Why? Passwords can be remembered and entered on other devices for recovery. The plethora of passkeys out there cannot.
A bit the same "why": although I love the keychain in macOS, it also makes me uncomfortable. Lose your phone and laptop in a theft or fire and you are locked out from your Apple account. Goodbye online presence.
That's exactly the issue I have with passkeys. All that lock-in to big tech. I tried Bitwarden but most sites with passkeys didn't work with it (like Amazon and PayPal). And on Android it only wants to use the Google version (I don't use a Google account on my phone so that's not possible).
It does not work for me on my Linux PC with Firefox: PayPal simply refuses to enrol passkeys and Amazon tries but then gives an error. I haven't tried Chromium as I don't have it installed.
I'll give it another try though. The last time was 1 year ago. I don't normally use Bitwarden so I have to set it up from scratch with vaultwarden etc.
This is probably a Linux issue. macOS and Windows implement the FIDO2 Platform API, which allows them to act as authenticators themselves. Linux does not. See https://github.com/linux-credentials.
With macOS and Windows I'm still stuck in corporate ecosystems though, which was my point. I used to use Mac but I couldn't deal with the increasing iOSification, and I only use Windows now for gaming (VR) because it's such an awful OS.
But that's another point: I do use many OSes, so being locked in to one ecosystem is not an option. I must also have the option to back up my credentials at all times (e.g. a cloud service will never suffice).
But yeah I should have mentioned Linux. I thought it was the norm here really especially among people advocating against corporate ecosystems.
Bitwarden works just fine for Amazon. Works on my phone too. Even when supplying passkeys over QR code+Bluetooth to another computer, Bitwarden's Android integration works flawlessly.
I do believe you need Android 14 for that, though, so if your phone has been abandoned by its manufacturer/your ROM of choice, it'll break.
If Bitwarden is bugged out on your computer/phone for whatever reason, there are also alternatives like 1Password.
Hm, I should try it again; the last time was about a year ago, maybe a little more. I don't normally use Bitwarden so I have to set it all up with vaultwarden to make it work.
Is it possible now to export the passkey private key though? That was another thing at the time; apparently the FIDO consortium didn't want keys to be exportable.
But I'll try it again, good point. I think with PayPal the issue was also that they refuse passkeys in Firefox and I don't use Chrome, so I was stuck there too. With Amazon it tried to enroll me but I got a bunch of errors.
The "standard" answer is that you should either use synced passkeys, or enroll multiple passkeys with the provider. The problem is that some providers (e.g. PayPal, some banks) only support one passkey, and synced passkeys aren't supposed to be trusted for attestation (unless they're synced by Apple/Google/Microsoft).
And every couple of days we see a post or a tweet about "Google/Apple/Microsoft just nuked my account with no notice and no recourse" so trusting them to sync passkeys rightfully makes some people nervous.
There are two problems with passwords. Reuse, and site breaches. The solution to the former is the same as passkeys: credential managers. Passkeys genuinely solve the second, in exchange for a vastly less comprehensible system (see all the uncertainty people have even here on HN) that doesn't support many of the ways people want to use authentication tokens.
The problem with this is requiring everyone to own a device with a secure enclave or similar hardware capabilities because some people are prone to being phished. Let me choose the level of risk I find acceptable.
Passkeys don't require it, but relying-parties may: https://github.com/keepassxreboot/keepassxc/issues/10407#iss... If enough RPs ban clients that let users manage their own data in the name of "security," then it is effectively required by passkeys. The passkey spec could have been written to be resilient against this type of abuse, but instead this abuse is explicitly considered a feature of the spec.
Are there any credential managers that don't validate the domain with passwords? Sure, there are issues with PSL subdomain matching, but at the end of the day it's good enough in the real world. All the other stuff (MITM, malicious site, etc) falls under the other case I already mentioned.
It's security, so we're not discussing impossibility. You can still phish a passkey, we're just hoping the cryptography is good enough that it remains astronomically unlikely to succeed. Since we're all reasonable people, that chance is low enough that we're fine accepting it. What I'm saying is that the chance with passwords is still low enough that I'm fine accepting, even though it's much higher than the cryptographic security of passkeys. We're simply disagreeing about where we draw the line of "good enough".
You crack the private key and forge the challenge? Maybe the other IDs sent alongside it are hard to get for some reason, but the security of passkeys comes down to the cryptography. Cryptography can always be broken, but a good cryptosystem makes the probability low enough that any reasonable person considers it good enough.
If you trust that the cryptography employed in passkeys is effectively unbreakable, then it follows that for all intents and purposes, passkeys cannot be phished. It’s the same thing as trusting that your browsing sessions cannot be MITMed because the end to end encryption is sufficiently strong.
That's not what phishing is. Phishing is convincing someone to give you a credential with a page that looks like the one they're supposed to give the credential on. Passkeys cannot be phished.
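As an added illustration of the point above (example code written for this page, not from any commenter or any real relying party): a relying party checks that the browser-reported origin and the authenticator's rpIdHash match its own identity before it even considers the signature, so an assertion produced on a lookalike domain is rejected even if relayed. The RP identity, challenge and the `verify_sig` callback (a stand-in for the real public-key signature check) are constructed assumptions.

```python
import base64
import hashlib
import json

# Constructed relying-party identity for this example (not a real site).
RP_ID = "example.com"
RP_ORIGIN = "https://example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_assertion_parts(origin: str, challenge: bytes, rp_id_seen: str):
    """Constructed stand-in for what the browser and authenticator emit.
    The browser fills in the origin it is actually on; the authenticator
    hashes the RP ID it was actually asked for. Neither is user-supplied."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    flags = 0x05  # bit 0 = user present (UP), bit 2 = user verified (UV)
    auth_data = (hashlib.sha256(rp_id_seen.encode()).digest()
                 + bytes([flags]) + (1).to_bytes(4, "big"))  # + signCount
    return client_data, auth_data


def check_assertion(client_data: bytes, auth_data: bytes,
                    expected_challenge: bytes, verify_sig):
    """Relying-party checks on an assertion. verify_sig(signed_bytes) is
    the caller's public-key check (ECDSA/Ed25519 in a real RP)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong clientData type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    # The signature covers authenticatorData || SHA-256(clientDataJSON),
    # so origin and rpIdHash cannot be edited in transit.
    signed = auth_data + hashlib.sha256(client_data).digest()
    if not verify_sig(signed):
        return False, "bad signature"
    return True, "ok"


def demo():
    challenge = b"constructed-random-challenge-32b"  # RP generates this per login
    accept = lambda signed: True  # assume the key check itself passes
    genuine = check_assertion(*make_assertion_parts(RP_ORIGIN, challenge, RP_ID),
                              challenge, accept)
    lookalike = check_assertion(*make_assertion_parts("https://examp1e.com",
                                                      challenge, "examp1e.com"),
                                challenge, accept)
    return genuine, lookalike
```

In practice the authenticator would not even find a credential for the lookalike RP ID; the RP-side checks shown here are the second layer that holds even when an attacker relays the exchange.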
They must be paired with an alternative mechanism, unless you plan to unperson everyone who accidentally drops their phone in a river (this may be the plan for high-security services but it can't be the plan in general) and that mechanism can be phished.
Session cookies can't be phished either, so why aren't those sufficient?
Passkeys work well with a password manager. The password manager also stores the long random password to get in without the passkey. The advantage is that passkeys are immune to phishing. Sites also turn off 2FA for passkeys, which reduces the hassle.
I think it's more than fair to document that some implementations lie about their intentional violation of the spec, even if that violation is done to make the login process smoother.
Still, I've never seen a website try to block Bitwarden's passkey management (though I've had plenty of issues because of its partial implementation of the API, especially in early versions) despite its spec violations.
For some of the implementations, user verification is a massive pain (as browser extensions often only have long and complicated passwords to authenticate), but for KeePassXC a quick and simple fingerprint/facial scan is an option, as it already offers integration into the native OS biometrics anyway.
> Still, I've never seen a website try to block Bitwarden's passkey management
Ideally it shouldn't be possible, or at least it should clearly be an ugly hack for a website to be doing something like this. Instead the spec authors explicitly endorse blocking clients that they feel are non-compliant. I'm not going to use a login spec that encourages websites to ban me because of the software I choose to use.
> for KeePassXC a quick and simple fingerprint/facial scan is an option, as it already offers integration into the native OS biometrics anyway.
Man don't get me started on the passkey environment's bizarre obsession with biometrics. My desktop computer doesn't have a fingerprint reader or a camera, and if my OS (Arch Linux) supports that junk I've certainly got no interest in doing the work to set it up just so I can log in to a website.
Documenting is fine, but the passkey spec author has been recommending blacklisting these so they don't work. It will end in a situation where the Apple, Google and Microsoft passkey managers are the only way to log into any website.
And I wish passkeys could cover all the use cases of passwords, yet here we are. Passwords are simple and well understood. Passkeys have all sorts of sharp edges that you won't discover until you're hurt by them.
Good thing Wikipedia allows its entire database to be downloaded... go ahead and change it to your will, we will have the data for a few years later...
That would be an unfortunate backup plan to rely on. We want to keep the full value of Wikipedia alive. Wikipedia is (1) an ideal; (2) a community of volunteers; (3) a brand; (4) a habit for many people seeking information; (5) a center (if not the center) of many online textual / knowledge ecosystems.
Peaceful, sustained, popular, legal, loud resistance is necessary to push back against an administration that is trying to kneecap influential dissenting viewpoints.
I am curious how they’re funded. How they are able to stay online. Surely there must be people, governments etc with deep pockets that would want to take them down?
Can you donate to them without someone claiming you're donating money to a criminal enterprise and getting you in trouble? I mean, without using bitcoins
Can confirm this is happening. But the money paid is tiny. Think thousands of dollars, not millions. Not enough to keep the lights on. I would assume they do pretty well from donations.
If #1 is a reference to a famous quote from Stewart Brand, founder of the Whole Earth Catalog, it's only part of the quote. The rest is relevant:
> On the one hand you have—the point you’re making Woz—is that information sort of wants to be expensive because it is so valuable—the right information in the right place just changes your life. On the other hand, information almost wants to be free because the costs of getting it out is getting lower and lower all of the time. So you have these two things fighting against each other
He stated later more succinctly:
> Information Wants To Be Free. Information also wants to be expensive. ...That tension will not go away
That's not a real tension. There is no case where the inherent value of some commodity keeps its price high despite easy availability. That's the point of the "diamonds in the desert" thought experiment.
Inherent value provides a ceiling on the price of whatever it is.
Availability also provides a ceiling on the price.
If I give you two theorems that say C < 300 and also C < 10, why would you describe those as being "in tension" with each other?
The tension arises because in some cases, at least for a while, the availability can be suppressed. Like when some expert releases an expensive ebook or video course "Secrets of X". Of course many such books are scams, but assume for the sake of argument the information is actually valuable. The initial buyers are motivated not to share it. It remains a scarce commodity for a while. But all it takes is one person to make a torrent, and the game is over. So there are two incentives -- one trying to keep it scarce, and the other trying to make it free.
Copyright was created because we realized that it takes effort to put works together (in the original case it was educational information) but that distribution can be done without rewarding that initial effort. Which then results in the initial effort not happening. Which then ends up in a dumber, less intelligent, idea poor world without those works.
Society agreed to copyright because of the social benefit of having people willing to put effort/expense into creating works. We're not talking zero value internet BS, but real works. People who create the works don't make them scarce, their distribution is infinitely scalable. They just make it so that they are compensated.
Most information is not easily available, it is purposefully hidden because knowledge is power and money. And that's through all fields and not only Coca-Cola recipes.
The argument is that authors will stop making information publicly available because piracy takes away the value. So instead information will be hidden in vaults and do good only for a few people. Like how maps used to be top state secrets.
The obvious fix for this is to either eliminate trade secret protections in favor of patents, or make them conditioned upon escrow with the government to be released to the public domain after some time (perhaps half the time of a patent).
Don't want to release your recipe ever? Tough cookies when your lead scientists bring it to a competitor.
Trade secrets are counter to the purpose of "IP" law. The public has no interest in protecting them and every interest in... not doing that.
Until every new born child is forcefully implanted with a microchip in their brain at birth, you will never be able to stop people from thinking and having secrets.
If people are not fairly compensated for sharing their secrets and discoveries with the public, they won't do it. They'll take it to the grave if so be. And we lose out on information which can benefit an enormous number of people.
So the quoted person is absolutely right that there is a great tension between these two factors. How should great ideas be greatly compensated while giving the widest access possible? Neither piracy nor expensive access to information is the right solution.
Trade secrets never expire and sharing them is a crime, so currently people can take them to their grave and the government will have their backs in doing so. A single person's secret is also unlikely to matter much next to the potential of global corporations' secrets, and the nature of corporations is that they are made of people who have little reason not to take an offer with a competitor after they've learned the necessary secrets to do their job. Hence, don't protect those corporations unless they offer something in return (explicitly divulging them/contributing to the common knowledge base). Without that protection, knowledge can more naturally spread.
The fair compensation they should be offered is time limited protection. Otherwise it should simply be legal for any of their employees to spread that knowledge. Giving unlimited protection to not divulge knowledge is counter to the entire point of "IP" law.
"The" Coca-Cola formula would have lost its patent restrictions a century ago. It's still unshared. Why exactly should we continue to grant any legal protection from an employee sharing it?
We're way off topic, and it seems like this thread is just turning into unproductive argument. I'm just arguing that there will always be tension between information wanting to be free and information creators wanting to profit from their ideas or their work. We don't even have to involve companies and trade secrets in discussing that tension, it was just an example.
It's not a quote, but a statement. And even if it were a quote, random other quotes from the same person are not relevant. "This is just a part of the quote" people are so annoying. Like guess why it is "only a part of a quote"? Because some parts are neat, insightful and true, and some other parts are irrelevant and garbage.
Sorry, this was a more general rant, because it is so annoying every single time.
In this case: Who the hell cares about that random guy's random views? How is it relevant in this conversation?
For me, it was useful to clarify that "information wants to be free" was "information wants to be gratis", not "information wants to be libre". I didn't realize it referred to cost.
What are social security numbers if not just another bit of information that wants to be free?
Or perhaps you are saying that people that have an interest in the availability of particular information should have some control on that information's freedom...
The idea that any widely transmitted identifier's confidentiality should be its primary method of security is asinine.
The failure of any exploit regarding SSNs or the like is not on the offending party, but on each using party's failure to implement even a modicum of actual security.
A widely transmitted identifier that tons of organizations need to ask you for taxes is not secret. It's used to precisely identify who you claim to be. It's your username. There's not much to say about also treating it as your password except that it's asinine. It's like treating your first name/last name as a secret password.
People can do good things and bad things simultaneously. Unless me supporting the good things directly enables also the bad things, I don't see a reason to throw out the good thing.
He said he personally suspects, I don't think that was more than a throwaway comment. Besides, if my enemy is dismantling an institute in my society that I want dismantled, I'm not going to complain.
I'm sick and tired of this misquote, as it was merely an observation of trends, and was never meant to be a moral maxim or mandate. If you truly believe information needs to be free as a moral mandate, share your company's source code first.
Macs are around the five year mark for a full ARM transition. Remaining Intel Macs are right on the edge of not receiving software updates anymore, and the Rosetta translation layer already has a scheduled wind down.
Any Mac application will be built for ARM at this point, and anything made for Intel Macs will run seamlessly under Rosetta. And that stuff is mostly limited to developers making Intel Docker images, musicians using some VSTs that haven't upgraded, and games.
This is at least the third major architecture migration for Macs, and they always rip the band-aid off and applications have to upgrade or not run. (Motorola to PowerPC, PowerPC to Intel, Intel to ARM.)
Yep, the greater bulk of Mac apps had proper ARM builds just 1-2 years after the first M1 devices launched. Third party Mac devs don’t drag their feet on arch transitions.