Anyone know much about the "passkey" security feature? Seems exchanges are moving to require this additional security. I gather SMS or authentication tools will no longer be sufficient.

There appear to be 3 options: fingerprint scan with devices that enable that, some sort of keychain thing, and devices like YubiKey.

Not 100% sure on all this, but best I could gather from what I was told.

#asknostr


Discussion

My instincts flag this as part of the same gaslighting as "end to end encrypted chat apps"

Good instincts probably. Don't know much about it, but smells like further KYC of sorts, at least for the first two options I listed (if I understand, say, iCloud Keychain... which I kinda don't, but it's connected to your Apple ID so that's not great).

The one benefit I can see is maybe a way to hold 1 company accountable for all your login security

"You made this device, you told me it could handle logins securely with your backend, you handled my logins, I am writing you this letter to inform you I will be suing you in court and/or bombing you for this money I lost when I was hacked"

That makes sense.

Just get off of and as far away from exchanges...

Pure peer-to-peer is the future, starting now. To hell with exchanges, KYC, regulations, taxes, etc., etc.

I agree with you in theory, but it's still the best way to stack for cold storage, or god forbid sell 😱, in size for most people, from what I know anyway.

Friend called me about it. Really am asking for a friend in this case lol

RoboSats and Bisq work great without risking your personal data and family safety. $5 wrench attacks can ruin your life.

Volume and speed kinda suck. It's a chore at the very least, and not something I'm gonna talk a semi-normie into doing or caring about.

You don’t have to talk anyone into it. Just send them articles about the brutal wrench attacks: kidnapped family members and chopped up fingers should be convincing enough. But if it isn’t, then who cares. Whatever security feature he uses doesn’t matter if he’s stacking into cold storage right away.

Do you seriously use these methods to stack? Yeah, he's pretty good on security thanks to me in part. I see getting exposure as priority 1, a close second is cold storage, all the rest a distant third, so I don't push that

Yes I do.

Sorry to doubt. In my experience many answer with these options but rarely use them.

fear is not a good driver imO, MAHDOOD, wdyt*/*ya

1 reason i like meet - uPz - p2p 2 get{GITIT}familiar but th@ IZ just mE*/*trust is an issue

Meetups with Rand would be lit

The less data about you online the better. No one needs to know where you live or how much you have. You could use a different address when you sign up on the exchange like a PO Box but if a data leak happens, they have enough information to probably still find your real address online. A little inconvenience is worth it to protect your family.

i agree, i still have a hang-over from pastlife lowpro i can admit 2*\*ya*/* good opsec/sit. awareness}YES buttbut,prep. NA fear imhO *B*rO

i know fear & find th@ a degradED state is all ima saying & NA fun/

Fear is what worked for me. It’s what even got me to look into bitcoin.

k, i understand th@ but i reverse the incentive w/a lovelenz & operate thru th@*/*my friend - IT can work both\/\/ayz/*****

Carrot and the stick. You can frame it as a way to protect your family. Just add a heart emoji to the end of the message lol

are you still fearful? Or securitySmartmindED today? has the fear subsidED? i am familiar w/robo & bisq btw

Not that much anymore

Y? & use th@ 4 fut. ref. friend*****

what country if you care2share friend*/*ya th@ can *B* a factor in thIZ relatE*/*ya 🧡

I’m in the US

t Y MAHDOOD*/*

YubiKeys are great. I have an OnlyKey and love it because it also does passwords.

Yeah, one of those security enhancing steps I always mean to look into more and never do.

I sometimes shudder to imagine what would happen if all my authy, Google etc, apps popped the bed somehow... had that happen to a friend a few years ago and he was very stressed for a couple weeks

The magic with FIDO security keys is the same public key encryption as nostr uses. Your private key is on the USB key and the server gets the public key. The private key never leaves the USB, the event signing happens on the key.

This way you need physical access to the key to get in. A password leak doesn't let some rando in Nigeria into your account. Account access is still susceptible to wrench attacks but that is a smaller attacker pool than anyone on the planet with internet.

One thing to keep in mind is a YubiKey is a one-of-a-kind deal. Lose it and you are toast. The solution is, register 2 keys on your account. 1 key for use and 1 goes in your safe and is treated as seriously as your seed.

An OnlyKey offers an encrypted backup feature that allows you to clone keys. So I register 1 and clone it; both now work. Hardware passwords are nice too. The only downside is some services don't properly support FIDO auth; they scan to see if it is a YubiKey and refuse to work with other brands.

Google forced employees to go to hardware key 2FA years ago and it saved them a fortune because accounts accessed by social engineering attacks went to 0. It isn't a guarantee, but limiting unauthorized access to wrench attacks really cuts down the number of successful attacks.

I'd be willing to DM for use case details but I don't want to lay out a roadmap publicly of how I secure all my accounts.

TLDR, this is a big jump in preventing hackers from accessing your accounts and I highly recommend you get 2 and use them.

Sure DM anytime if you feel inclined. Can use non-nostr too, like simplex.

Appreciate the answer, very informative. I always equated 2FA auth apps with the hardware RSA (?) token things workplaces would sometimes give (just less secure due to being digital versions). This felt equal in security but I guess it comes down to my lack of understanding of the cryptography employed between the two methods. Sorry if I botched the summary, figured I'd summarize in case I missed something.

The private key for this instance appears to just be a digital thing stored with iCloud/Keychain, so it wasn't clear what possible advantage there was.

Those rolling number things are a similar concept but slightly worse security in my opinion. They are called TOTP. These days very few use a token; most use an app to generate the numbers.

The reason I think they are worse is the secret now lives in that app, which is usually running on an always internet-connected device. With the FIDO USB keys, the secret is generated on the key and never leaves the key; the key signs the event.
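The difference the two replies above describe (TOTP: one shared secret copied to the app and the server; FIDO: the server keeps only a public key and the authenticator signs a per-login challenge) set side by side in Go, as an added example that is not from the original thread or from any product named in it. The `Authenticator`, `TOTPServer` and `FIDOServer` types are a constructed model, the TOTP secret is the RFC 6238 test-vector seed rather than a real credential, and a random server nonce stands in for the "event" the post says the key signs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// ---------- TOTP (RFC 6238): one shared secret, copied to both sides ----------

// totpCode returns the 6-digit code for a 30-second time step. Whoever holds
// secret (the app, the server, or anyone who copied either) can compute it.
func totpCode(secret []byte, unixTime int64) uint32 {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation (RFC 4226)
	return (binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff) % 1000000
}

// TOTPServer must store the same secret the app has, so a copy of the
// server's user record is as good as the app itself.
type TOTPServer struct{ secret []byte }

func (s TOTPServer) Verify(code uint32, now int64) bool { return code == totpCode(s.secret, now) }

// ---------- FIDO-style: the private key stays on the authenticator ----------

// Authenticator models the USB key. Nothing here returns the private key; the
// only operations exposed are "give me the public key" and "sign this".
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign answers a server challenge; the signature proves possession of the key
// without ever exporting it.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	d := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, d[:])
}

// FIDOServer stores only the public key registered at enrollment.
type FIDOServer struct{ pub *ecdsa.PublicKey }

// NewChallenge issues a fresh random nonce per login so a captured signature
// cannot be replayed later.
func (s FIDOServer) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

func (s FIDOServer) Verify(challenge, sig []byte) bool {
	d := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(s.pub, d[:], sig)
}

// ---------- What a copy of the server's user record is worth ----------

// StoredTOTPRecordMintsValidCodes shows that a copy of the server's stored
// secret is enough to produce codes the server accepts: the shared secret is
// the whole credential.
func StoredTOTPRecordMintsValidCodes(srv TOTPServer, now int64) bool {
	copied := append([]byte(nil), srv.secret...) // the copied record
	return srv.Verify(totpCode(copied, now), now)
}

// StoredFIDORecordRejectsOtherKeys shows that the stored public key lets the
// server verify, but a holder of that record plus any other authenticator still
// cannot produce an accepted signature; only the registered key can.
func StoredFIDORecordRejectsOtherKeys(registered, other *Authenticator) (genuineOK, otherOK bool, err error) {
	srv := FIDOServer{pub: registered.PublicKey()}
	ch, err := srv.NewChallenge()
	if err != nil {
		return false, false, err
	}
	sig, err := registered.Sign(ch)
	if err != nil {
		return false, false, err
	}
	sig2, err := other.Sign(ch)
	if err != nil {
		return false, false, err
	}
	return srv.Verify(ch, sig), srv.Verify(ch, sig2), nil
}

func main() {
	// Constructed sample secret: the RFC 6238 test-vector seed, not a real credential.
	srv := TOTPServer{secret: []byte("12345678901234567890")}
	fmt.Println("copied TOTP record mints accepted codes:", StoredTOTPRecordMintsValidCodes(srv, 59))

	reg, _ := NewAuthenticator()
	other, _ := NewAuthenticator()
	g, o, _ := StoredFIDORecordRejectsOtherKeys(reg, other)
	fmt.Println("registered key accepted:", g, "| different key accepted:", o)
}
```

The point for a defender is the last two functions: with TOTP a breach of either the server record or the app's storage yields a working credential, while with the FIDO model the server record is a public key that verifies but cannot sign, so the usable secret exists only inside the hardware. Registering a second authenticator, as the post recommends, just adds a second public key to the server record.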

Gonna have to go back and reread, and maybe google a couple things. But I think I've more or less got it.

FIDO2 features are great.

Using it at Apple, GitHub etc.

The attack surface becomes smaller.

Ok, you seem to know about these. I don't understand how scanning something into an additional cloud keychain is more secure than standard authenticator apps, but don't expect you to explain that.

What I am curious about is if it in any way sneaks in additional KYC of some sort. Fingerprint seems like an obvious yes, and less clear on option 2 (cloud keychain).

Passkeys are physical keys on online services. It's not secure enough if stored in the cloud.

There’s no additional KYC, but they are trying to shift the responsibility to the customer.

Cuz if the keys are valid, they can blame you and it's not their fault.

Ah ok, kinda makes sense. Thanks!