Sign in or Join to comment or subscribe

2023-06-15T23:29:26Z ago

Sorry 1Password, I dropped out of your subscription, when you decided to move it to the cloud. I won’t share my 200 passwords in the cloud, because if the platform gets hacked I and my customers are lost completely being an IT Professional dealing with many operational related passwords, where you could do harmful things.
The nice one about passkeys is, that the private key does not leave your device. The security issue is, that it does it nevertheless, because it is synced through your provider. The first thing Google asked me to activate was keychain synchronization on my iPhone.
So the security downside:: can the FBI or the CIA force the providers to offer the private keys synched over their platforms? Even if they cut my finger or fake my FaceID, can they actually get access to all sites, where I use passkeys? You didn’t answer that. And we know your national security knows no limits on privacy even in courts.
While I still believe, that passkeys are a relieve to many consumers out there and it will protect them very reasonable against phishing, I wonder how we get it to work in production environments, where I would like to have passwordless also. Imagine a workshop where ten people use the same ten laptops to do diagnostics on cars in ten boxes between they switch? How do I register ten passkeys on ten devices for one company application that does car diagnostics? Any solution to that problem?
Nevertheless it was a great show and I really hope, passkeys make the world for normal users/customers so much more secure and easier to use. Still as a non normal user I have some security and usability issues. Hope you get the points here about cyber security for IT professionals and enterprise use cases.
Thank you very much for the great show!

2023-06-15T23:45:40Z ago

You discussed the marketing and the rollout of passkeys a lot. What I see as a potential danger is, that as soon as a majority of users begin to trust passkeys as a „quality“ measure of a website and associate this with trust, we will see, that a lot of organized criminality web sites will adopt to that and will fake to be more trusted than they are.
If you can’t use passkeys for phishing, because the passkey is bound to the trusted web site, would there be a way to prevent the use of passkeys on a list of blacklisted web sites known to be criminal and scamming users? That would give me even more trust. It will not prevent scamming on the internet, but it could shorten it in time being successful and add some more effort to criminals, because users might feel uncomfortable, if they have to change the domain every to week to reregister their passkey…
This could help in reducing scamming of users. What do you think?

2023-06-18T04:11:06Z ago

Two questions I had were not addressed.

  1. Is the same public key being used on all the sites. In other words if company A is affiliated with Company B can my login to A be associated with a login on B?

  2. What if I want to have two separate accounts on a web site. Two different gmail addressed, separate logins for reddit etc? Can I create personas and switch between them?

Jerod Santo

Jerod Santo

Omaha, Nebraska

Jerod co-hosts The Changelog, crashes JS Party, and takes out the trash (his old code) once in awhile.

2023-06-19T13:58:07Z ago

Good questions! The spec says:

Conceptually, one or more public key credentials, each scoped to a given WebAuthn Relying Party, are created by and bound to authenticators as requested by the web application. The user agent mediates access to authenticators and their public key credentials in order to preserve user privacy.

So I think the answer to #1 is that it should be different public keys for each site, but that it’s up to the user agent to implement that.

For #2, I don’t see any reason why you couldn’t have separate accounts on a web site just like you can with passwords.

2023-07-03T04:47:41Z ago

The courts have ruled that you cannot be compelled to give up something you know (password, pin) to unlock a device - self incrimination. If you lock all your passkeys (or passwords) with something you have - fingerprint, face unlock, you can be legally compelled to unlock your vault. So, if for any reason you find yourself involved in a court case you will be handing over every account access for discovery to the prosecution.

Player art
  0:00 / 0:00