Support Passkeys on the Forum


Dumdum see you’re making one of the worst mistakes in cybersecurity: relying on humans not to mess up. Why not take out the human error possibility entirely? That’s what passkeys do. You get all the convenience and much less possibility of human error.

Also idk about you, but my password manager fails to autofill sometimes even when I’m on the correct website.

    ticklemyIP It falls on the "attacker already knows your password by whatever means" side. Users have terrible shitty passwords all the time, while they can still use TOTP.

    I agree, which is why I find it to be simply staggering to say that TOTP provides no security benefits even in events such as leaked/hacked login information. In such events, even a randomised 100+ character password loses its strength of security and an extra barrier would obviously prove beneficial.


      Dumdum Leaked password is pretty much the only time TOTP does anything useful, true. I don’t think it’s useless, but the inconvenience vs security benefit is way off balance. It does more to lock you out of your own account than to keep others out. God help you if your janky separate TOTP manager that everyone uses breaks or something; all your accounts are toast.

        fria see you’re making one of the worst mistakes in cybersecurity: relying on humans not to mess up. Why not take out the human error possibility entirely?

        Except I'm not. I've never suggested anything against passkeys. I agree that passkeys are superior and obviously preferred. Merely stating the truth that password managers can be used as a security measure (albeit not as good of a security measure) does nothing more than just that. I would appreciate if assumptions stop being made.


          Dumdum you were suggesting that the autofill in password managers could be relied on for security, which is what I was arguing against. Password managers in general are an improvement in security of course, I’m only talking about the autofill feature.

            fria you were suggesting that the autofill in password managers could be relied on for security

            Once again, I never said/suggested that they could be relied on. Just that it was something you could do.

            • [deleted]

            fria Solid point. However, wouldn't I be fucked to the same extent if I lost/broke my hardware key?
            It's much easier to lose than my TOTP database.


              [deleted] Well, passkeys are best used with your password manager, synced across all your devices and backed up in the cloud. So you wouldn’t be fucked in that case. If you chose to only use them in your hardware key then that would be a risk, but a self-imposed one.

                • [deleted]


                I'd also make the argument that hardware keys can't actually replace passwords because they can be taken from you by force, unlike a password in your head.

                • [deleted]

                fria Ah, I get it. Thanks!

                Manna Brilliant quote.

                ticklemyIP If it were true that TOTP has no value beyond random passwords from a password manager Micay would not use it.

                The quote in the post by Manna is being misinterpreted as saying that TOTP has no value, while the quote doesn't say that: "doesn't add any significant value" is not equal to "no value".

                As to the topic of this thread: in my view, developers of GrapheneOS are already busy with developing their own secure and private OS. Flarum will likely add support for passkeys anyway, and why should GrapheneOS spend dozens of hours on a feature that might get implemented upstream next week?

                  fid02 Oh yeah maybe I should bug upstream about it then.

                  An extension for passkey login exists, but we are very unlikely to use it:

                  https://flarum.org/extension/hikarilan/flarum-passkey-login

                  We have a rule to only use extensions from Friends of Flarum, as they are the only ones that are maintained long-term and have a reputation for high quality. Introducing a passkey extension that stops being maintained or breaks would be pretty catastrophic and would force our team to have to deal with it instead, which is not where we want to be.