When I say TOTP is phishable and webauthn (“passkeys”) isn’t, this is a real-world example of what I am talking about
-
I'm not entirely pro-passkeys yet, but this is a good case for them.
@snarfmason Passkeys are really good, but the forcing/tricking people into using them rubs people the wrong way.
-
@andreasio @bitprophet you're wrong, because you are underestimating how bad passwords are and how often people get pwned due to their flaws. they seem normal, but it's dire. approval-app "2FA" is almost as bad.
the things you're referencing are real issues, and I'd be nervous about any website which required me to lock myself out from everything except a *single* passkey, but that's not how any big site's auth works. password/TOTP/SMS fallbacks are still everywhere. (a bit too common, IMHO).
@bitprophet @glyph Mozilla recommends that sites nudge users to delete alternative login methods?
https://developer.mozilla.org/en-US/docs/Web/Security/Authentication/Passkeys#migrating_from_passwords
My understanding is that extensions in Chrome and Firefox can see what the browser sees. Let's say ublock gets compromised, and my browser is connected to e.g. KeePass. Can ublock steal my private keys?
Just saying. This is what I fear. Maybe I misunderstand. But passkeys just seem to me to require trust of too many applications and third parties and even myself.
-
@porglezomp 1password is pretty good about this, but you have to know how to use it *really* well, and you have to regard "copy/paste into a field on a website" as an omega-level threat, rather than "basic, normal functionality of your computer" which is not in the muscle-memory of most people. https://mastodon.social/@glyph/115942437226812155
@glyph yeah I was very happy with 1Password but I didn’t want to jump into cloud subscription software and the legacy extension is rotting which is part of why I can’t rely on it. Also it never got good tools for merging different accounts that are actually the same. And Passwords.app has a different set of problems like occasionally disconnecting from my browser and being even worse at merging accounts.
-
@andreasio @bitprophet Mozilla says a lot of things and almost none of them are based in reality.
I do not believe that extensions have full access to each others' internals. Not completely sure, I'm not a browser extension developer, but malicious extension attacks are always "fake password manager" or "clickjacking", not "reach in to pw manager data structures and steal private keys" so I don't think so.
-
@andreasio @bitprophet your concerns are not unreasonable, they're just mis-prioritized. Passwords already have all of these issues (unless you're not using a password manager in which case you're in _way_ worse trouble anyway) and a whole bunch more that you're under-weighting.
-
@porglezomp I understand the trepidation about subscription software, but personally I am happy to subscribe. I want 1password to update to every new OS security feature, to always be available on lots of new devices, to be up to date and constantly responsive to evolving threats, and that involves a constantly-maintained service not just a drop-it-and-forget-it app purchase.
-
@glyph I was more opposed to the switch to only supporting online vaults than the subscription but I guess that’s always true with apple’s Passwords so I might as well switch back.
-
@snarfmason @bitprophet if you don't mind sharing, what's stopping you from trusting passkeys / being pro-passkey? Not looking to debate, just to understand.
-
@bitprophet you should set them up everywhere that allows you to have a TOTP backup. always use passkeys with wild abandon, maintain the TOTP fallback in the rare (and increasingly so over time) case where your webauthn stack shits itself, but treat "I have to enter a TOTP" as an extremely rare and dangerous thing that should only ever come from an action that you initiate (i.e.: never, ever when you click a link in email)
@glyph yea fair, I should keep my eyes out more for where they are an upgrade-with-fallback.
I /have/ seen them put to good use when stored inside 1P, which (IIUC) should mean they’ll also be proof against any sort of device loss.
Also, lol at clicking links in emails! Who does that. I mean I know who, but, it ain’t me that’s for sure.
-
@bitprophet the ones stored in Chrome and iCloud accounts are also cloud synced and resilient to device loss. the only "passkey"-shaped thing that isn't, is a yubikey, which is not really designed for any use-case without an out-of-band device reset