.email/tags/totp" class="mention hashtag" rel="nofollow noopener" target="_blank">#totp</a> <a href="https://mastodon.bruckner.email/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a>

0hlov3Passwords alone won’t save you. Phishing attacks, data breaches, and credential stuffing are everywhere. So how do you truly secure your online identity? Lets explore YubiKey, a phishing-resistant hardware security key that enables passwordless login, strong authentication, and cryptographic signing for personal and enterprise use. <a href="https://schoenwald.aero/posts/2025-02-5_the-ultimate-guide-to-yubikey/" rel="nofollow noopener" target="_blank">https://schoenwald.aero/posts/2025-02-5_the-ultimate-guide-to-yubikey/</a> What do you think? Did I miss something important or misunderstood something? Also, this isn’t an ad, unless my enthusiasm and advocacy for cool security tech count as advertising. ;) <a href="https://gts.privatetrace.io/tags/yubikey" class="mention hashtag" rel="nofollow noopener" target="_blank">#YubiKey</a> <a href="https://gts.privatetrace.io/tags/fido2" class="mention hashtag" rel="nofollow noopener" target="_blank">#FIDO2</a> <a href="https://gts.privatetrace.io/tags/passwordlessauthentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#PasswordlessAuthentication</a>

Recent searches

Search options

Administered by:

Server stats:

#fido2