eupolicy.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
#passwordless

Continued thread

apparently family members are freaked out because microsoft is pushing their bullshit #passwordless nonsense, and there's an arbitrary deadline for August 1st on which they say they're going to delete all their passwords.

their default browser home pages have a bunch of suggested articles with scary headlines, and when they try to search for more information about it the information at the top of the page is LLM nonsense which only freaks them out more.

Continued thread

Another approach would be if Alice could generate multiple Passkeys and hand them out to individuals she trusts, and then retain the ability to revoke them. Sadly many sites don't yet support Passkeys, and this model still lets someone like Mal revoke Alice's access, so that's not great.

Bitwarden has a feature whereby Alice can share a password with Eve but not let her see it or export it. This could work pretty well, except if the site requires 2FA from an SMS text message (vs TOTP or a token), or if Eve has the know-how to intercept the password.

I still think that what we ultimately want is attenuated scopes because then we can track all actions by the delegated party.

I do wonder if this need is niche or if the current solution of "good faith password sharing" works well enough often enough that it hasn't risen to the level of concern for developers.

2/2

I've been thinking about delegated authority on websites lately.

It would be convenient if I could delegate certain functions to people, for example allowing someone like my accountant to have access to some of my financial records.

Some organizations make this easy, allowing me to have multiple accounts.

Other services don't offer this, nor do they offer any kind of OAuth type of delegated authorization or capabilities model.

I've been thinking about ways around this.

One very wacky way would be if Alice could have a "special browser" that would tie into some service she runs. Bob would log in with his credentials and then behind the scenes the application logs in as Alice.

This would be very complicated to implement though.

1/
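A sketch of the attenuated-scope delegation the thread above asks for, added here as an example and not code from any of the posters: Alice's own service holds the root key, mints a delegate token that names the delegate and carries a scope set and an expiry, lets any holder only narrow it (HMAC-chained caveats, macaroon-style, so a caveat cannot be stripped without the root key), and keeps a revocation list plus an audit log so every action is attributable to the delegate rather than to Alice. Revocation is one-directional: Alice can cut off Bob, but Bob's token gives him no way to touch Alice's own access. The service API, the delegate names and the scope strings are all assumptions.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Set, Tuple


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _canon(obj) -> bytes:
    # Canonical JSON so both sides hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class DelegationService:
    """Hypothetical delegation service run by one account owner (Alice).

    The root key never leaves the service. Delegates hold tokens that name
    them, carry a scope set and an expiry, and can only ever be narrowed.
    """

    def __init__(self, root_key: bytes):
        self._root_key = root_key
        self._revoked: Set[str] = set()
        self.audit_log: List[Dict] = []

    def mint(self, delegate: str, scopes: Set[str], ttl_s: int, now: float) -> Dict:
        base = {"id": secrets.token_hex(8), "delegate": delegate,
                "scopes": sorted(scopes), "exp": now + ttl_s}
        return {"base": base, "caveats": [],
                "tag": _mac(self._root_key, _canon(base)).hex()}

    @staticmethod
    def attenuate(token: Dict, scopes: Optional[Set[str]] = None,
                  exp: Optional[float] = None) -> Dict:
        """Narrow a token without the root key: each caveat is chained into the tag."""
        caveat: Dict = {}
        if scopes is not None:
            caveat["scopes"] = sorted(scopes)
        if exp is not None:
            caveat["exp"] = exp
        new_tag = _mac(bytes.fromhex(token["tag"]), _canon(caveat))
        return {"base": token["base"], "caveats": token["caveats"] + [caveat],
                "tag": new_tag.hex()}

    def revoke(self, token_id: str) -> None:
        # Revoking the base id also kills every attenuated copy derived from it.
        self._revoked.add(token_id)

    def _verify_chain(self, token: Dict) -> bool:
        tag = _mac(self._root_key, _canon(token["base"]))
        for caveat in token["caveats"]:
            tag = _mac(tag, _canon(caveat))
        return hmac.compare_digest(tag.hex(), token["tag"])

    def _decide(self, token: Dict, action: str, now: float) -> Tuple[bool, str]:
        if not self._verify_chain(token):
            return False, "bad signature"
        base = token["base"]
        if base["id"] in self._revoked:
            return False, "revoked"
        scopes = set(base["scopes"])
        exp = base["exp"]
        for caveat in token["caveats"]:
            # Caveats only intersect scopes and shorten expiry; they cannot widen.
            if "scopes" in caveat:
                scopes &= set(caveat["scopes"])
            if "exp" in caveat:
                exp = min(exp, caveat["exp"])
        if now >= exp:
            return False, "expired"
        if action not in scopes:
            return False, "out of scope"
        return True, "ok"

    def authorize(self, token: Dict, action: str, now: float) -> Tuple[bool, str]:
        ok, reason = self._decide(token, action, now)
        # Every decision is logged against the delegate named in the token.
        self.audit_log.append({"delegate": token["base"].get("delegate", "?"),
                               "token": token["base"].get("id"), "action": action,
                               "allowed": ok, "reason": reason})
        return ok, reason


def demo() -> List[Tuple[bool, str]]:
    svc = DelegationService(root_key=secrets.token_bytes(32))
    t0 = 1_700_000_000.0
    # Alice delegates read-only access to her accountant (constructed name) for 30 days.
    bob = svc.mint("bob@accounting.example", {"read:statements", "read:invoices"}, 30 * 86400, t0)
    # Bob hands a narrower, one-day token to an assistant; no root key involved.
    assistant = DelegationService.attenuate(bob, scopes={"read:invoices"}, exp=t0 + 86400)
    # Negative check: dropping the caveat while keeping the attenuated tag must not verify.
    stripped = {"base": assistant["base"], "caveats": [], "tag": assistant["tag"]}
    results = [
        svc.authorize(bob, "read:statements", t0 + 10),
        svc.authorize(assistant, "read:statements", t0 + 10),
        svc.authorize(assistant, "read:invoices", t0 + 10),
        svc.authorize(assistant, "read:invoices", t0 + 2 * 86400),
        svc.authorize(stripped, "read:statements", t0 + 10),
    ]
    svc.revoke(bob["base"]["id"])
    results.append(svc.authorize(bob, "read:statements", t0 + 10))
    return results


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

The tag chain is what makes "attenuated" mean something: the holder can append restrictions freely, but removing one changes the chain and the service rejects it. The audit log records the delegate's identity on every decision, which is the tracking the thread says password sharing cannot give you.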

React-like functional webcomponents, but with vanilla HTML, JS and CSS

Introducing Dim – a new #Framework that brings #ReactJS-like functional #JSX-syntax with #VanillaJS. Check it out here:
🔗 Project: github.com/positive-intentions
🔗 Website: dim.positive-intentions.com

My journey with #WebComponents started with Lit, and while I appreciated its native browser support (less #Tooling!), coming from #ReactJS, the class components felt like a step backward. The #FunctionalProgramming approach in React significantly improved my #DeveloperExperience and debugging flow.

So, I set out to build a thin, functional wrapper around #Lit, and Dim is the result! It's a #ProofOfConcept right now, with "main" #Hooks similar to React, plus some custom ones like useStore for #EncryptionAtRest. (Note: #StateManagement for encryption-at-rest is still unstable and currently uses a hardcoded password while I explore #Passwordless options like #WebAuthn/#Passkeys).

You can dive deeper into the #Documentation and see how it works here:
📚 Dim Docs: positive-intentions.com/docs/c

This #OpenSource project is still in its early stages and very #Unstable, so expect #BreakingChanges. I've already received valuable #Feedback on some functions regarding #Security, and I'm actively investigating those. I'm genuinely open to all feedback as I continue to develop it!


Passkey adoption continues to expand; nice move announced in the UK today. #passwordless #passkey

"The move to implement passkey technology for the government’s GOV.UK services marks a major step forward in strengthening the nation’s digital security." -- NCSC UK

ncsc.gov.uk/news/government-ad

www.ncsc.gov.uk: UK pioneering global move away from passwords. Government to roll out passkey technology across digital services as an alternative to SMS-based verification.

📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #18/2025 is out!

It includes the following and much more:

🇫🇷 🇷🇺 France has linked Russian APT to 12 #cyberattacks on French Orgs.;

🇺🇸 Cybersecurity experts demand the reinstatement of Chris Krebs' security clearances and the withdrawal of the investigation;

🐛 🍎 #Vulnerabilities in Apple's #AirPlay Protocol;

🚉 New York's Metropolitan Transportation Authority plans to use #AI and cameras to detect potential subway crimes before they happen;

🇨🇳 @SentinelOne Targeted by Chinese #PurpleHaze Group;

🔐 #Microsoft sets all new accounts #passwordless by default;

🇺🇸 💸 The #Trump administration plans to cut $491 million from #CISA's budget;

Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️

infosec-mashup.santolaria.net/


As RSA Conference kicks off, it’s cool to see #identity management get highlighted in this CSO Online article as a topic that will “dominate” the agenda, as well as a callout that the #passwordless (re)evolution is finally here. Attendees should definitely check out the talks in the Identity track because there’s a little bit of everything in there: from best practices, technical solutions, and top concerns for those tackling today’s problems, to interesting developments that could shape tomorrow’s digital experiences.
#IAM #RSAC2025
csoonline.com/article/3965415/

CSO Online: 10 key questions security leaders must ask at RSA 2025. Agentic AI, platform hype, identity management, and economic uncertainty will dominate the RSA agenda. But discussions with fellow attendees will provide the real payoff.
Replied in thread

@jpsachse : or when your account gets pwned and the attacker does a better job proving that they are you than you - after all, *they* have access to your account - while you do not.

🔸 ANDROID PASSKEY BLACK HOLE
*Or* when you press a button "Clear data" (at the bottom of chrome.google.com/sync) which is accompanied by the text:

« This will clear your Chrome data that has been saved in your Google Account. This might clear some data from your devices. »

For you to subsequently find out that ALL OF YOUR PASSKEYS on (all of) your Android device(s) are IRRETRIEVABLY GONE (I reported this to Google in June 2023 and published it 6 months later in
seclists.org/fulldisclosure/20). It's still unfixed.

🔸 WHY NO EXPORT AND NO BACKUP
W.r.t. being able to export and/or backup all private keys belonging to all of your passkeys: that's a big dilemma (depending on your POV).

The main (advertised, not taking into account a possibly desired vendor lock-in) reason is simple: if *you* have direct access to such private keys, *malware* running on your device does too.

The compromise is that they are automatically synced to your cloud account, and from there to other devices (of the same brand, provided they run an OS version that's not too old), including a new device if you brick or lose your old device.

However, if there's serious malware on your device, then, even if the malware authors cannot steal all of your passkeys (that is, their private keys), then you're toast anyway; a RAT such as AnyDesk may fool you into believing that you're logging in to website A while in fact it's B and they steal its session cookie - and pwn the webaccount.

🔸 SYNCING PRIVATE KEYS
BTW it's hardly being discussed, but being able to synchronize secrets between secure hardware enclaves in such a way that *you* are denied access, is quite an achievement (considering that, if you buy a new phone, the only available secrets to the transport system are your definitely weak passcode, and your, potentially weak, cloud password that may be used to encrypt the private keys in transit).

I *know* that it's complicated because I accidentally found out around June 2023 that Android can get confused: passkeys *seem* to sync just fine, but passkeys created on phone 1 do not work on phone 2 and vice versa. Somehow the phones had started using *different* encryption keys used to securely synchronize them (I also mentioned that issue in my reports to Google in the summer of 2023, and I mention it in the FD (seclists.org) message).

I don't know how Apple syncs secrets in iCloud keychain, nor whether a situation may exist where passkeys' private keys sync but are unusable (like may happen when using Android).

🔸 APPLE'S OWN PASSKEY MISERY
However, Apple has got their own bunch of problems with passkeys being usable *without* requiring biometrics or a passcode to unlock them from iCloud Keychain, see infosec.exchange/@ErikvanStrat and follow-up (it gets worse every time I look at it) infosec.exchange/@ErikvanStrat (more details in earlier toots in that thread).

In short: if you don't use biometrics to unlock your iPhone or iPad (OR you do, but you have -unlikely- disabled a specific configuration setting), then anyone with access to your iDevice in an unlocked condition (*), can sign in to:
appleid.apple.com
and/or
icloud.com
WITHOUT entering your passcode (or using biometrics).

(*) your child, spouse, someone you don't know (well) who borrows your phone to make a call (because their battery is dead), NOTABLY including a thief who stole it while you were using it (or saw you type your passcode and can unlock it by themselves: youtu.be/QUYODQB_2wQ).

I'm not sure yet, but this may even render Apple's anti-theft system totally moot.

@rmondello @johnbrayton
@agl

Continued thread

and no, the Magic Keyboard with Touch ID when paired with #VisionPro does not permit the use of Touch ID

I even asked this to an Apple salesperson and they didn't know and they scoffed at the question because "there's Optic ID why would you want a second factor of authentication?!?"

sigh. so, for business users who want a #WebAuthn #passwordless #FIDO2 #MFA experience, for use with, like, #Okta, Vision Pro does not support that

I'm finally writing an #introduction toot LOL.

I'm "JJGadgets" online, you can call me JJ, everyone does.

My life is #tech, nothing brings me more joy and zen than sitting in front of my screens. Maybe except for Japanese food.

I use and prefer #linux for both server and desktop use, despite its flaws. I live in the #commandline. Been that way since I first jailbroke on iOS 5 and installed MobileTerminal.

I study #infosec but textbooks and lessons don't even come close to doing justice to what #infosec is all about. I like to think that I live and strive to live the infosec life, including my mindset. (After all, that's why @truxnell started calling me the "tinfoil hat sensei" LOL)

I do #Kubernetes @ Home, and maintain my cluster state in #git then apply it with tools like #FluxCD. My #homelab repo can be found at https://biohazard.jjgadgets.tech (will always 301 redirect to my latest Git remote of choice, in the event it changes). I think using #GitOps/IaC to declare desired security-related state (policies, rules etc) makes managing security a lot easier.

I try to follow "Principle of Least Privilege" for my homelab, and especially for Kubernetes security, using tools such as network policies (#netpols), policy engines, secrets management, identity management, strong #authentication, and access control. For example, my homelab Kubernetes cluster heavily uses netpols everywhere to default-deny and only allow the necessary network traffic for any given app to work.

I am also very interested in strong authentication methods such as #passwordless #fido2 / #webauthn (#yubikey and #passkeys) and where possible, I only enroll FIDO2 MFA, and choose the passwordless variant if available.

I try my best to use privacy-respecting software where possible, as I believe in maintaining transparency and control over the #privacy of people, regardless of online or offline.

I also believe in #opensource, too many times we've been shown the consequences of relying on closed source software, so where possible I always prefer open source.

Outside of the screen, admittedly I'm terrible at life stuff, and it's very hard for me to be interested in much of anything other than stuff on or related to a screen/device (I basically only talk tech stuff LOL). I'm working on changing that in the event I burn out hard again (though I still haven't found a non-tech interest yet, as of writing). I've burnt out multiple times despite still being a student, and thus I now (try to) take as many necessary measures as I can to avoid over-working, over-stressing or over-exerting myself.

That's about it, let's chat (or toot?)!


An essay of YubiKey use cases.

Copied from my post in the K8s@Home Discord server about some YubiKey use cases, very roughly formatted as I typed this not 5 minutes after I woke up.

(Also, @truxnell said and I quote: “Any yubikey setup suggestions/tricks? Pinging @jj ***oh wise tinfoil hat sensei :tinfoil: ***.” So yes, this is where I got the nickname “tinfoil hat sensei” from. Thanks Nat.)

OTP: so the “first slot” of the OTP part of YubiKey is automatically programmed as Yubico OTP, DON’T TOUCH THIS because it’ll screw up your TOTPs on the YubiKey and iirc FIDO2 as well for some reason

the second slot however is blank, and I have it set to challenge-response. several things can use challenge-response but they’re quite rare: KeePassXC, Shavee (3rd party ZFS encryption “plugin”), Yubico Windows Login (for local accounts, onprem AD uses PIV via ADCS, Azure AD uses FIDO2 (and Azure AD is the only way to FIDO2 login to Windows :peperolleyes:))

PIV: age1yubikey saves the key to PIV
store local CA certs if you want to fuck with CA stuff in homelab lol (budget HSM)
S/MIME certs (but in my experience and another friend’s, S/MIME + YubiKey doesn’t work well with… any clients & OS combo at all)
local AD passwordless login via ADCS
apparently macOS login via YubiKey uses PIV but i don’t have a Mac to test lol, my 2015 is a brick until I get a new battery

GPG: email encryption between parties that both have GPG, auto incoming email encryption on Mailbox.org (ProtonMail requires their own bridges and stuff for decryption, YubiKey’s GPG is completely useless there, only FIDO2 for authn is useful for Proton)
Git commit signing
I use my YubiKey GPG for SOPS because I can’t be fucked to safeguard an agekey file and remember to copy it to the multiple OSes I use, only my cluster has an agekey

SSH: 3 options
SSH key using FIDO2, requires OpenSSH 8.2+ (resident keys allow storing the key on the YubiKey, it’s really nice to just go to any 8.2+ machine and ssh-add -K, then ssh-add -e when done, nothing else needed)
SSH via GPG auth subkey (GPG is a bitch, but if you already have a distro that isn’t too stripped down it most likely is already installed and preconfigured anyway, I could use it on a random Kali VM with USB passthrough relatively easily)
SSH PIV certificates instead of plain SSH keys (requires PIV .so libraries like Yubico’s, then ssh-add -s /usr/lib/libyubico.so.1 or something like that (can’t remember exactly), I don’t use this tho. fun fact: an ECDSA PIV cert in the PIV authentication slot can be used via GPG agent SSH too :kek:)

also if you use Linux and macOS: god bless auth sufficient pam_u2f.so but please enforce FIDO2 PIN if pam_u2f.so is used on a device that is both portable and stores valuable, personal and/or sensitive data.

LUKS decryption has a few YubiKey options (FIDO2, PIV, challenge response).

As of this post’s date (16 May 2023), my experience with 1Password is it only uses YubiKey for initial 1P.com vault login (the login on 1P that requires Secret Key), subsequent logins after initial vault login are biometrics/PIN/master password only. Others report that BitWarden behaves the same.

Lastly, do plan and consider your physical security (e.g. is your home safe enough for certain YubiKey configurations? offsite YubiKey for critical accounts?) as well as Disaster/otherwise Recovery (e.g. descendants/companions in event of user not available on Earth)
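The pam_u2f point in the essay above (enforce a FIDO2 PIN when pam_u2f.so is `sufficient` on a portable device) turned into an audit check, added here as an example and not part of the original post: it parses PAM stack lines and flags pam_u2f.so entries that lack pinverification=1 (or userverification=1), with a stronger warning when the control is `sufficient`, and also flags nouserok, which lets a user with no registered key pass the module. The sample PAM stack is constructed for the demo; the option names are pam_u2f's own.

```python
import re
from typing import Dict, List, Optional

# Constructed PAM stack for the demo; not copied from any real host.
SAMPLE_PAM = """\
# /etc/pam.d/example (constructed)
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue pinverification=1
auth required   pam_u2f.so authfile=/etc/u2f_mappings nouserok
auth required   pam_unix.so
"""

# type, control (plain word or bracketed form like [success=ok default=die]), module, options
PAM_LINE = re.compile(
    r"^(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)(?P<args>.*)$"
)


def parse_pam_line(line: str) -> Optional[Dict]:
    """Split one PAM stack line into its fields; None for lines that are not entries."""
    m = PAM_LINE.match(line.strip())
    if not m:
        return None
    opts: Dict[str, object] = {}
    for arg in m.group("args").split():
        key, _, value = arg.partition("=")
        opts[key] = value if value else True
    return {"type": m.group("type"), "control": m.group("control"),
            "module": m.group("module"), "opts": opts}


def audit_pam_u2f(text: str) -> List[Dict]:
    """Return findings for pam_u2f.so entries that rely on key presence alone."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        entry = parse_pam_line(raw)
        if not entry or not entry["module"].endswith("pam_u2f.so"):
            continue
        opts = entry["opts"]
        issues = []
        # Either option makes the authenticator demand PIN (or on-device UV) per login.
        verifies_user = opts.get("pinverification") == "1" or opts.get("userverification") == "1"
        if not verifies_user:
            if entry["control"] == "sufficient":
                issues.append("sufficient without pinverification=1: key presence alone logs in")
            else:
                issues.append("no pinverification=1: key is a possession-only factor")
        if "nouserok" in opts:
            issues.append("nouserok: users without a registered key pass this module")
        if issues:
            findings.append({"line": n, "control": entry["control"], "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_pam_u2f(SAMPLE_PAM):
        print(f"line {f['line']} ({f['control']}): " + "; ".join(f["issues"]))
```

Run it over the real files under /etc/pam.d on the machine in question rather than the constructed sample; the check is deliberately conservative and reports every pam_u2f.so line that does not set PIN or user verification, leaving it to the reader to decide whether a `required` line without a PIN is acceptable on a non-portable host.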