eupolicy.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
#fido2

KMJ 🇦🇹
Strange, I have 2 #GoTrust #Fido2 keys. They work fine with #Chromium, but on #Firefox touching the key does not activate it or ask for the password. It's like Firefox cannot access the USB? #Debian12 #Gotrust #Fido2 #U2F

Karl Voit :emacs: :orgmode:
Authentication (#Authentifizierung) with #FIDO2 and #Passkeys https://karl-voit.at/FIDO2-vs-Passkeys/ What they are, why you should use them, and how they compare to other methods. #MFA #2FA #FIDO #Passkey #Sicherheit #publicvoit

:hacker_p: :hacker_f: :hacker_t:
I thought that #FIDO2 / #Passkeys cross-device requires proximity and enforces it using "cloud assisted Bluetooth" (#cable). How is it even possible to MITM it? https://news.risky.biz/risky-bulletin-new-phishing-technique-bypasses-fido-keys/ Reported by: @campuscodi CC: @rmondello @timcappalli

TechnoTenshi :verified_trans: :Fire_Lesbian:
Typage 0.2.3 adds support for encrypting files with passkeys via WebAuthn PRF, enabling phishing-resistant, hardware-bound symmetric encryption in browser and CLI with age-plugin-fido2prf. Thanks @filippo https://words.filippo.io/passkey-encryption/ #WebAuthn #Passkeys #Encryption #FIDO2

apfeltalk :verified:
How passkeys work: the complete guide to your passwordless future. Managing passwords remains one of the biggest challenges in IT security. Many companies and users
https://www.apfeltalk.de/magazin/news/wie-funktionieren-passkeys-der-vollstaendige-leitfaden-fuer-deine-passwortlose-zukunft/ #News #Authenticator #Authentifizierung #Datenschutz #FIDO2 #ITSicherheit #Passkey #Passwortlos #PublicKeyKryptographie #Sicherheitsschlssel #WebAuthn

Hex
The FIDO2 Level 2 certification should mean that you can use your Nitrokey 3 with ID Austria. https://www.nitrokey.com/news/2025/nlnet-foundation-supports-nitrokey-3-storage-and-fido2-level-2-certification https://www.id-austria.gv.at/de/hilfe/hilfe-zu-ida/authentifizierungsfaktoren#header-welche_fido_sicherheitsschlussel_sind_mit_id_austria_kompatibel_und_wo_sind_sie_erhaltlich-qbvpmo (German only) #FIDO2 #WebAuthn #IDAustria #Nitrokey

Karl Voit :emacs: :orgmode:
@bsi Nitpicking: with #Passkeys in particular, there is the option of giving other people access via the cloud. So with passkeys you have to pay close attention to whom you have granted rights. That is why passkeys are unfortunately also susceptible to #Phishing in such cases (the attacker pretends to be a friend). But still better than almost all other authentication methods. 👍 Only HW tokens with #FIDO2 are better, since they store the private keys in a way that cannot be read out.

Karl Voit :emacs: :orgmode:
@bsi Sorry, strong passwords with 2FA or #Passkeys unfortunately do not help against phishing in principle. Especially with the smartphone-based method, you can transfer your passkey secrets to the cloud as well as to other people. That is the crux. In future, #Phishing will then simply aim at getting the secrets transmitted to the attacker. https://arxiv.org/abs/2501.07380 "Another concern could be social engineering, where a user is tricked into sharing a passkey with an account controlled by an attacker." -> Protection only with exclusively "device-bound passkeys" in the "roaming-authenticator" variant = hardware #FIDO2 tokens. Those are currently the only protection against phishing. But anything is better than no #2FA.

JRT
Ok, with #passkeys booking.com went from one of the worst to a mediocre login experience. It would be wonderful if there was a setting to skip #TOTP when signing in with a resident key. #FIDO2

Sönke Schwardt-Krummrich
I have wanted to use my Yubikeys for a secure SSH login for some time now. But like @jgoerzen, I have come across many incorrect, poorly explained and inadequately explained instructions. It looks like John has now written the ultimate guide for #SSH with #FIDO2/U2F hardware keys that beats all other guides I know of. https://www.complete.org/easily-using-ssh-with-fido2-u2f-hardware-security-keys/

🔘 G◍M◍◍T 🔘
💡 Microsoft: new accounts without passwords and with passkeys by default https://gomoot.com/microsoft-nuovi-account-senza-password-e-con-passkey-di-default/ #blog #fido #fido2 #microsoft #news #password #passwordless #picks #tech #tecnologia #windows

pink
@ksp1968 At short notice I only found something in English: https://sts10.github.io/2022/11/11/mastodon-two-factor-authentication.html #FIDO2 is not mentioned there either. The official #Mastodon documentation (https://docs.joinmastodon.org/user/contacts/#account) is not really helpful either. Maybe @leuchtturm has more information?

