
Posts: 1 · Comments: 249 · Joined: 2 yr. ago

  • Use a pair of hardware tokens and a long PIN if you want maximum security. If you want to use a sync-able software token, do that and set a strong PIN.

    You like long passwords? Go ahead and put one on your passkeys. You don't have to use a short pin.

    It is two-factor: something you have (the key in a TPM or hardware token) and something you know (the PIN). Or, if you choose to enable biometrics, it shifts to two things you have: the key and your face/fingerprint.

    Remember you only have limited attempts to guess the PIN and biometric auth is subject to configurable timeout conditions before the PIN is required.

    Any security-conscious person will use a strong PIN. Many will choose to use biometrics as well for convenience. Most people are still setting their password to Sm3llyK@t42 on every website. A protected key and a 4-digit PIN/fingerprint is a huge leap in security.
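    The comment above describes what the site actually gets from a passkey login: a key that is scoped to one site and only unlocks after the PIN or biometric check. In WebAuthn the relying party sees this in the authenticatorData the authenticator returns: the rpIdHash binds the credential to one origin, the UV flag says the PIN/biometric check was performed, and the signature counter helps catch a cloned key. The following is an added example, not code from the comment author or from any passkey library; it constructs a synthetic 37-byte authenticatorData prefix and runs the relying-party checks over it. It deliberately omits the ECDSA signature verification over authenticatorData || SHA-256(clientDataJSON), which a real relying party must also perform and which needs a crypto library.

```python
import hashlib
import struct

# Flag bits in the authenticatorData flags byte (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # user present (touch)
FLAG_UV = 0x04  # user verified (PIN or biometric unlocked the key)
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build the fixed 37-byte prefix of authenticatorData.

    Constructed test input standing in for what a real authenticator returns:
    SHA-256(rpId) || flags || 32-bit big-endian signature counter.
    """
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def parse_auth_data(auth_data: bytes) -> dict:
    """Split the fixed prefix of authenticatorData into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": auth_data[:32], "flags": auth_data[32], "sign_count": sign_count}


def check_assertion(auth_data: bytes, expected_rp_id: str, stored_sign_count: int,
                    require_uv: bool = True):
    """Relying-party checks on an assertion's authenticatorData.

    Returns (ok, reason). Signature verification is assumed to happen separately.
    """
    parsed = parse_auth_data(auth_data)

    # Per-site scoping: a passkey registered for another site hashes to a different rpIdHash,
    # so it cannot be replayed here even if the same authenticator is involved.
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch: credential is scoped to another site"

    if not parsed["flags"] & FLAG_UP:
        return False, "user presence not asserted"

    # The second factor: UV set means the authenticator demanded the PIN or biometric
    # before releasing a signature. A relying party that requires this must check the bit.
    if require_uv and not parsed["flags"] & FLAG_UV:
        return False, "user verification (PIN/biometric) not performed"

    # Counter check from the spec: if either value is nonzero, the new counter must
    # strictly increase, otherwise the private key may have been cloned.
    if parsed["sign_count"] != 0 or stored_sign_count != 0:
        if parsed["sign_count"] <= stored_sign_count:
            return False, "signature counter did not increase: possible cloned authenticator"

    return True, "ok"


if __name__ == "__main__":
    good = make_auth_data("example.com", FLAG_UP | FLAG_UV, 5)
    print(check_assertion(good, "example.com", 4))            # (True, 'ok')
    print(check_assertion(good, "evil.example", 4))           # rpIdHash mismatch
    no_uv = make_auth_data("example.com", FLAG_UP, 5)
    print(check_assertion(no_uv, "example.com", 4))           # PIN/biometric not performed
    print(check_assertion(good, "example.com", 5))            # counter did not increase
```

    The "evil.example" case is the privacy point from the comment: nothing in the assertion identifies the authenticator across sites, only the hash of the site's own rpId, so the relying party can reject a credential minted for another origin without ever learning a device identifier.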

  • It doesn't feel better? Good thing security doesn't care about feelings. The fact is it is more secure no matter what it feels like. Privacy is maintained since you use a new key with each site. There is no IMEI or anything like that in the passkey spec. Social engineering ranges from more difficult to impossible depending on whether you use a synced, local software-based, or hardware-based passkey system.

    You have a lot of incorrect assumptions. Read https://support.apple.com/en-us/102195 and https://fidoalliance.org/passkeys/#faq.

  • I think you are unknowingly agreeing. Having hiked with typical people most would not notice that bear until it moved, made a sound, or was pointed out by someone paying above average attention.