Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
shakedown.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A community for live music fans with roots in the jam scene. Shakedown Social is run by a team of volunteers (led by @clifff and @sethadam1) and funded by donations.

Administered by:

Server stats:

289
active users

shakedown.social: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.4

#passkeys

1 post1 participant0 posts today
Public *
Karl Voit :emacs: :orgmode:

#TroyHunt fell for a #phishing attack on his mailinglist members: troyhunt.com/a-sneaky-phish-ju

Some of the ingredients: #Outlook and its habit of hiding important information from the user and missing #2FA which is phishing-resistant.

Use #FIDO2 with hardware tokens if possible (#Passkeys without FIDO2 HW tokens are NOT phishing-resistant due to the possibility of being able to trick users with credential transfers: arxiv.org/abs/2501.07380) and avoid Outlook (or #Microsoft) whenever possible.

Further learning: it could happen to the best of us! Don't be ashamed, try to minimize risks and be open about your mistakes.

Note: any 2FA is better than no 2FA at all.

Troy Hunt · A Sneaky Phish Just Grabbed my Mailchimp Mailing ListYou know when you're really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That's me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing
#email#malware#security
Replied in thread
Public *
Erik van Straten

@zak @zenbrowser : a still unfixed vulnerability: if NOT using Touch ID, on some websites you may be able to sign in using a passkey WITHOUT authenticating locally - using biometrics or your passcode (screen unlock code).

⛓️💥 This vulnerability also exists WITH Touch ID set up, provided that "Password Autofill" is disabled.

BTW this vulnerability also permits access to:
icloud.com
account.apple.com
(When asked to provide your fingerprint, tap the X at the top right and tap in the "Email" field one more time).

This is a HUGE risk for people who do not want to use biometrics: if a thief grabs their iPhone when unlocked, or watches them enter their passcode and later steals their iPhone, the thief can use ALL of the owner's passwords and some of their passkeys stored in the "Passwords" app (formerly known as iCloud Keychain).

🎬 This increases the risks of theft as shown by WSJ's Joanna Stern in youtube.com/watch?v=QUYODQB_2wQ.

👶 In addition, a (grand) child or anyone else who (shortly) borrows your iPhone/iPad may have access to more of your cloud-accounts than you're aware of.

🔧 Workaround if you don't want to use biometrics to unlock your iPhone/iPad (this does not fix any problem if a thief learns (or successfully guesses) your passcode (screen unlock PIN or password):

• Set up a Touch ID anyway, for example for your left pinky finger (if you're righthanded)

• Disable "iPhone Unlock" in "Touch ID and Passcode" (visible in the first screenshot).

• Use a safer password manager (such as KeePassium) than the Apple "Passwords" app (iCloud KeyChain).

🚨 In any case:

• Make sure that "Password Autofill" (in settings -> "Touch ID and Passcode") is set to ENABLED;

• When you enter your passcode in a public place (such as a bar, bus or train), make very sure that nobody gets to see you enter it.

No fingerprint comfigured. However, even WITH a fingerprint configured, the vulnerability also exists if "Password Autofil"l is off.
Assuming that you already created a passkey for passkeys.io, tap in the "Email" field.
Tap "Use Passkey"
Tadaa... logged in WITHOUT local authentication.
#iPhone#iPad#Vulnerability
Public
Ölbaum

Any #passkeys experts around here? My government’s IT service maintains that they are correct when they use the term “passkey” to mean “hardware security device” (YubiKey and stuff,) and that I’m wrong for (1) saying those have never been called “passkeys” before the real passkeys were introduced and (2) expecting passkey support to mean the software passkeys provided by Safari or 1Password. #passkey

Public
EdTech Situation Room

Better late than never... It published instantly to YouTube, but now you can check out our Episode 338 "AI Security Concerns" from October 23, 2024 on both edtechSR.com and Substack!
edtechsr.com/2025/02/14/edtech

The Substack version contains BOTH links we discussed during the episode AND those we found but didn't have time to talk about:
edtechsr.substack.com/p/edtech

A visualization of the key themes from the podcast episode. There's a computer screen with a Zoom meeting in progress. A floppy disk is placed on a table. A device with the passkey logo is displayed. A fiber optic cable is coiled up. A brain with AI circuitry is shown. A chatbot with a sad expression is depicted.
#edtechSR#AI#edtech
Public
Erik van Straten

Passkey/password bug: iOS 18.3.1

Ook in iOS versie 18.3.1 is de eerder door mij gemelde iCloud KeyChain (*) kwetsbaarheid nog niet gerepareerd (eerder schreef ik hierover, Engelstalig: infosec.exchange/@ErikvanStrat).

(*) Tegenwoordig is dat de app genaamd "Wachtwoorden" (of "Passwords").

