I think I'm a tech guy and know my fields. I still have no real clue how passkeys work, how it is better, what it really is.
When your security feature is not as simple as - remember a name and a password and store it somewhere safe - it doesn't work.
Something about keys that are on devices. But what happens when I use a phone and a pc? How to get access then? Do I need a User/PW for the first time? Or do I need one of those keys I have to plug into the device first?
SSH is nice because you don't have to think about it. Your private key sits in your .ssh folder, and then everything is transparent. You _can_ put an SSH key in a smartcard if you want, but you have to opt-in to this kind of pain. And even if you do, almost all SSH servers will support that login method without issue.
Passkeys don't sit in your .passkey folder. Your browser doesn't look for passkeys in a standard folder at all. You don't just do passkey-keygen like you would ssh-keygen and forget about it.
Websites might support various combinations of FIDO/U2F/TOTP security keys, your USB security key might support various combination of FIDO2/CTAP/WebAuthn, and the user will be left confused what any of this mess means, why there are so many competing standards, and why they're asked to scan a QR code when they plug in their dongle, and it doesn't just work at all.
Passkeys ought to be exactly like SSH keys. Unfortunately, they are not.
The attempts to restrict when and how they are stored, and how you can access them - those are going to cause a lot of pain and confusion.
I have all of my SSH keys stored in KeepassXC, which (imho) is a lot more secure than having them hang around in my .ssh directory. Open KeepassXC, and the keys are available. Close it, and they're gone. Synchronizing the KeepassXC-file across devices means that I have access to the keys on all of my devices.
The big companies pushing passkeys are trying very hard to prevent this kind of convenience.
They shouldn't be exactly like SSH keys. With SSH keys, you can go and copy/paste your private keys on a scammer's website because they asked you nicely. People will totally do it as they don't understand what they're doing.
The main thing with passkeys, and key dongles in general, is that you simply can't do that as the keys are inaccessible and you can only prove possession of a key when asked by a domain you've explicitly registered with (the proof-of-possession is never sent to any other domain than that which you registered with).
What OP says is that this opens the possibility for key providers to lock-in users, as that seems like an unavoidable side-effect of the legitimate goal of preventing phishing (phishing is the biggest security issue today, to increase security means making phishing impossible, so I still support passkeys as the best solution for that).
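The domain binding described in the comment above, shown as an added relying-party-side check (example code written for this page, not code from the thread or from any WebAuthn library); the clientDataJSON and authenticatorData values are constructed stand-ins, and example.com / not-example.test are placeholder origins:

```python
import base64
import hashlib
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rp_id_hash(rp_id: str) -> bytes:
    # authenticatorData opens with SHA-256(rpId); the authenticator only ever
    # signs for the RP ID the browser handed it, never for another site's.
    return hashlib.sha256(rp_id.encode("utf-8")).digest()


def make_authenticator_data(rp_id: str, flags: int = 0x05, sign_count: int = 1) -> bytes:
    # Constructed stand-in for an authenticator's authData: rpIdHash || flags || signCount.
    # flags 0x05 = user present (UP) + user verified (UV).
    return rp_id_hash(rp_id) + bytes([flags]) + sign_count.to_bytes(4, "big")


def make_client_data_json(origin: str, challenge: bytes) -> bytes:
    # Constructed stand-in for clientDataJSON. In a real flow the browser fills in
    # "origin" from the page that called navigator.credentials.get(); the page cannot set it.
    client_data = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return json.dumps(client_data, separators=(",", ":")).encode("utf-8")


def signed_payload(auth_data: bytes, client_data_json: bytes) -> bytes:
    # The authenticator signs authData || SHA-256(clientDataJSON), so origin, challenge
    # and rpIdHash are all covered by the signature and cannot be swapped afterwards.
    return auth_data + hashlib.sha256(client_data_json).digest()


def check_domain_binding(client_data_json: bytes, auth_data: bytes, expected_rp_id: str,
                         allowed_origins: set, expected_challenge: bytes):
    """Relying-party checks that run before (and independently of) signature verification.

    Returns (True, "ok") when the assertion is bound to this RP, else (False, reason).
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    origin = client_data.get("origin")
    if origin not in allowed_origins:
        return False, f"origin {origin!r} is not one of this RP's origins"
    if len(auth_data) < 37:
        return False, "authData too short"
    if auth_data[:32] != rp_id_hash(expected_rp_id):
        return False, "rpIdHash mismatch (assertion was made for a different RP ID)"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"
```

An assertion produced on a page with any other origin fails the origin check, and one produced for any other RP ID fails the rpIdHash check, which is why a passkey's proof of possession is useless to a domain other than the one it was registered with.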
There's a big difference between "can't just hit the copy button and paste in the key" and "can't export the key as part of a backup." Physically preventing users from ever accessing their own keys is an absurd user-hostile proposition. Even more absurd when they're software keys stored in a database the user can decrypt. The FIDO alliance is just ensuring that password managers will require 3rd party backup tools to be useful.
Password managers have prevented phishing just fine by binding passwords to particular domains, ssh keys prevent phishing with IdentitiesOnly and passkeys are bound in the same way as regular password managers.
There has been a pretty insane number of times I've asked someone for their SSH public key and I get a response of ---- BEGIN RSA PRIVATE KEY ----. From people employed in tech jobs. Now imagine someone who barely understands how to use a computer, they're an easy target to get their identity phished.
I don't think the answer to these problems is building a system that treats users the same as an attacker when it comes to accessing and backing up their own private keys. Because at the end of the day the ability to export your private keys and store them somewhere securely is the account recovery of last resort.
Passkeys aren't HSMs -- the fact that you can sync them via your iCloud or Google account should dispel any such nonsense. It's fine for Apple or Google to store your keys at your request and they should keep them secure but the model of "here's my key, now don't ever let me look at it but let me use it via what is effectively DRM" is silly.
If a warning message on export "Never share this with anyone. Even someone you trust. Even your IT department. There is no reason anyone but you should have access to this key." isn't enough to stop people giving it away then no security was ever going to work for them. They would give away the credentials that lets them use the key in its absence.
> Because at the end of the day the ability to export your private keys and store them somewhere securely is the account recovery of last resort.
Or just have multiple passkeys for the same account. It doesn't matter if I lose the passkeys on my laptop because I've got other passkeys to those accounts on several other devices.
> Passkeys aren't HSMs -- the fact that you can sync them via your iCloud or Google account should dispel any such nonsense
Resident keys practically are HSMs, aren't they? None of my passkeys are backed up to a Google or iCloud account.
> If a warning message on export "Never share this with anyone. Even someone you trust. Even your IT department. There is no reason anyone but you should have access to this key.
In those conversations with people who should be experts I usually made a point to tell them to send me the public key and told them to never share the private. They still sent the public. People have been told to never share passwords either but I still often hear "yeah my password for this is blahblah123..." when asking for help.
Any security solution that involves lay people having access to keys is NOT secure. What you call "absurd user-hostile" is actually basic security in the real world with non-technical people.
Technical people can already be secure using appropriate protections, but even for them it's very difficult to do it properly.
Lay people will, without understanding what they're doing, ask the password manager to give them their password to enter manually on any phishing website as they'll think that it's not working because it's "broken". So, absolutely no, password managers do NOT prevent phishing.
If you think I am exaggerating, well, I work with this and I assure you it's even worse than that.
I would say the exact opposite, traditional ssh key management should eventually give way to resident keys. Aka, treating them just like passkeys.
We've been storing ssh keys directly on our yubikeys since before passkeys were a thing.
Not only is it clearly more secure, it's also been a usability lift. Plug in your yubikey, start an ssh agent, and run ssh-add -K to get all your resident keys added to your current session.
I understand this, but the person who responded said Passkeys are exactly the same as SSH and used the same, when asked what they are. If that was true, then we would just teach non-technical users to use SSH Keys.
You should produce a key per device, and produce a backup key that is safely stored & not used anywhere.
You can recover if you lose all devices via your break-glass backup key, and you limit the blast radius of "my key got stolen" from rotating all your keys to just a single device (or maybe the more likely "I screwed up and pushed my key somewhere public")
... which is completely nonviable if you connect to more than a single service.
I agree that you should use a different key per device, but when you connect to over a dozen different services/machines it quickly starts to become a serious chore to add another key. Have fun spending an hour enrolling your new device - provided you can even remember every single usage it should be enrolled with.
Unfortunately SSH certificates have really poor uptake in practice, and it's essentially unheard of to have a personal CA instead of a per-company CA.
But yes, having a single long-living "primary key" everyone can trust which you'd use to generate short-living per-device "secondary keys" would indeed be the ideal solution.
Sure, but that then limits you to a handful of keys. The WebAuthn people don't like this, they want one key per service, so basically YubiKeys no longer really work with WebAuthn (unless you're fine with only ever using a max of 25 services).
For me that means having multiple keys in `authorized_keys` for the same user and never transferring private keys between devices. From what I gathered from the discussion here, this is not a given.
Why would you want to? Just create a new passkey on the other machine. If you're saving them in a password manager, just create a new entry, "Another Machine's Passkey."
I went to school in a brutalist building from the '70s? and I always hated it. I didn't know why at the time but the concrete everywhere and the soullessness influence the inhabitants.
This could be done better with wood paneling or painting it. But even as architecture from the outside it just looks sad, cold, depressing.
There's a video on YouTube of the Smithsons - a couple who built some landmark Brutalist projects in the UK.
They're clearly either mentally unstable, or on drugs, or both.
They made a name for themselves by designing a modernist not-quite-brutalist-yet school - plenty of concrete, glass and rectangles, which turned it into a greenhouse in summer, a fridge in winter, and an echo chamber for shrieking kids all year round.
Some architects are very strange people, far more interested in building huge sculptures that happen to have rooms in them than creating inspiring usable spaces.
That's true. We restrict access to Snapchat, TikTok, Instagram, FB, they can use WhatsApp, YT, iMessage, Phone and Pinterest. I'm fucking annoyed by other parents that don't set boundaries that way. I have so many discussions about other platforms. Pushing them to physically meet is hard too.
We grew up at a time where SMS was a thing when I became 16. I know that keeping up is cool, but social media is a disease. The amount of dumb and uneducated people that couldn't even listen to expert advice during a fucking pandemic is driving me up the wall.
I'm annoyed mainly because people around me make bad decisions that have an influence on my own life.
People tend to agree with expert advice when that advice aligns with their own personal views and values. Sadly both smart and dumb, educated and uneducated people fall for this and the pandemic demonstrated this in waves and continues to do so.
Take this study (https://www.nature.com/articles/s41562-020-01009-0?error=coo...). How many people on HN will agree with the ranking of those interventions? Early restrictions on travel and preventing people from gathering are the most effective measures to prevent a pandemic, but what people want to form sides around is the discussion around masks. Shutting down airports and imposing general self isolation are not in alignment with what either smart or dumb people believe in.
One of the criteria I used when choosing my son's school is that mobile phones are not allowed at all in school. It's a primary school (until 12 years old) so you wouldn't think that mobile phones would be that common at that age but from what I've heard of other parents, smart phones are common already this early.
I don't believe in completely forbidding access to everything when my son is older but there's a time for introducing things like this and it's not this young.
> you wouldn't think that mobile phones would be that common at that age
Elsagate videos got many tens (hundreds?) of millions of views at the time. If you know where to look you can see the cumulative engagement of babies in front of their tablets.
There's this old stat about video games, oft quoted a decade or more ago in the context of Zynga, etc., that one of the largest game markets is casual games, and the players are predominantly working-age women.
There's also this hypothesis I saw the other day, that the above is a misattribution: it's not the working-age women who somehow have time to play so much, but rather babies and kids playing on their mothers' devices.
> There's also this hypothesis I saw the other day, that the above is a misattribution: it's not the working-age women who somehow have time to play so much, but rather babies and kids playing on their mothers' devices.
I also wonder what the breakdown of Netflix streaming hours is. I suspect a huge chunk of it is just toddlers and pre-schoolers watching the same episodes of Cocomelon over and over again.
This sounds like a really good way of approaching it. From what I understand the argument against is clear but enforcing it in the face of peer pressure a little more complicated!
My nephew's school allows basic 'dumb' phones but not smart phones which seems a fair compromise.
Yes, the peer pressure is exactly the point. The older your child is, the more his peers will influence his behavior. I hope by the time he goes to middle school, I'll find a school with this kind of restrictions.
> The amount of dumb and uneducated people that couldn't even listen to expert advice during a fucking pandemic is driving me up the wall.
If you stay home and others don't, it doesn't affect you. If you're isolated and safe, why would you care if others go out and do what they want?
A commenter in a sibling thread asked why "people are so nitpicky" and "why people are so hostile to each other". This comment is why. It's exemplary even. You should look inward and figure out if you're part of the problem.
It seems you are a good example of what they were talking about. Not understanding cause and effect such as using up medical resources that could otherwise be used for regular emergencies.
That's a fine stance if staying home is an option for you, but many people are not that fortunate with their logistical and financial situation.
Meanwhile, it transpires that the outside world is full of people who I am sure are upstanding and willing to self-sacrifice for their fellow man in theory, but will point blank refuse to bear the mild inconvenience of a piece of cloth over their face in shared spaces for the comfort of those around them in practice.
I mean, it's not news; most humans have never cared much about the welfare of strangers; people doing what they want and ignoring the externalities happens all the time - smoking in public spaces, drink driving... the pandemic simply served to viscerally ram home just how self-centered we all are.
And thus we come full circle to the start of the thread. Hell is other people. The more we interact with other people, the more obvious this becomes. As our world becomes more connected, no room is left for illusions on the subject; it's little wonder teens end up holing up in their rooms avoiding everyone.
People should not go out when they are sick. That they do so because of a logistical and financial situation, trading other people's health for economic gain, is a very bad situation for everyone involved. A piece of cloth over their face may be a symbol for a "better than nothing" solution, but it is a very problematic starting point for a discussion regarding pandemics.
The best solution to this problem in general is social welfare. One such choice that countries did during the pandemic was to encourage or force work-from-home, and reducing the economical friction of sick leave. When the situation is so bad that people have to choose between externalities and major negative personal impact, society can help by stepping in by pushing the right choice while at the same time reducing that negative personal impact. It is a social solution to a social issue.
People as a group can be good and evil, just as an individual. Society can choose to ignore citizens' logistical and financial problems while at the same time expecting people to act altruistically. A major reason for that will coincidentally also be the logistical and financial situation of that country, so they may as an alternative choose a better-than-nothing solution to it. Sub-optimal as it is.
I think this view sucks. A core part of being a functioning human being is being able to interact with others whose views differ from your own.
The core problem is the ostracization of opinion on social media. It also doesn't play very well when social isolation has had other consequences, such as the proliferation of viruses and the broad economic impact. Plus, COVID is now integrated in our society, thus giving more ammunition to those who thought that social isolation was pointless (even if it wasn't at the time).
We need to move on from the isolationism and vitriol of others with differing opinions.
There are 2 contexts for speech, and within each different forces change the outcome of the same conversation. This is why I can say your analysis is resulting in erroneous outputs.
For argument's sake, let's call it - individual only scenarios vs collective scenarios.
Individual only: What thoughts you say at home in the privacy of your house.
Collective: The vote.
In collective scenarios, the median/average choice dominate.
Eg: The chemical expert knows that chemical X is going to kill humans and avoids it.
The collective votes Yes to elect a representative who advocates for chemical X to be added to all food packaging.
——-
This is a very common trick question where Free Speech argument proponents falter.
Free Speech is a principle for ordering the world. With the internet, this principle needs to be applied to people who would skew or influence collective decisions.
Brandolini's Law also comes to mind. Countering bullshit takes more effort than creating it. It's an understandable self-defense mechanism for an individual or even a community to just isolate and quarantine the source of a problem than to engage with them in earnest discourse. Trolling, astroturfing, and propaganda are real things, no amount of engagement will sway the opinion of bad-faith actors.
This is still too cynical. A large majority of people are not bad-faith actors but rather normal people who simply want to live their lives.
To be clear, I'm not arguing whether the lockdowns were good or bad. I do think they were necessary. I'm more arguing that we shouldn't suppress and ostracize people who disagreed with them. It's okay for people to disagree.
I think THIS view sucks. Some things are objectively true. Why should we have to tolerate people who literally don't understand basic statistics and harm reduction? At all?
> If you're isolated and safe, why would you care if others go out and do what they want?
To answer this question:
Because almost nobody was isolated. Most people couldn't stay at home exclusively and indefinitely. You gotta get groceries, lots of people have to go to work, lots of people have partners and family members that can't work from home, you gotta receive parcels, you had to receive food deliveries, and some people had to be the ones delivering parcels and food, some people could get OTHER diseases. The list goes on.
You mean that "expert advice" which is increasingly questioned with passing time, and happened to change every Monday and Saturday? That expert advice which at least for Germany is now revealed to have been ordered by political forces, not based on scientific evidence? C'mon. Waving about with the pandemic as a good example is getting hilarious.
Except that nothing has been revealed. The blackened protocols of the crisis meetings of the Roland-Koch-Institut (the public health organization funded by the FRG) are incomplete and the alleged political meddling is an insinuation by "alternative facts" journalists. Let's wait and see what happens when the full protocols are released. IIRC, there is a review board for Corona measures anyway and the journalists are suing for a full release, too.
It is shameful that citizens had to sue for the release of the partial protocols in the first place, for sure, but the conclusions are more than hasty. Anyhow, you seem to have made up your mind, so I'm leaving you to it.
This sounds like post-facto justification for following rumors and disinformation during the pandemic.
Yes, expert opinions do change as new data comes in, and yes, public policy is as much influenced by politics as by science. But during the beginning of the pandemic, the OP is absolutely correct that a shocking number of people showed very poor judgment based on social media.
And this has not changed. Social media continues to be a cesspool of conspiracy theorists and deliberately provocative content that increases "engagement". Please don't dismiss this point by putting "expert advice" in quotes.
A problem is people who are confidently wrong and hide behind science as a religion. If we were to admit a level of, I don't know, this is the best we've got right now, there would be more trust in expert advice. During the pandemic, this expert advice was abused to exercise control over some and not others which helped cast doubt over all information. For instance, political leaders hanging out in public restaurants without masks while others were directed to huddle in their homes made some wonder if this thing was as bad as those 'leaders' claimed.
I would agree with your take if we had a solution for the "who watches the watchers" problem. Since we don't, blanket criticism of critical thinking doesn't go down with me since I watched the pandemic unfold. Our state-controlled local media said 3 days after the first lockdown that we are supposed to only listen to them, and ignore every other media outlet because they are going to lie. This in a democratic country. I was shocked, and what followed didn't make me any more trusting in the powers that be. We tell our kids if they keep lying, nobody will believe them. This is what happened during the pandemic. And claiming experts are cool just because, doesn't make that deeply rooted distrust go away. We tell our kids they are not supposed to lie because after a while, nobody will believe them. But if we're being subjected to imprisonment at home based on vague "scientific" experts who turn out to have followed orders from politicians, we are supposed to forget all about it and move on? Nope, sorry. Trust has eroded, and just saying so will not reestablish it.
Because they should clarify for every web dev that technically relevant cookies that do not track the user with third parties do not require a banner.
I want my iPhone to connect via cloud with my Mac, because I can scan documents with the iPhone and open them there. Without me doing anything to connect the devices apart from first install.
I want to experience new things like new music hence why I use Spotify to get something new washed in (but in the past it worked better).
All the gain but without the pain of fixing it. I already have to fix packages during work time and debug through software. Not in my spare time please.