pink
@ksp1968 norden.social does support #fido2 (you may have to set up #totp first, which is also good as a backup). I cannot say much about #TOTP on the @nitrokey; according to the website, the 2 Pro should be able to do that.

ksp1968
Hi #neuhier
I have a #Nitrokey Pro as a USB dongle. Do you have experience with #totp #2fa? I would like to use my dongles to log in to my account @norden.social. But I have kept my hands off it so far. I have no experience with it. Except with #fido2. #neuhier #totp #2fa #nitrokey #fido2

Karl Voit :emacs: :orgmode:
@keno3003 (2/2) The only protection against this is to use physical #FIDO2 tokens ("device-bound passkeys" only in the "roaming-authenticator" variant!), which rule out reading out the secret in principle. So this is the only truly phishing-resistant authentication method. IMO the tips at the end of the video *with a focus on security* should therefore be different:
- ideally get 2 #FIDO2 HW tokens and use them for all #Passkeys (for #IDAustria Austria: https://www.oesterreich.gv.at/dam/jcr:972a25a0-65e6-4c2e-9422-a2e02ce16f2d/20230613_ID-Austria_FIDO.pdf)
- do not use phishing-prone fallback mechanisms: i.e. only the 2nd FIDO2 token
- any 2FA is better than none
- never send passwords to the cloud (cloud password managers)
HTH 🙇 #security #Sicherheit #Authentifizierungsmethoden

Matt Cengia
I'd love it if there were a website like https://www.passkeys.io/who-supports-passkeys which showed which websites also support *non-resident* #FIDO2 authentication as opposed to resident #Passkey. Let's reward sites that have that support!

Karl Voit :emacs: :orgmode:
@yacc143 FYI: #Passkeys and #FIDO2 (= "device-bound #passkey", which can be divided into "platform-" and "roaming-authenticators") are identical except for the #cloud-sync mechanism (as of my current understanding). So unfortunately, they get mixed up or are considered totally different things. Both are wrong. In reality, they are very similar, except that FIDO2 hardware tokens ("device-bound passkeys" only in their "roaming-authenticator" variant) are designed so that passkeys cannot be extracted from the device (at least for the moment). Therefore, users of HW tokens can't be tricked into transferring their passkey to a rogue third party, which is possible with all other passkey variants. Therefore: passkeys are NOT #phishing-resistant in the general case. #security #authentication #2FA

Karl Voit :emacs: :orgmode:
#TroyHunt fell for a #phishing attack on his mailing-list members: https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/ Some of the ingredients: #Outlook and its habit of hiding important information from the user, and missing #2FA that is phishing-resistant. Use #FIDO2 with hardware tokens if possible (#Passkeys without FIDO2 HW tokens are NOT phishing-resistant due to the possibility of tricking users with credential transfers: https://arxiv.org/abs/2501.07380) and avoid Outlook (or #Microsoft) whenever possible. Further learning: it could happen to the best of us! Don't be ashamed, try to minimize risks and be open about your mistakes. Note: any 2FA is better than no 2FA at all. #email #malware #security #OTP #TOTP #Passkey #haveibeenpwned #Ihavebeenpwned

@technotenshi #Passkeys are not prone to #phishing according to my understanding of:
arxiv.org/abs/2501.07380

The paper describes that it's possible to fool Passkey owners to transfer their #Passkey to attackers: "Another concern could be social engineering, where a user is tricked into sharing a passkey with an account controlled by an attacker."

However, the authors disagree with my interpretation.

The only really secure method is hardware #FIDO2 tokens where the secrets can't leave the device.

arXiv.org: Device-Bound vs. Synced Credentials: A Comparative Evaluation of Passkey Authentication
Abstract: With passkeys, the FIDO Alliance introduces the ability to sync FIDO2 credentials across a user's devices through passkey providers. This aims to mitigate user concerns about losing their devices and promotes the shift toward password-less authentication. As a consequence, many major online services have adopted passkeys. However, credential syncing has also created a debate among experts about their security guarantees. In this paper, we categorize the different access levels of passkeys to show how syncing credentials impacts their security and availability. Moreover, we use the established framework from Bonneau et al.'s Quest to Replace Passwords and apply it to different types of device-bound and synced passkeys. By this, we reveal relevant differences, particularly in their usability and security, and show that the security of synced passkeys is mainly concentrated in the passkey provider. We further provide practical recommendations for end users, passkey providers, and relying parties.

@0xF21D Any more reason to switch to FIDO2 with hardware tokens or #Passkeys.

The latter only if you trust the service providers and if you don't need protection against phishing. With Passkeys and their optional delegation feature you can be tricked into transferring to a hacker. 😞

With a #FIDO2 hardware token, you're really safe.