Avatar
Dr. Hax 1y ago

I read Proton's take on Passkeys. I have thoughts...

https://proton.me/blog/big-tech-passkey

I have stayed away from the closed source implementations being pushed by big tech companies like #Apple & #Google. I have also steered clear of all #software implementations. So if was nice to be informed on what a shit show it is over there. Not because I want to validate my prior choices (although that does feel good), but so I can help advise people who have different desires than I have.

For me, this is what I want, and why:

1. Completely #OpenSource solution. I've had the rug pulled out from under me too many times to put up with another "sunset" after just a few years.

2. A #hardware implementation. I can use it on a compromised device and still be safe (sans that one login session). This is not true with pure software solutions, including those that use a secure element.

3. Never sync it to any #cloud, let alone someone else's cloud! I understand it's e2ee, but it's more risk than I want to take. I could go into the threats, but I'm trying to be brief here

4. Prefer the ability to #backup and restore, although this is not strictly necessary. It's easy enough to just register two devices to services and never have the secrets leave those devices. But it's more cumbersome than having two devices that are clones of one another. Only have to register one key, and can still recover easily if it's lost or destroyed

I'll admit that this is a high bar. It's still what I want though, and I'm only willing to compromise on that last point.

You might be wondering if anything even exists right now that can meet my demands. I'm happy to say that there is: the Trezor Model T.

https://trezor.io/trezor-model-t

Sure, it can hold the #keys to your #bitcoin, a feature which you may or may not care about, but perhaps more importantly it actually meets all of the requirements for #Passkeys / #FIDO2 / #u2f / whatever you want to call it!

Full disclosure: I do not get any compensation from #Trezor for anything.

#security #cryptography #FreedomTech

Reply to this note

Please Login to reply.

Discussion

Avatar
Sebastix 1y ago

These are some interesting thoughts, thanks.