De kwetsbaarheid bestaat indien:

• De eigenaar een "passcode" (pincode of wachtwoord) gebruikt om de iPhone of iPad te ontgrendelen - en er GÉÉN biometrie is geconfigureerd;

ofwel:

• De gebruiker wel biometrie kan gebruiken om het scherm te ontgrendelen, doch in 'Instellingen' > 'Touch ID en toegangscode' de instelling "Autom. invullen wachtw." is UITgezet.

Zie onderstaande screenshots (Engelstalig in infosec.exchange/@ErikvanStrat). Meer info ziet u door op "Alt" in de plaatjes te drukken.

Probleem: iedereen met toegang tot de ontgrendelde iPhone of iPad kan dan, *zonder* opnieuw lokaal te hoeven authenticeren:

1) Op elke website inloggen waarvan het user-ID en wachtwoord in iCloud Keychain zijn opgeslagen;

2) Met passkeys op enkele specifieke websites inloggen (waaronder account.apple.com en icloud.com), namelijk als volgt:

a) Open de website;
b) Druk op "Inloggen";
c) Druk op de "x" rechts bovenaan de pop-up die verschijnt (in de onderste schermhelft);
d) Druk kort in het veld waar om het e-mailadres gevraagd wordt;
e) Druk op de knop "gebruik passkey".

Risico: uitlenen van een unlocked iDevice (o.a. aan kinderen) maar ook diefstal nadat de passcode is afgekeken. Of als de dief geen passcode heeft, als deze wacht tot de eerstvolgende iOS/iPadOS kwetsbaarheid bekend wordt waarbij de schermontgrendeling omzeild kan worden.

Als u ze nog niet gezien heeft, bekijk in elk geval de eerste van de volgende twee video's van Joanna Stern (van de Wall Street Journal):
youtube.com/watch?v=QUYODQB_2wQ
youtube.com/watch?v=tCfb9Wizq9Q

Screenshot van mijn iPhone in 'Instellingen' > 'Algemeen' > 'Vul automatisch in en wachtwoorden'. Bovenaan staat AAN: - "Vul wachtwoorden en passkeys automatisch in" Onder het kopje "VUL AUTOMATISCH IN VANUIT" staan bij mij AAN: - "Wachtwoorden" - "KeePassium" Uit staan bij mij: - Chrome - Edge - Firefox
Screenshot van mijn iPhone in 'Instellingen' > 'Touch ID en toegangscode'. Relevante instellingen: - "iPhone ontgrendeling" staat AAN - "Autom. invullen wachtw." staat UIT Te zien is dat er een vingerafdruk is geconfigureerd. De kwetsbaarheid bestaat UITSLUITEND indien "Autom. invullen wachtw." UIT staat. Indien er géén vingerafdruk is geconfigureerd, staat "Autom. invullen wachtw." altijd uit (en kan niet worden aangezet).
#TouchID#FaceID#Passkeys
Replied in thread
Public *
Erik van Straten

@thomasbosboom : I reported the passkkey (and password) bug privately to Apple in the summer of 2023. Even after providing a near endless amount of screenshots and other proof, Apple said it's a wontfix.

The basic issue is that, if the user does not use biometrics to unlock their iPhone or iPad, they are NOT asked to enter their (screen unlock) passcode to use passwords from iCloud keychain.

IMO that on itself is already insane (considering [1]). Many people do not use biometrics.

If no bio is used (and even if it is) there are specific circumstances where someone with access to an unlocked iDevice (think of children) can use passkeys without any local authentication.

Just tested using iOS v18.3: with my iPhone unlocked, I can log in to icloud.com and (fixed URL 20:48 UTC) account.apple.com using the passkey on my iPhone WITHOUT providing any credentials.

If @rmondello reads this: thank you for adding the Safari "Not Secure Connection Warning"!

Even if it not enabled by default, this http warning should help protect against EvilTwin attacks (such as described in bleepingcomputer.com/news/secu).

[1] See WSJ's Joanna Stern in youtube.com/watch?v=QUYODQB_2wQ and youtube.com/watch?v=tCfb9Wizq9Q. And no, I do not believe that Stolen Device Protection is a good idea. Most people will not use it.

@roman78

icloud.comiCloudLog in to iCloud to access your photos, mail, notes, documents and more. Sign in with your Apple Account or create a new account to start using Apple services.
#httpsOnly#httpWarning#Passkeys
Replied in thread
Public
Erik van Straten

@thomasbosboom : onder Android is het risico niet denkbeeldig dat je al jouw passkeys kwijtraakt of dat ze niet syncroniseren naar een ander toestel.

