Hey techos
Is it worth switching to passkeys?
Tired of managing passwords and 2FA codes?
Passkeys are the secure, phishing-proof future.
Biometric login
Device-based keys
Already supported by major platforms
Dive deeper at https://betweenthehacks.com/passkeys
Last fall, the FIDO Alliance announced a new system for importing and exporting passkeys across devices and platforms. The Google Password Manager now shows signs of work towards implementing just such a system.
#passkeys #security #google #password
https://www.androidauthority.com/passkey-import-3540069/
@keno3003 (2/2) The only protection against this is using physical #FIDO2 tokens ("device-bound passkeys" only in the "roaming-authenticator" variant!), which by design rule out extraction of the secret. This is therefore the only truly phishing-resistant authentication method.
IMO the tips at the end of the video *with a focus on security* should therefore read differently:
- best to get 2 #FIDO2 HW tokens and use them for all #Passkeys (for #IDAustria Austria: https://www.oesterreich.gv.at/dam/jcr:972a25a0-65e6-4c2e-9422-a2e02ce16f2d/20230613_ID-Austria_FIDO.pdf)
- do not use phishing-prone fall-back mechanisms: i.e. only the 2nd FIDO2 token
- any 2FA is better than none
- never send passwords to the cloud (cloud PW managers)
HTH
@keno3003 re "Das Problem mit Passkeys" https://www.youtube.com/watch?v=u7Ti-Jc-b3A&pp=ygUYZGFzIHByb2JsZW0gYmVpIHBhc3NrZXlz
Sorry, but it is unfortunately not true that #Passkeys are always absolutely resistant to #Phishing.
https://arxiv.org/abs/2501.07380
"Another concern could be social engineering, where a user is tricked into sharing a passkey with an account controlled by an attacker."
By my interpretation, transferring passkeys to other people therefore clearly enables phishing methods. These may not have shown up in practice yet, but they certainly cannot be ruled out.
(1/2)
Top Passwordless Identity Assurance Trends for 2025 – Source: securityboulevard.com https://ciso2ciso.com/top-passwordless-identity-assurance-trends-for-2025-source-securityboulevard-com/ #rssfeedpostgeneratorecho #SecurityBloggersNetwork #identityverification #CompanyHighlights #CyberSecurityNews #SecurityBoulevard #Identity&Access #authentication #Industrynews #passwordless #Perspectives #Passkeys #SBNNews #FIDO
I was surprised last night to see that the latest Yubikeys support 100 #Passkeys, as opposed to the previous limit of 32, but it still doesn't feel like the best solution.
Am I the only one who absolutely starts to hate #passkeys? Every time it's a dance to figure out which one or more passkeys I used with service X. Is it my phone, Bitwarden, one of my yubikeys, my Mac or chrome profile?
It's 'Log in with Google/Facebook/etc' all over again...
Help needed: I use #keepassxc and #keepassdx on various platforms. I do not use the browser integration of keepassxc. I see that keepassxc allows the usage of #passkeys. But I have no clue how to use a passkeys on several devices with keepassxc and keepassdx. And how would I incorporate it in my iPadOS (prio2)?
The only thing I see working is using Bitwarden or Protonpass or so. But I like my keepass apps.
Microsoft Unifies Sign-In Systems for Windows, Xbox, and Microsoft 365
#Microsoft #Windows11 #Xbox #Microsoft365 #Passkeys #CyberSecurity #Authentication #BigTech
About Troy Hunt being phished.
He noticed that his password manager's autocomplete didn't trigger, he ignored it, and says that phishing-resistant #passkeys would solve this. True, but I encountered on many occasions that passkeys simply don't work for whatever reason, and I have to fall back to using OTP, defeating the whole point.
RE: https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/
New Microsoft sign-in: nicer, smarter, more secure
https://techupdate.io/microsoft/neue-microsoft-anmeldung-schoener-schlauer-sicherer/50240/
@yacc143 FYI: #Passkeys and #FIDO2 (= "device-bound #passkey" which can be divided into "platform-" and "roaming-authenticators") are identical except the #cloud-sync mechanism (as of my current understanding).
So unfortunately, they get mixed up or are considered as totally different things. Both are wrong.
In reality, they are very similar, except that FIDO2 hardware tokens ("device-bound passkeys" only in their "roaming-authenticator" variant) are designed in such a way that passkeys cannot be extracted from the device (at least for the moment).
Therefore, users of HW tokens can't be tricked into transferring their passkey to a rogue third party, which is possible with all other Passkey variants. Therefore: passkeys are NOT #phishing-resistant in the general case.
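As an added illustration of the device-bound vs synced distinction discussed in the post above (this is example code, not from the post or any project): a WebAuthn relying party can read the backup-eligible (BE) and backup-state (BS) flags an authenticator sets in authenticatorData and apply a login policy. The authenticatorData bytes below are constructed samples and example.com is an assumed RP ID.

```python
import hashlib
import struct

# Bit positions in the WebAuthn authenticatorData flags byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data included (registration only)
FLAG_ED = 0x80  # extension data included


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData: rpIdHash, flags, signCount."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])  # big-endian uint32
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def classify_passkey(auth_data: bytes, expected_rp_id: str) -> str:
    """Return 'device-bound', 'synced' or 'rejected' for a relying-party policy check."""
    info = parse_authenticator_data(auth_data)
    # rpIdHash must be SHA-256 of our own RP ID: this is the origin binding that
    # stops an assertion made for a look-alike site from being replayed here.
    if info["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return "rejected"
    if not info["user_present"]:
        return "rejected"
    if info["backup_eligible"]:
        return "synced"  # BE set: the key can live in a cloud keychain
    return "device-bound"  # BE clear: the key never leaves the authenticator


def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Constructed sample authenticatorData (not captured from a real authenticator)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    hw_token = make_auth_data("example.com", FLAG_UP | FLAG_UV)
    cloud_key = make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
    print(classify_passkey(hw_token, "example.com"))    # device-bound
    print(classify_passkey(cloud_key, "example.com"))   # synced
    print(classify_passkey(cloud_key, "evil.example"))  # rejected
```

The BE/BS flags are self-reported by the authenticator, so a policy that must guarantee a hardware token needs to verify the registration attestation as well, not only these flags.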
#TroyHunt fell for a #phishing attack on his mailinglist members: https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/
Some of the ingredients: #Outlook and its habit of hiding important information from the user and missing #2FA which is phishing-resistant.
Use #FIDO2 with hardware tokens if possible (#Passkeys without FIDO2 HW tokens are NOT phishing-resistant due to the possibility of being able to trick users with credential transfers: https://arxiv.org/abs/2501.07380) and avoid Outlook (or #Microsoft) whenever possible.
Further learning: it could happen to the best of us! Don't be ashamed, try to minimize risks and be open about your mistakes.
Note: any 2FA is better than no 2FA at all.
Even the best of us can fall for phish.
https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/
That should not happen, but it does because:
So, do we just give up? Sadly that is not an option.
So I think we need to
1 and 2. Demand better tech. The EU product (inc software) liability directive is far from perfect and might end up just enriching lawyers, but at least it's an attempt to make software makers liable for when their software causes harm.
Also #Passkeys
Thanks @troyhunt for being open and transparent about this. I'll add it to my list of examples showing experts getting phished that I like to refer to every time someone says "the user should have known better".
New blog post! A casual explainer on password managers and passkeys.
Goal: have something I can share with friends & family when they ask what I do.
Would love feedback, Fediverse
https://willmartian.com/posts/passwords-managers-passkeys-oh-my/
@0xKaishakunin Thanks for your valuable talk on #Passkeys at #clt2025!
Does that mean there really is no way at all to put a physical backup passkey in the safe and set up accounts with it?? That would be a classic use case for public/private key crypto …
I could put a file-based passkey in the safe and keep it locally encrypted, but I don't want to be able to decrypt it without an emergency trip to the safe.