#dev 2023-08-27

2023-08-27 UTC
eitilt1, bterry, superkuh, [schmarty], [jeremycherfas], btrem, win0err, jeremycherfas, [fluffy], pharalia, AramZS and geoffo joined the channel
vikanezrimaya
with the advent of "passkey" syncing, is there a way for a web developer to guarantee that a new shiny webauthn credential that a user creates will stay on device and not get leaked into cloud?
vikanezrimaya
I am honestly wary of these new developments in regards to syncing webauthn credentials. To me, their entire point was that they stay on-device and are not (trivially) extractable.
vikanezrimaya
And I was even going to use that on my own website...but now I am unsure if it's worth implementing.
vikanezrimaya
(on an unrelated note, Firefox's webauthn story seems extremely bad, since as far as I understand, it only supports USB FIDO2 devices on desktop Linux)
sknebel
I think the APIs to let websites know too much about where the credentials are coming from haven't been implemented?
sknebel
because we don't want websites to say "no, you can't use a usb stick, you need to use cloudsynced credentials because SECURITY!"
hs0ucy joined the channel
vikanezrimaya
and my point is that I want to do the opposite: say "No, you can't use cloudsynced credentials, that defeats the entire point!"
aaronpk
vikanezrimaya: this is a common concern in enterprise scenarios so there are and/or will be tools to manage
aaronpk
but in the meantime, even cloud synced credentials are far better than passwords
vikanezrimaya
hopefully they won't be too hard to use, and hopefully they won't require me to delve into checking attestation chains (which I believe to be an antifeature, since whenever I turn off attestation in Firefox, my NitroKey gets rejected, and I get a sketchy feeling from that)
vikanezrimaya
as for being better than passwords: I guess so, I just don't trust the E2EE claims that are thrown around by big corpos
[jacky] joined the channel
[jacky]
Tbh Firefox's Linux story is _kinda_ what I'd prefer everywhere (but that runs counter to corporate authentication requirements like remote revocation)
vikanezrimaya
[jacky]: not sure I understand; isn't revocation of a webauthn credential entirely server-sided since you can just forget the public part and it stops working to actually authenticate you?
sknebel
vikanezrimaya: IMHO the "entire point" is that the user should be able to choose what they use, browsers are supposed to be "user agents" after all, not "website enforcement helpers" ;)
[jacky]
I'm thinking like a company provisioned phone that's used as a passkey (so like if you're fired or if someone messes up device management, you're locked out)
[jacky]
Lol "website enforcement helpers" has a similar abbreviation to a particularly funky proposal for Chrome
vikanezrimaya
well, I don't see any controls to choose as a user either whether the credential stays where it's supposed to or gets leaked to the cloud. On my phone, where I was logging into Binance, it just asked me for a UV and bam, I got a passkey and I know nothing about whether it will stay on device or get yanked into cloud
vikanezrimaya
it didn't seem to work on my tablet though. probably because the tablet lacks a fingerprint reader?...
vikanezrimaya
might also be because the passkey actually stayed on device
vikanezrimaya
or might be because the Binance app is weird
aaronpk
the thing that generates the passkey decides whether it's cloud synced
aaronpk
not the thing you're logging in to
vikanezrimaya
well, maybe the user should get to decide?
aaronpk
you can decide to not use ios synced passkeys
vikanezrimaya
otherwise the browser becomes a Big Corpo enforcement helper
vikanezrimaya
aaronpk: oh, nice, so iOS has controls for it
aaronpk
no, i mean you can use a password/passkey manager that doesn't sync if you want
vikanezrimaya
I'm an Android pleb, last time I touched an iPhone was when a girl in college asked me to charge hers from a conveniently placed outlet I was sitting near
vikanezrimaya
I believe the entire syncing passkeys thing was actually pushed hard by apple, wasn't it?
aaronpk
yes, so the built in ios passkey thing will be cloud synced just like their safari saved passwords are. but you can swap out your password manager on ios and use something different
aaronpk
i use 1password on ios so i don't have anything in the icloud keychain
vikanezrimaya
I think the Google Credential Manager thingy that manages android passkeys is also swappable, but I don't remember how easy it is to swap and how easy it is to get an alternative implementation going
vikanezrimaya
in typical google fashion, I expect things to break the moment I disable the Google thingy
aaronpk
there aren't too many alternative implementations right now, but there will be in the future. 1password is already working on it
vikanezrimaya
even their own google thingies aren't reliable tbh
aaronpk
they have a decent explainer about it https://1password.com/product/passkeys
vikanezrimaya
huh, looks like their "beta" implementation (I'm using "beta" in quotes because aside from *some* corpos (ahem microsoft ahem) "beta" means "it's really stable enough to use, we're just scaredy cats because there is a 0.0000000000001% chance that a user presses a button incorrectly and our code eats their data") actually supports Firefox on Linux, as in it's explicitly mentioned.
vikanezrimaya
I wonder if I'll be able to actually pay for 1password... if I manage to set up billing for it, it might be worth the shot
vikanezrimaya
I would really love an open-source solution, but alas, these take time and nobody has time to work on something open-source these days...
vikanezrimaya
...wow. tried passkeys.io on my phone — Firefox works (albeit without resident keys, it seems? I still need to enter an email) and Chrome's fancy implementation doesn't work.
vikanezrimaya
google as usual
vikanezrimaya
not even surprised at this point
[jacky]
For micropub syndication (like bridgy), I'm noticing that it potentially requires PTD to understand what kind of request to make
[jacky]
Like if I wanna send a reply, the request to the Micropub syndication endpoint _should_ be also structured as a reply to the target URL
[jacky]
Noodling on this because I'm looking to write out a test case for this
[jacky]
My qualms on passkeys aside, I'm definitely integrating them for Sele and pushing it above magic link sign in
sebbu
vikanezrimaya, it's limited to 5 email addresses :(
sebbu
(passkeys.io)
sebbu
i wanted to put all my emails on the same account like on gravatar/libravatar
sebbu
but it does work in chrome
sebbu
on another topic, just thought that it would be nice if relmeauth (on indieauth/indielogin) could detect the "proofs" in gpg keys (like on keybase / metacode / keyoxide) and check if those services are supported (so it'd be a level of indirection), not just the rel="me" links
bterry, sp1ff, Loqi_, rubywarden, strugee-, geoffo, [tw2113_Slack_], sebbu2 and jacky joined the channel