Onder iOS en iPadOS zijn er omstandigheden waarbij iemand, die een ontgrendelde iPhond of iPad in handen heeft (zoals een dief die zo'n apparaat uit jouw handen grist op het moment dat je het gebruikt), met 0FA van jouw iCloud wachtwoorden en passkeys gebruik kan maken.

infosec.exchange/@ErikvanStrat

Allemaal "wontfix" door Apple/Google en het Chromium team.

@roman78

Infosec ExchangeErik van Straten (@ErikvanStraten@infosec.exchange)Attached: 1 image @ryanrowcliffe : thanks for your kind response. I fully agree that if software (instead of the user) checks the website name (domain name) before submitting *any* credentials, is a perfect solution for most of the "fake site" attacks (except https://infosec.exchange/@ErikvanStraten/112914047006977222). Unfortunately passkey implementations are insufficiently mature for the masses (I'm not talking about my *personal* situation). And I do like passkeys, but they must work flawlessly before I'm going to advise anyone to use them. People who never used a pw manager will *not* install one to use passkeys. On their tablets and smartphones (marktshare increasing) they'll use Apple's or Google's. During my research I found at least three ways to fully unexpectedly lose access to part or all of one's Android passkeys: 1) The unexplicable and fearsome Android screen reading "Your encrypted data is locked on this device" (Google it or see https://infosec.exchange/@ErikvanStraten/113730072998238596) when trying to use passkeys. This is a long time bug that, afaik, has not been fixed. 2) For privacy reasons, setting up a passphrase for Chrome sync is a good idea. However, if you ever want to change or remove that passphrase, Google directs you to the bottom of https://chrome.google.com/sync (see the screenshot below). Tapping "Delete data" will delete ALL of your passkeys (on all your Android devices) without warning. Note: this text notably is the "fix" made by Adam Langley in response to my post to https://seclists.org/fulldisclosure/2024/Feb/15 (after wasting a long time after my bugreports to the Google and Chrome team): before it read "This won't delete any data from your devices". Note: it appears to be a misconception that passkeys are synced from your device(s) to the cloud. They're cloud-based and sync to your devices. Google stores the encryption keys and, afaik, generates them on their servers. Furthermore, bugsolving is hampered by the fact that both Google and (separate) Chrome teams have to handle them. 3) If you have more than one Android device, you may run into the situation where your passkey's private keys are encrypted using *different* encryption keys. They will sync fine to other devices, but are unusable on them (see my FD post). I've not tested this for quite some time, so this issue may have been fixed (if Google did, they didn't bother to notify me). Google online help is horrific: https://infosec.exchange/@ErikvanStraten/113730722652512878. Edited 12:10 UTC to add: a somewhat acceptable translation from Dutch to English of my writeup "Passkeys for laymen" can be seen by opening https://www-security-nl.translate.goog/posting/798699/Passkeys+voor+leken?_x_tr_sl=nl&_x_tr_tl=en&_x_tr_hl=nl (it appears to work in Chrome, looks like a phishing link and has a certificate with a zillion of different domain names 🤔). The original article, in Dutch, can be seen in https://www.security.nl/posting/798699/Passkeys+voor+leken. 🧵1/2 @agl #Passkeys #Immature #ImplementationFlaws
#Passkeys#Vulns#Bugs
Replied in thread
Public
Erik van Straten

@roman78 : los van dat Brave beslist niet vrij van kritiek is: de bulk van de mensen gebruikt wat standaard aanwezig is.

Het valt mij vaak niet mee, maar om mensen zo goed mogelijk te kunnen adviseren, ga ik juist geen gekke dingen doen (zoals een alternatief OS installeren op mijn Google Pixel 6 Pro).

En test ik met passkeys van Apple en Google [1], ook al zou Bitwarden o.i.d. installeren veiliger zijn (maar mensen die *nu* geen wachtwoordmanager gebruiken, gaan dat *niet* doen om veilig passkeys te kunnen gebruiken).

Ik denk in veel gevallen (beslist niet alle) te *weten* dat ik risico's neem, en ruwweg hoe groot die zijn. Dus heb ik meerdere browsers op mijn smartphones.

@thomasbosboom

[1] Zie bijv. ncsc.gov.uk/blog-post/passkeys en een samenvatting daarvan met links naar passkey-bugs die ik vond: infosec.exchange/@ErikvanStrat.

www.ncsc.gov.ukPasskeys: they're not perfect but they're getting betterPasskeys are the future of authentication, offering enhanced security and convenience over passwords, but widespread adoption faces challenges that the NCSC is working to resolve.
#Browsers#Standaard#Passkeys
Public
Marcus Adams

I haven't adopted #PassKeys for my accounts because, as far as I can tell, there aren't really any options that let me own my private key and store it myself; they all depend on trusting somebody like Google, Meta or Apple to handle it for you, which completely defeats the purpose in my opinion. Like #PGP / #GPG, I want to own the private key so I can manage it myself. Trusting your PassKey to a third party app that's only on your phone introduces a single point of failure.

