#dev 2023-08-27
2023-08-27 UTC
eitilt1, bterry, superkuh, [schmarty], [jeremycherfas], btrem, win0err, jeremycherfas, [fluffy], pharalia, AramZS and geoffo joined the channel
# vikanezrimaya with the advent of "passkey" syncing, is there a way for a web developer to guarantee that a new shiny webauthn credential that a user creates will stay on device and not get leaked into cloud?
# vikanezrimaya I am honestly wary of these new developments with regard to syncing webauthn credentials. To me, their entire point was that they stay on-device and are not (trivially) extractable.
# vikanezrimaya And I was even going to use that on my own website...but now I am unsure if it's worth implementing.
# vikanezrimaya (on an unrelated note, Firefox's webauthn story seems extremely bad, since as far as I understand, it only supports USB FIDO2 devices on desktop Linux)
# vikanezrimaya ugh.
hs0ucy joined the channel
# vikanezrimaya and my point is that I want to do the opposite: say "No, you can't use cloudsynced credentials, that defeats the entire point!"
# vikanezrimaya hopefully they won't be too hard to use, and hopefully they won't require me to delve into checking attestation chains (which I believe to be an antifeature, since whenever I turn off attestation in Firefox, my NitroKey gets rejected, and I get a sketchy feeling from that)
# vikanezrimaya as for being better than passwords: I guess so, I just don't trust the E2EE claims that are thrown around by big corpos
[jacky] joined the channel
# vikanezrimaya [jacky]: not sure I understand; isn't revocation of a webauthn credential entirely server-sided since you can just forget the public part and it stops working to actually authenticate you?
# vikanezrimaya well, I don't see any controls to choose as a user either whether the credential stays where it's supposed to or gets leaked to the cloud. On my phone, where I was logging into Binance, it just asked me for a UV and bam, I got a passkey and I know nothing about whether it will stay on device or get yanked into cloud
# vikanezrimaya it didn't seem to work on my tablet though. probably because the tablet lacks a fingerprint reader?...
# vikanezrimaya might also be because the passkey actually stayed on device
# vikanezrimaya or might be because the Binance app is weird
# vikanezrimaya well, maybe the user should get to decide?
# vikanezrimaya otherwise the browser becomes a Big Corpo enforcement helper
# vikanezrimaya aaronpk: oh, nice, so iOS has controls for it
# vikanezrimaya I'm an Android pleb, last time I touched an iPhone was when a girl in college asked me to charge hers from a conveniently placed outlet I was sitting near
# vikanezrimaya I believe the entire syncing passkeys thing was actually pushed hard by apple, wasn't it?
# vikanezrimaya I think the Google Credential Manager thingy that manages android passkeys is also swappable, but I don't remember how easy it is to swap and how easy it is to get an alternative implementation going
# vikanezrimaya in typical google fashion, I expect things to break the moment I disable the Google thingy
# vikanezrimaya even their own google thingies aren't reliable tbh
# aaronpk they have a decent explainer about it https://1password.com/product/passkeys
# vikanezrimaya huh, looks like their "beta" implementation (I'm using "beta" in quotes because aside from *some* corpos (ahem microsoft ahem) "beta" means "it's really stable enough to use, we're just scaredy cats because there is a 0.0000000000001% chance that a user presses a button incorrectly and our code eats their data") actually supports Firefox on Linux, as in it's explicitly
# vikanezrimaya mentioned.
# vikanezrimaya I wonder if I'll be able to actually pay for 1password... if I manage to set up billing for it, it might be worth the shot
# vikanezrimaya I would really love an open-source solution, but alas, these take time and nobody has time to work on something open-source these days...
# vikanezrimaya ...wow. tried passkeys.io on my phone — Firefox works (albeit without resident keys, it seems? I still need to enter an email) and Chrome's fancy implementation doesn't work.
# vikanezrimaya google as usual
# vikanezrimaya not even surprised at this point
bterry, sp1ff, Loqi_, rubywarden, strugee-, geoffo, [tw2113_Slack_], sebbu2 and jacky joined the channel