Comment

Comment on MFA

<- View Parent

LodeMike@lemmy.today ⁨2⁩ ⁨months⁩ ago

No they fucking won’t. You know that websites are going to be massive throbbing cocks about it.

"Due to security issues, passkeys for our service must be kept in <Company name>® Secure Passkey App™

source

Sort:hotnew top

baronvonj@lemmy.world ⁨2⁩ ⁨months⁩ ago
“Your device has been rooted and therefore cannot be supported.”

source
- lemann@lemmy.dbzer0.com ⁨2⁩ ⁨months⁩ ago
  Unironically this…
  
  Passkeys don’t work on my rooted device - they seemingly set up correctly, but sites like GH claim your device passkey doesn’t exist when you try to actually login. When you go to the affected site’s account settings to add the device as a passkey again, an error of some kind claims the passkey already exists 🤷‍♂️
  
  Deleting/re-adding has no effect. Using FF with device biometric passkey auth
  
  source
warm@kbin.earth ⁨2⁩ ⁨months⁩ ago
Fair enough!

source
suzune@ani.social ⁨2⁩ ⁨months⁩ ago
Passkeys are an open standard. You need to install a Webauthn-compliant supplicant that talks to the browser. The supplicant can be anything, as long as it does the required protocol. The browser doesn’t care.

At the moment the browsers are the main problem. They need to open their APIs properly.

source
- LodeMike@lemmy.today ⁨2⁩ ⁨months⁩ ago
  TOTP is an open standard but look at how bad companies have fucked that up.
  
  source
- jj4211@lemmy.world ⁨2⁩ ⁨months⁩ ago
  Problem is part of the standard allows the server to require attestation. So congratulations, they only bless their app, or maybe they only bless iphones.
  
  If the service ignores that, then yes, it’s great. It’s as yet unpopular so it’s hard to know, but in adjacent industries I have seen them lock down the to the point it’s as asinine as “open your app to continue”
  
  source
- SuperIce@lemmy.world ⁨2⁩ ⁨months⁩ ago
  Not necessarily. I found out that bitwarden can generate a QR code that you just scan with your phone that allows your phone to act as a passkey, no browser support required. I was surprised when I discovered that. I had set up my phone as a passkey in Windows, and Windows can use phones as a passkey directly; on Linux that’s not supported so it just gave me a QR code that worked seamlessly. It’s not like a browser URL, but actually triggers the phone’s passkey authentication, kinda like QR codes for WiFi authentication. Pretty neat.
  
  source
rickyrigatoni@lemm.ee ⁨2⁩ ⁨months⁩ ago
Please make your device unsecure to give your account the illusion of security.

source