When I say TOTP is phishable and webauthn (“passkeys”) isn’t, this is a real-world example of what I am talking about

19 Posts 8 Posters 73 Views
Glyph:

RE: https://hachyderm.io/@miketheman/116008792409955286

When I say TOTP is phishable and webauthn (“passkeys”) isn’t, this is a real-world example of what I am talking about

lj·rk (#3), replying to Glyph:

@glyph Heck yes. This is what I've been trying to preach for ages. And also why I consider the term "multi factor" not helpful for assessing security.
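To make the distinction in the thread title concrete, here is an added example (not code from the thread or from any of its posters) that simulates both login flows on the relying-party side and runs the relay attack against each. It implements TOTP per RFC 6238 and a simplified WebAuthn assertion check; the authenticator's asymmetric signature is replaced by an HMAC over the same bytes a real authenticator signs, since the point demonstrated is origin binding, not the key type. The origins `https://example.test` and the lookalike `https://examp1e.test`, the RP ID and all keys are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct

# ---- TOTP, RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) ----

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP code for Unix time `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Server-side check; accepts neighbouring steps to tolerate clock drift.
    Note what is NOT an input: the site the user typed the code into. A code
    relayed from a lookalike page is indistinguishable from a genuine one."""
    return any(hmac.compare_digest(totp(secret, at + k * 30), code)
               for k in range(-window, window + 1))

# ---- WebAuthn-style assertion, simplified ----
# The asymmetric signature is replaced by an HMAC over the same bytes a real
# authenticator signs (authenticatorData || SHA-256(clientDataJSON)).

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes, cred_key: bytes) -> dict:
    """What the browser plus authenticator produce. The browser, not the page,
    fills in `origin` from the document actually making the request."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}, separators=(",", ":")).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP bit set) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()  # HMAC stand-in for ECDSA/Ed25519
    return {"authenticatorData": auth_data, "clientDataJSON": client_data, "signature": sig}

def rp_verify_assertion(assertion: dict, cred_key: bytes, expected_origin: str, rp_id: str, challenge: bytes):
    """Relying-party checks, in the order the WebAuthn spec lists them.
    Returns (accepted, reason)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch: " + str(cd.get("origin"))
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(), assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

# ---- The relay scenario from the thread, with constructed names ----

REAL_ORIGIN = "https://example.test"   # constructed
RP_ID = "example.test"                  # constructed
PHISH_ORIGIN = "https://examp1e.test"  # constructed lookalike

def phishing_comparison(now: int = 1_700_000_000) -> dict:
    totp_secret = secrets.token_bytes(20)
    cred_key = secrets.token_bytes(32)
    results = {}

    # TOTP: the victim types the current code into the lookalike page; the
    # attacker submits the same code to the real site a few seconds later.
    code_typed_on_phish = totp(totp_secret, now)
    results["totp_relay_accepted"] = verify_totp(totp_secret, code_typed_on_phish, now + 5)

    # WebAuthn: the real site's challenge is answered by the victim's browser
    # while it is on the lookalike page, so clientDataJSON carries that origin.
    challenge = secrets.token_bytes(32)
    relayed = browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge, cred_key)
    results["webauthn_relay_accepted"], results["webauthn_relay_reason"] = \
        rp_verify_assertion(relayed, cred_key, REAL_ORIGIN, RP_ID, challenge)

    # Rewriting `origin` in transit does not help: it is inside the signed data.
    tampered = dict(relayed)
    tampered["clientDataJSON"] = relayed["clientDataJSON"].replace(PHISH_ORIGIN.encode(), REAL_ORIGIN.encode())
    results["webauthn_tampered_accepted"], _ = rp_verify_assertion(tampered, cred_key, REAL_ORIGIN, RP_ID, challenge)

    # Same credential, same challenge, genuine page: accepted.
    legit = browser_get_assertion(REAL_ORIGIN, RP_ID, challenge, cred_key)
    results["webauthn_legit_accepted"], _ = rp_verify_assertion(legit, cred_key, REAL_ORIGIN, RP_ID, challenge)
    return results

if __name__ == "__main__":
    for key, value in phishing_comparison().items():
        print(f"{key}: {value}")
```

The TOTP server sees only a six-digit string and a clock, so the relayed code validates; the WebAuthn relying party sees the origin the browser recorded, and the signature covers it, so neither the relayed nor the rewritten assertion validates. A real browser adds a further layer the simulation skips: it refuses to use the RP ID `example.test` at all from a page on `examp1e.test`, so the assertion is never even created.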
Jeff Forcier (#4), replying to Glyph:

@glyph TBF a properly functioning (mentioned because not all are, or all the time) password manager would’ve prevented this too.

Though yarp, passkeys make it categorically impossible. Wish I trusted them more! 😰
Jon (Snarf) Mason (#5), replying to Glyph:

I'm not entirely pro-passkeys yet, but this is a good case for them.
Andreas (#6), replying to Jeff Forcier:

@glyph @bitprophet this. I used yubikeys a bit 10 years ago. Found it annoying when I didn't have my key. Also worried about colleagues finding and using my key. Today passkeys rely on a US big tech corp relay partner. Or I need to connect keepass to my browser (attack surface), which I prefer not to. So... I understand that passkeys are more secure, but the trade-offs are unfavorable, I think.

I'll be happy if I am wrong.
cassie:

@glyph I wish regular password managers weren’t so flaky because they’ve trained me that they can’t be trusted to input the password and I’ll have to copy-paste into place at least occasionally

Glyph (#7), replying to cassie:

@porglezomp 1password is pretty good about this, but you have to know how to use it *really* well, and you have to regard "copy/paste into a field on a website" as an omega-level threat, rather than "basic, normal functionality of your computer" which is not in the muscle-memory of most people. https://mastodon.social/@glyph/115942437226812155
Glyph (#8), replying to Jeff Forcier:

@bitprophet you should set them up everywhere that allows you to have a TOTP backup. always use passkeys with wild abandon, maintain the TOTP fallback in the rare (and increasingly so over time) case where your webauthn stack shits itself, but treat "I have to enter a TOTP" as an extremely rare and dangerous thing that should only ever come from an action that you initiate (i.e.: never, ever when you click a link in email)
Glyph (#9), replying to Andreas:

@andreasio @bitprophet you're wrong, because you are underestimating how bad passwords are and how often people get pwned due to their flaws. they seem normal, but it's dire. approval-app "2FA" is almost as bad.

the things you're referencing are real issues, and I'd be nervous about any website which required me to lock myself out from everything except a *single* passkey, but that's not how any big site's auth works. password/TOTP/SMS fallbacks are still everywhere. (a bit too common, IMHO).
John (#10), replying to Jon (Snarf) Mason:

@snarfmason Passkeys are really good, but the forcing/tricking people into using them rubs people the wrong way.
Andreas (#11), replying to Glyph:

@bitprophet @glyph Mozilla recommends that sites nudge users to delete alternative login methods?
https://developer.mozilla.org/en-US/docs/Web/Security/Authentication/Passkeys#migrating_from_passwords

My understanding is that extensions in Chrome and Firefox can see what the browser sees. Let's say ublock gets compromised, and my browser is connected to e.g. keepass. Can ublock steal my private keys?

Just saying. This is what I fear. Maybe I misunderstand. But passkeys just seem to me to require trust of too many applications and third parties and even myself.
cassie (#12), replying to Glyph:

@glyph yeah I was very happy with 1Password but I didn’t want to jump into cloud subscription software and the legacy extension is rotting which is part of why I can’t rely on it. Also it never got good tools for merging different accounts that are actually the same. And Passwords.app has a different set of problems like occasionally disconnecting from my browser and being even worse at merging accounts.
Glyph (#13), replying to Andreas:

@andreasio @bitprophet Mozilla says a lot of things and almost none of them are based in reality.

I do not believe that extensions have full access to each other's internals. Not completely sure, I'm not a browser extension developer, but malicious extension attacks are always "fake password manager" or "clickjacking", not "reach into pw manager data structures and steal private keys" so I don't think so.
Glyph (#14), continuing:

@andreasio @bitprophet your concerns are not unreasonable, they're just mis-prioritized. Passwords already have all of these issues (unless you're not using a password manager in which case you're in _way_ worse trouble anyway) and a whole bunch more that you're under-weighting.
Glyph (#15), replying to cassie:

@porglezomp I understand the trepidation about subscription software, but personally I am happy to subscribe. I want 1password to update to every new OS security feature, to always be available on lots of new devices, to be up to date and constantly responsive to evolving threats, and that involves a constantly-maintained service not just a drop-it-and-forget-it app purchase.
cassie (#16), replying to Glyph:

@glyph I was more opposed to the switch to only supporting online vaults than the subscription but I guess that’s always true with apple’s Passwords so I might as well switch back.
Will Smart (#17), replying to Jon (Snarf) Mason:

@snarfmason @bitprophet if you don't mind sharing, what's stopping you from trusting passkeys / being pro-passkey? Not looking to debate, just to understand.
Jeff Forcier (#18), replying to Glyph:

@glyph yea fair, I should keep my eyes out more for where they are an upgrade-with-fallback.

I /have/ seen them put to good use when stored inside 1P, which (IIUC) should mean they’ll also be proof against any sort of device loss.

Also, lol at clicking links in emails! Who does that. I mean I know who, but, it ain’t me that’s for sure.
Glyph (#19), replying to Jeff Forcier:

@bitprophet the ones stored in Chrome and iCloud accounts are also cloud synced and resilient to device loss. the only "passkey"-shaped thing that isn't, is a yubikey, which is not really designed for any use-case without an out-of-band device reset