#faceid

podfeet: Has anyone else had to reset FaceID on their iPhone in the past few days? I have two anecdotes of this happening, looking for a pattern.

#Apple #iPhone #FaceID
Replied in thread

@webhat : Passwordless actually exists on iPhone or iPad under realistic circumstances - that is, not taking into account unlocking the screen (using a PIN, a password or biometrics).

Consider the situation when some stranger borrows your iPhone to make a phone call, or you let your child play a game on your iPad: in such cases they may be able to log in as you onto various websites. That is, without knowing your screen unlock code (or somehow being able to simulate your biometrics).

On specific websites this also works even when using passkeys (no PIN, password or biometrics is required to use the passkey).

It obviously is a vulnerability. But after I filed a bug report in June 2023, Apple denied that it is. And they've not fixed it either.

BTW this works (on iPhone or iPad) in Safari, Firefox, Edge and Chrome (except that in Chrome, "passkey without local auth" only works if, in condition 3️⃣ below, only iCloud Keychain is enabled and no other 'optional' password manager such as KeePassium).

The conditions are:

1️⃣ The password or passkey is stored in iCloud KeyChain;

2️⃣ EITHER: you've NOT configured any biometrics to unlock the screen (meaning that you must use a pincode or a password to unlock the screen - a use case quite common because some people don't like to use, or don't trust, biometrics),

OR: (not common, I found it during testing) 'Settings' > 'Touch ID and Passcode': 'Password Autofill' is OFF;

3️⃣ In 'Settings' > 'Passwords' > 'Password Options' (all quite common):
• 'Autofill Passwords and Passkeys' is ON;
• 'iCloud Keychain' is ON;
• Optionally another password manager is enabled (in my iPhone 'KeePassium' is ON).

4️⃣ Passkeys only: (this is irrelevant for passwords, and applies only to iOS and iPadOS versions that support passkeys): the website you (or the borrower of your iDevice) want to sign in to (using your account) must support "WebAuthn Conditional UI" [1] AND it must specify:
    'User Verification': 'Preferred'
(the latter value, stupidly, is the WebAuthn default; the other options are 'Discouraged' and 'Required').

[1] github.com/w3c/webauthn/wiki/E

In short, "WebAuthn Conditional UI" means that the website ALSO accepts a passkey in case you activate (tap in and see a blinking cursor) the user-ID input field (instead of tapping a button labeled e.g. "Sign in using passkey"). Doing that will invoke iCloud KeyChain and lets you select the right passkey.

Two examples (there are more) of such websites (for free testing purposes) are:
passkeys-demo.appspot.com
webauthn.io

AND, NOTABLY, Apple's production SSO site: https://idmsa.apple.com

Note that your browser is redirected to the idmsa site (in order to SSO to Apple) when you open the bugreport that I filed in June 2023:
security.apple.com/signin?path

Here's the recipe for passwords:

🔸 Ensure that conditions 1️⃣, 2️⃣ and 3️⃣ mentioned above are met;

🔸 Open a website where you have an account with its credentials saved in iCloud Keychain. Invoke the login screen and tap into the user-ID field;

🔸 Tap the proposed account name. Now iCloud Keychain autofills your user-ID and password into the right fields.

And the recipe for passkeys:

🔸 Ensure that conditions 1️⃣, 2️⃣, and 3️⃣ mentioned above are met;

🔸 Open security.apple.com/signin?path

🔸 A box pops up from the bottom of the screen. Tap the X at the top-right to close it.

🔸 Tap in the input field "Email or Phone Number", then tap your iCloud ID at the bottom of your screen. Now you will be logged in to Apple without using local auth.

Note that you'll probably see a "403 access denied" error, because (although you HAVE logged in) you are not *authorized* to view the bug report.

This is passwordless 1FA because the possession of the (unlocked) device suffices.

GitHub · Explainer: WebAuthn Conditional UI · Web Authentication: An API for accessing Public Key Credentials (w3c/webauthn)
#Apple #iOS #iPhone
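An added example of the relying-party side mitigation for the "passkey without local auth" behaviour described in the post above (illustrative code written for this page, not Apple's code and not part of the w3c/webauthn project): it builds Conditional UI request options with userVerification set to 'required' instead of the 'preferred' default mentioned in condition 4️⃣, and parses the authenticatorData returned in an assertion so the server rejects sign-ins where the UV flag is clear. The authenticatorData bytes, the rpId "example.com" and the function names are constructed for illustration; it runs under Node.js.

```javascript
// Added example, not from the thread. Two defender-side parts:
//  1. request options that ask the platform for user verification, and
//  2. server-side parsing of authenticatorData that rejects assertions whose
//     UV (user verified) flag is not set, whatever the client asked for.
// Runs under Node.js (uses Buffer); navigator.credentials.get is not invoked.

// 1. Client-side options for a Conditional UI (autofill) sign-in.
//    'preferred' is the WebAuthn default; 'required' tells the authenticator
//    that a user-verifying gesture (PIN, password or biometric) must happen.
function buildConditionalGetOptions(challenge, rpId) {
  return {
    mediation: "conditional", // autofill-style UI, triggered by the username field
    publicKey: {
      challenge,              // Uint8Array issued by the server, one per ceremony
      rpId,                   // hypothetical relying party id, e.g. "example.com"
      userVerification: "required",
      timeout: 60000,
    },
  };
}
// In a browser this object is passed to navigator.credentials.get(options).

// 2. Server-side check. authenticatorData layout (WebAuthn spec, section 6.1):
//    bytes [0..32) rpIdHash, byte 32 flags, bytes [33..37) signCount (big-endian)
const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified

function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  return {
    rpIdHash: authData.subarray(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: authData.readUInt32BE(33),
  };
}

// Policy: accept an assertion only if the authenticator reports that the user
// was both present and verified. Requesting 'required' is not enough on its
// own; the server must check the flag it actually received.
function assertionMeetsPolicy(authData) {
  const parsed = parseAuthenticatorData(authData);
  return parsed.userPresent && parsed.userVerified;
}

// Constructed sample authenticatorData values (not real captures).
function sampleAuthData(flags) {
  const buf = Buffer.alloc(37);
  buf.fill(0xaa, 0, 32);    // placeholder rpIdHash
  buf[32] = flags;
  buf.writeUInt32BE(7, 33); // arbitrary signature counter
  return buf;
}

const assertionWithUV = sampleAuthData(FLAG_UP | FLAG_UV);  // local auth performed
const assertionWithoutUV = sampleAuthData(FLAG_UP);         // presence only, no local auth

console.log("with UV accepted:", assertionMeetsPolicy(assertionWithUV));       // true
console.log("without UV accepted:", assertionMeetsPolicy(assertionWithoutUV)); // false
```

The second part matters because the request options are only a hint to the client: a relying party that wants local authentication to be a condition of sign-in has to inspect the flags byte of every assertion it verifies, not just set userVerification on the way out.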
Replied in thread

@_Bilito If I'm not mistaken, it works like asymmetric encryption. For example, the kind we use to connect to a server via #SSH. As I understand it, a public/private key pair is generated; you send the public key to the service and the private key stays on your device, located in the secure enclave and accessible only with biometrics (#Faceid, #Touchid), so yes, they are on your device. (1/2)

#Apple Testing New Stolen Device Protection Feature for iPhones

Available in 17.3 beta.

Trend of thieves recording people using passcodes on their iPhone and then stealing it. With the passcode, they take control of the victim's AppleID (and access saved passwords) and usually pilfer financial accounts.

With the new Stolen Device Protection feature, access to saved passwords requires #FaceID. #Security delays are enabled for other actions like erasing the phone and disabling Find My.

#cybersecurity #opsec #ios #iphone

securityweek.com/apple-testing

SecurityWeek · Apple Testing New Stolen Device Protection Feature for iPhones · Apple is testing a new security feature that should limit what iPhone thieves can do with a stolen phone, even if they have the passcode.
Replied in thread

Iran installs cameras in public places to identify, penalise unveiled women

"In a further attempt to rein in the increasing number of women defying Iran's compulsory dress code, authorities are installing cameras in public places and thoroughfares to identify and penalise unveiled women, the police announced on Saturday.
After they have been identified, violators will receive “warning text messages as to the consequences”, police said in a statement."

reuters.com/world/middle-east/

Reuters · Iran installs cameras in public places to identify, penalise unveiled women · In a further attempt to rein in the increasing number of women defying Iran's compulsory dress code, authorities are installing cameras in public places and thoroughfares to identify and penalise unveiled women, the police announced on Saturday.

Hello #mathstodon, it’s great to be here! Hard to #introduce myself in 500 chars but here we go:

I currently work as an #SRE where I enjoy automating my job. I’ve also studied electron #optics at one of the world’s largest #laser facilities, built robotic tools for the #Apple #FaceID team, and written firmware for #autonomouscar #radar sensors.

I’m passionate about #combinatorics , #gametheory , and #numbertheory.

In my spare moments you can find me #composing #music, #hiking, and #reading.