@kouhai the web3 people don't actually get this right as much as I thought; they consider key extraction to be a security feature. This is terrifying.

@cadey it's a conscious "availability over security" choice by that community, I guess – because inaccessible speculative instruments are ones that you no longer own

@cadey WebAuthn manages to have way better UX than TOTP while being more secure at the same time, I find that honestly quite impressive. I love that I can just confirm my login by tapping my fingerprint reader (that's on Windows and Android). The only problem is that most services I am aware of that offer WebAuthn force you to set up TOTP first.
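
The "more secure" part of the post above comes down to origin binding: the browser, not the page, records the origin and relying-party ID that the authenticator signs over, and the server checks both, which is something a TOTP code cannot offer. The following is an added example, not code from this thread or from any product or project named in it. It is standard-library Go (1.19 or later, for binary.BigEndian.AppendUint32), with a constructed software authenticator standing in for a real key; the relying party "example.com" and the lookalike "example.com.evil.test" are made-up names, and the counter check is stricter than the spec's (a real RP also tolerates authenticators that always report 0).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// clientData mirrors CollectedClientData: the browser fills in Origin, the page cannot.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Assertion is what the relying party gets back from navigator.credentials.get().
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// Sign plays the software authenticator (constructed for this example); rpID and origin are supplied by the browser from where the page was really loaded.
func Sign(key *ecdsa.PrivateKey, counter uint32, rpID, origin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x05) // authData = rpIdHash || flags || signCount; 0x05 = UP|UV
	authData = binary.BigEndian.AppendUint32(authData, counter)
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, cd))
	return Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// signedDigest is what is actually signed: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// RelyingParty is the server side: rpID, origin, registered key, last accepted counter.
type RelyingParty struct {
	ID, Origin  string
	Pub         *ecdsa.PublicKey
	LastCounter uint32
}

// NewChallenge issues the fresh random value each assertion must echo back.
func NewChallenge() string {
	b := make([]byte, 32)
	_, _ = rand.Read(b) // crypto/rand.Read is documented never to fail as of Go 1.24
	return base64.RawURLEncoding.EncodeToString(b)
}

// Verify runs the RP-side checks that give WebAuthn its phishing and replay resistance.
func (rp *RelyingParty) Verify(a Assertion, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil || len(a.AuthData) < 37 {
		return fmt.Errorf("malformed assertion")
	}
	wantRPHash := sha256.Sum256([]byte(rp.ID))
	counter := binary.BigEndian.Uint32(a.AuthData[33:37])
	switch {
	case cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge:
		return fmt.Errorf("wrong ceremony type or stale challenge")
	case cd.Origin != rp.Origin: // the check a TOTP code has no equivalent of
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.Origin)
	case string(a.AuthData[:32]) != string(wantRPHash[:]):
		return fmt.Errorf("rpIdHash mismatch")
	case a.AuthData[32]&0x01 == 0:
		return fmt.Errorf("user presence flag not set")
	case counter <= rp.LastCounter: // strict; real RPs also accept 0 from counter-less keys
		return fmt.Errorf("counter %d did not increase: replay or cloned credential", counter)
	case !ecdsa.VerifyASN1(rp.Pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature):
		return fmt.Errorf("bad signature")
	}
	rp.LastCounter = counter
	return nil
}

// Demo registers one credential, then runs a genuine login and a relayed-phishing attempt.
func Demo() (genuineAccepted, phishAccepted bool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	rp := &RelyingParty{ID: "example.com", Origin: "https://example.com", Pub: &key.PublicKey}
	c1 := NewChallenge()
	good, _ := Sign(key, 1, rp.ID, rp.Origin, c1) // a Sign error just yields a rejected assertion
	genuineAccepted = rp.Verify(good, c1) == nil
	// The lookalike relays the RP's real challenge, but the browser hands the authenticator
	// the lookalike's rpID/origin (and would normally not even offer the credential for it).
	c2 := NewChallenge()
	bad, _ := Sign(key, 2, "example.com.evil.test", "https://example.com.evil.test", c2)
	phishAccepted = rp.Verify(bad, c2) == nil
	return genuineAccepted, phishAccepted
}
func main() { fmt.Println(Demo()) }
```

`go run` prints `true false`: the genuine assertion passes, the relayed one is rejected on the origin check before the signature is even examined. The same Verify also rejects a replayed assertion (counter did not move), a stale challenge, and clientData rewritten to claim the real origin (signature no longer matches), which is the property a relayed TOTP code lacks. A production RP additionally looks the credential up by ID, verifies attestation at registration, and stores the counter per credential.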

@cadey Google is even worse here, because they just add every Android phone as a push two-factor device and I have yet to find a way to remove that "feature". For good measure they made getting phished even easier by making the prompt a full-screen popup that interrupts whatever you may be doing on your phone at that moment.

@cadey Do you know of any non-corporate efforts at 2FA?

As a free software advocate, none of my devices have secure enclaves, and I'm not inclined to buy one that has.

Yubikeys are a lesser evil, but still a corp with a monopoly position in the area and no open hardware or standards (to my knowledge).

@Naughtylus somehow a hardware bitcoin wallet by Trezor or Ledger may be the way to go there. Trezor is open hardware, in case that helps guide your decision.

In general you may want to look at OpenSK (github.com/google/OpenSK) or Canokeys (canokeys.org/, also open hardware I believe).

I personally use yubikeys because I trust them to be way more crazy paranoid than I am. I also use webauthn credentials (and even SSH keys) from my iPhone's Secure Enclave because I've seen enough of how Apple stuff works to believe that it's far more secure than what I can cook up.

Fundamentally though, something being corpo isn't totally bad. It's kind of a fact of life for living under capitalism if you want to have a convenient life.

@Naughtylus @cadey
I just noodled around on the ol' search engine and found a couple things to bookmark as this interests me as well.

I think if by standards you mean specifications then there's FIDO: fidoalliance.org/specification

As far as open hardware, this could be a good starting point: blog.thestaticturtle.fr/lets-m

Sorry if this isn't useful, I'm not very knowledgeable in this area, but I'm trying to learn!

@cadey
Thanks. WebAuthn seems to be really interesting on the UX side, but something that troubles me about it is its dependence on dedicated hardware, where a purely software solution might still provide similar security to a hardware-based solution, unless the device itself is hacked.

From what I read, WebAuthn can work with a software wallet as well as a hardware one, but that is somehow quite hard to enable/configure. For now, the nearest thing I have to it is a password manager and TOTP.

Manechat on Mastodon