@publicvoit @keno3003
Ich habe 2 FIDO2 HW-Token und bin davon begeistert. Für den durchschnittlichen Anwender gut geeignet. Sehr einfach anzuwenden. Schade das nicht viel mehr Anbieter davon Gebrauch machen.
Zum Vergleich: Mit TOTP bin ich gescheitert. Das ist aufwändiger, und wenn man nicht richtig weiß wie es geht, kann man sich leicht ausschließen (Backup Schlüssel bei Einrichtung sofort sichern nicht vergessen.)
#fido2 #token #passkeys #security
@keno3003 (2/2) Der einzige Schutz dagegen ist, wenn man physische #FIDO2-Tokens verwendet ("device-bound passkeys" nur in der "roaming-authenticator"-Variante!), die das Auslesen des Geheimnisses prinzipiell ausschließen. Dies ist also die einzige wirklich Phishing-resistente Authentifizierungsmethode.
IMO sollten also die Tipps am Ende vom Video *mit Fokus auf Sicherheit* anders lauten:
- am besten 2 #FIDO2 HW-Tokens besorgen und für alle #Passkeys verwenden (für #IDAustria Österreich: https://www.oesterreich.gv.at/dam/jcr:972a25a0-65e6-4c2e-9422-a2e02ce16f2d/20230613_ID-Austria_FIDO.pdf)
- keine phishing-gefährdeten Fall-Back-Mechanismen verwenden: also nur den 2. FIDO2-Token
- jede 2FA ist besser als keine
- niemals Passwörter in die Cloud schicken (Cloud-PW-Manager)
HTH 
@keno3003 ad "Das Problem mit Passkeys" https://www.youtube.com/watch?v=u7Ti-Jc-b3A&pp=ygUYZGFzIHByb2JsZW0gYmVpIHBhc3NrZXlz
Sorry, dass #Passkeys immer absolut resistent gegen #Phishing sind, stimmt leider nicht.
https://arxiv.org/abs/2501.07380
"Another concern could be social engineering, where a user is tricked into sharing a passkey with an account controlled by an attacker."
Meiner Interpretation nach ermöglicht also das Transferieren von Passkeys zu anderen Personen eindeutig Phishing-Methoden. Die sind vielleicht noch nicht in der Praxis aufgetaucht aber ausschließen kann man es keinesfalls.
(1/2)
I was surprised last night to see that the latest Yubikeys support 100 #Passkeys, as opposed to the previous limit of 32, but it still doesn't feel like the best solution.
Apropos #Passkeys: c't 3003 hat sich im letzten Video mit dem Thema Synchronisation des Schlüsselmaterials auseinandergesetzt. Die Möglichkeiten der Herstellerclouds oder eigener Passwortmanager werden kurz gezeigt. In Sachen User Experience gibt es für die geräteübergreifende Nutzung von Passkeys allerdings noch keine so gute Note...
Ich empfahl ja neulich auf den #clt2025 den Vortrag über #Passkeys, die man für #2fa oder bei manchen Anbietern auch als einzige Authentifizierungsmethode nutzen kann. Auch den Vortrag könnt Ihr nachschauen. Link und Materialien sind hier: https://chemnitzer.linux-tage.de/2025/de/programm/beitrag/188
@yacc143 FYI: #Passkeys and #FIDO2 (= "device-bound #passkey" which can be divided into "platform-" and "roaming-authenticators") are identical except the #cloud-sync mechanism (as of my current understanding).
So unfortunately, they get mixed up or are considered as totally different things. Both is wrong.
In reality, they are very similar except that FIDO2 hardware tokens ("device-bound passkeys" only in their "roaming-authenticator" variant) are designed that way, that Passkeys are not being able to extracted from the device (at least for the moment).
Therefore, users of HW tokens can't be tricked into transferring their passkey to a rogue third party, which is possible with all other Passkey variants. Therefore: passkeys are NOT #phishing-resistant in the general case.
#TroyHunt fell for a #phishing attack on his mailinglist members: https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/
Some of the ingredients: #Outlook and its habit of hiding important information from the user and missing #2FA which is phishing-resistant.
Use #FIDO2 with hardware tokens if possible (#Passkeys without FIDO2 HW tokens are NOT phishing-resistant due to the possibility of being able to trick users with credential transfers: https://arxiv.org/abs/2501.07380) and avoid Outlook (or #Microsoft) whenever possible.
Further learning: it could happen to the best of us! Don't be ashamed, try to minimize risks and be open about your mistakes.
Note: any 2FA is better than no 2FA at all.
New blog post! A casual explainer on password managers and passkeys.
Goal: have something I can share with friends & family when they ask what I do.
Would love feedback, Fediverse 
https://willmartian.com/posts/passwords-managers-passkeys-oh-my/
Honestly, I don't really get the point of NFC-enabled FIDO2 tokens / hardware #Passkeys: Obviously, their NFC support is meant for phones, but to actually use the key, your phone's operating system must support #FIDO2 in the first place.
Instead of connecting your #NFC token, you could just as well use your phone's internal FIDO2 storage (usually biometrically secured). NFC is not even useful for ungoogled devices, as #MicroG also has internal FIDO2 support (which I use all the time).
@technotenshi #Passkeys are not prone to #phishing according to my understanding of:
https://arxiv.org/abs/2501.07380
The paper describes that it's possible to fool Passkey owners to transfer their #Passkey to attackers: "Another concern could be social engineering, where a user is tricked into sharing a passkey with an account controlled by an attacker."
However, the authors disagree with my interpretation.
The only really secure method is hardware #FIDO2 tokens where the secrets can't leave the device.
@0xF21D Any more reason to switch to FIDO2 with hardware tokens or #Passkeys.
The latter only if you trust the service providers and if you don't need protection against phishing. With Passkeys and their optional delegation feature you can be tricked into transferring to a hacker. 
With a #FIDO2 hardware token, you're really safe.
#Passkeys and the evolution of authentication: A secure, seamless future
https://bitwarden.com/blog/passkeys-and-the-evolution-of-authentication-a-secure-seamless-future/
Passwords are annoying, vulnerable to attack, and prone to human error. Our latest article explains how passkeys can lead to more secure and private online accounts
https://www.privacyguides.org/articles/2025/03/08/toward-a-passwordless-future/
Discover PasskeyIndex.io: Your Community Hub for #Passkeys
https://bitwarden.com/blog/discover-passkeyindex-io-your-community-hub-for-passkeys/
I am not a fan of #Passkeys but maybe they are the solution for the 20 different 2FA apps people keep on their phones.
New post: Basic Internet Security for Authors – Strong Passwords
What are good passwords (spoiler: long ones) and how can i use them so that they don't annoy me?
https://www.viennawriter.net/blog/basic-internet-security-for-authors-strong-passwords/
Der #adminForge Account unterstützt ab sofort auch #Passkeys für die passwortlose Anmeldung in verschiedenen Diensten.
Eine bebilderte Anleitung findet ihr direkt auf der adminForge Account Seite https://adminforge.de/account/ .
Because I found out via try & error: some pages don't find their #passkeys with #Firefox on #Android, which they just created. This happens if you have a password service as default like #Keepass2Android. Creation works though. Chrome just works.
Easy solution: setup Google wallet as your default password service, then switch to Keepass2Android again and add Wallet as additional service.
Do this via settings password, default password service
This should be a blog post.