A screenshot of a message prompt I got when trying to set up a passkey with one of my online accounts. It doesn't give me the private key to save into the app of my choice, it demands that I use the mobile app on a Google or Apple device to set up and use the passkey.
A screenshot of a message prompt I got when trying to set up a passkey with one of my online accounts. It doesn't give me the private key to save into the app of my choice, it demands that I use the mobile app on a Google or Apple device to set up and use the passkey.
#Security#Privacy
Replied in thread
Public
Erik van Straten

@rmondello : in fact, I did.

infosec.exchange/@ErikvanStrat

Infosec ExchangeErik van Straten (@ErikvanStraten@infosec.exchange)Passkey advice (ncsc.gov.uk) From https://www.ncsc.gov.uk/blog-post/passkeys-not-perfect-getting-better (highly condensed by me): ❝ What then are the remaining problems with passkeys? 🔸 Inconsistent support and experiences 🔸 Device loss scenarios 🔸 Migration issues 🔸 Account recovery processes 🔸 Platform differences 🔸 Implementation complexity 🔸 Inconsistent use 🔸 Uncertainty around multi-factor status ❞ 🔹 I recently wrote about a number of Android an iOS/iPadOS vulnerabilities (including account lock-out risks) in https://infosec.exchange/@ErikvanStraten/113820358011090612 and a couple of follow-up toots. 🔹 People wanting to know the basics of passkeys can read a somewhat acceptable translation from Dutch to English of my writeup "Passkeys for laymen", which can be seen by opening https://www-security-nl.translate.goog/posting/798699/Passkeys+voor+leken?_x_tr_sl=nl&_x_tr_tl=en&_x_tr_hl=nl (which seems to work in Chrome). The original article, in Dutch, can be seen in https://www.security.nl/posting/798699/Passkeys+voor+leken. 🔹 A good source of (unbiased!) info is also Dan Goodin's article in https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/. 🔹 Finally: the problem with passwords starts with a 'p': it's PEOPLE. Use a password manager as I describe in https://infosec.exchange/@ErikvanStraten/113022180851761038 (with Android screenshot: https://infosec.exchange/@ErikvanStraten/113549056619471557). #Passkeys #WebAuthn #FIDO2 #Passwords
#Passkeys#NoCredsNeeded#0FA
Public
Aaron Toponce ⚛️:debian:

Hard pass. I will not use #passkeys and will tell my friends and family to do the same.

So long as attestation part of the WebAuthn spec, it allows companies to lock consumers into using specific passkey managers.

It's exactly like streaming subscriptions. Attestation sets up the dystopia of a paid 1Password account for your email passkey, a paid LastPass account for your utility account passkey, a paid Bitwarden account for your health insurance, etc.

#passwords

ncsc.gov.uk/blog-post/passkeys

www.ncsc.gov.ukPasskeys: they're not perfect but they're getting betterPasskeys are the future of authentication, offering enhanced security and convenience over passwords, but widespread adoption faces challenges that the NCSC is working to resolve.
Public
Erik van Straten

Passkey advice (ncsc.gov.uk)

From ncsc.gov.uk/blog-post/passkeys (highly condensed by me):

What then are the remaining problems with passkeys?
🔸 Inconsistent support and experiences
🔸 Device loss scenarios
🔸 Migration issues
🔸 Account recovery processes
🔸 Platform differences
🔸 Implementation complexity
🔸 Inconsistent use
🔸 Uncertainty around multi-factor status

🔹 I recently wrote about a number of Android an iOS/iPadOS vulnerabilities (including account lock-out risks) in infosec.exchange/@ErikvanStrat and a couple of follow-up toots.

🔹 People wanting to know the basics of passkeys can read a somewhat acceptable translation from Dutch to English of my writeup "Passkeys for laymen", which can be seen by opening www-security-nl.translate.goog (which seems to work in Chrome). The original article, in Dutch, can be seen in security.nl/posting/798699/Pas.

🔹 A good source of (unbiased!) info is also Dan Goodin's article in arstechnica.com/security/2024/.

🔹 Finally: the problem with passwords starts with a 'p': it's PEOPLE. Use a password manager as I describe in infosec.exchange/@ErikvanStrat (with Android screenshot: infosec.exchange/@ErikvanStrat).

www.ncsc.gov.ukPasskeys: they're not perfect but they're getting betterPasskeys are the future of authentication, offering enhanced security and convenience over passwords, but widespread adoption faces challenges that the NCSC is working to resolve.
#Passkeys#WebAuthn#FIDO2
ExploreLive feeds
About