I’m sad PGP didn’t become a popular way to log into websites. A challenge-response protocol could have even been built into web browsers. Big tech is reinventing that idea as Passkey, but with a very big tech flavor.
I’m already hearing about restrictions on exporting passkeys and some apps requiring that you’re not running a custom ROM on Android and stuff like that. Makes me worried they’re going to fuck that up and make it restrictive bs
From what I heard passkeys need google services framework for some reason. Don’t know technical reasons behind it but I would assume its bs given its google.
I’m living this pain with a custom ROM already, with some banking stuff, Google Wallet, WhatsApp passkeys and I think Netflix (haven’t installed it) block you for tripping up Google’s security tests.
If passkeys become a big thing and they’ll start enforcing them and apps that have those security measures I’m going to fucking firebomb something. REEEEEE
Passkeys or WebAuthn are an open web standard, and the implementation is flexible.
An authenticator can be implemented in software, with a hardware system integrated into the client device, or off-device.
Exportability/portability of the passkey is up to the authenticator.
Bitwarden already exports them, and other authenticators likely do, too.
WebAuthn relying parties (ie, web applications) make trust decisions by specifying characteristics of eligible authenticators & authentication responses & by checking data reported in the responses.
Those decisions are left to the relying party’s discretion.
I could imagine locked-down workplace environments allowing only company-approved configurations connect to internal systems.
WebAuthn has no bearing on whether an app runs on a custom platform: that’s entirely on the developer & platform capabilities to reveal customization.
The California DMV requires you to renew your vehicle registration every year by paying with a bank account number (no card) which is like a 30ish digit number and they disable paste. If you get it wrong they won’t notify you in any way until you get pulled over by a cop who is one bad sneeze away from murdering you. It’s a great system.
I have renewed my CA registration with a credit card going back to at least 2016. A responsible driver would know their renewal failed when their registration document did not arrive via mail.
A bit of a hacky workaround on Android. Get Keepass2Android, use the included keyboard.
“Paste” whatever via the inbuilt password input functionality. It basically auto types out your passwords. (You protect this behind a master password/and optionally quick accessed by biometrics)
I think my question was clear enough. The comment didn’t mention banks, I’ve never had a bank that did that, and we generally don’t try to hide our identities from our banks anyway. My best guess was that they misunderstood how public/private keys work, but since that was only a guess, I asked.
I want to preface this response saying I full agree with this, I want something like this to happen, I am responding because of some concerns I have. The real major one: How do you verify the authentication part of the data security chain?
A PGP key alone does not authentically validate that you are who you say you are. When the source is the untrusted party, it doesn’t accomplish the site’s goal. It’s the equivalent to me handing you a piece of paper saying “I’m John Smith and this is what I use to say I’m this” which works amazing for trusted exchanges, but when the source is “just trust me bro” it doesn’t solve anything for the website owner.
Websites get around this by having trust certificates/root servers that are co-signed with the PGP key. However, we lack any system like that for personal identities. Arguably, setting up such a system would isolate most of the known internet, as it is a significant roadblock, much like how SSL certificate usage was a huge roadblock for sites before Let’s Encrypt became a thing.
This setup would be amazing for logging into sites. However, it fails to accomplish what the websites that are asking for PII are looking for, which is verification that their user is who they say they are, and not a random third party.
To reliably use this setup, we would need something similar to Let’s Encrypt, but for user identification. The issue with that is it would become the de-facto attack vector (for both law enforcement and criminal parties), and that site would need to require PII to address the biggest concern on these sites, which is that you are who you say you are, and not Jo Smo or a bot looking to harvest data. Additionally, as mentioned earlier, a massive retraining of the internet would need to be done, which would mostly affect non-tech folk.
I am hopeful that an easy function that won’t violate users privacy comes out, but I don’t think the two topics are compatible sadly
How do they currently solve this problem for passwords?
You could just have the register/create account button lead to a pubkey upload instead of a ‘set password’, no?
This problem isn’t addressing password authentication, its the website knowing who you are and that you are legitimate. Websites that collect things such as phone numbers during account creation don’t collect your PII as part of your password procedure. They collect it as a verification that you are an actual being and not a fake account/bot. The ease of being able to go through a forgot password thing is just a positive side effect.
This solution would work amazingly for logging in, there’s no argument for that, but it doesn’t address the elephant in the room: That the website wants to make sure you are a person/legitimate account and not a fake alias or a bot to scrape info, and when you are the only one providing that information that claim can’t be verified.
The solution here is distributed trust by proxy. You start with a single exchange between two trusted peers, and build from there. As long as every individual link within the network is trusted, then any route between two disconnected endpoints can be trusted as well. As the network grows there is a very high statistical likelihood that there will exist many individual trust graphs between two nodes, which provides redundant validation.
I have always thought this would make a cool chat app. You enter the network by scanning someone’s QR code to become their validated peer, and then you can theoretically communicate with anyone else on the network by exchanging keys via trust graphs. You could then build a social network on top of it which shows you how many hops it takes you to get to some celebrity or some shit.
This should be what digital ID looks like:
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEZ26+ARYJKwYBBAHaRw8BAQdAsUGMjbGNUyyz9PHsHKP4xj/tIfYIuHb4miPH 0iCPpu60K0VSUk9SOiBFYXJ0aC5leGUgaGFzIGNyYXNoZWQgPG5vQGVtYWlsLmV4 ZT6IcgQTFggAGgQLCQgHAhUIAhYBAhkBBYJnbr4BAp4BApsDAAoJEI6E3uMn31Z3 028BAM5o8ER0dqTsxFlZSgZOvvgFHGuy2eFgF3rULkGKl1KrAP9fdE7WwnYbBer/ AVmw5jr0P5m/XsEQQrSueuk/FLYBBbg4BGduvgESCisGAQQBl1UBBQEBB0BDR0Bv pf4jxbwp9rVowFTnL59NGqnnh6XyF/LjAoYDGgMBCAeIYQQYFggACQWCZ26+AQKb DAAKCRCOhN7jJ99Wd1dMAP45xmN03SodkWHi7PYOORqNXJUBdMzzfsRXdqE8ZXaW vAD+PqNqPcbwJYCOEAXkg7DlZ0SX3o9MViZLdzHFQ3TpUA8= =krDh -----END PGP PUBLIC KEY BLOCK-----
PGP Key Fingerprint: 857957d40f06cc816fd3d29a8e84dee327df5677
Should be good until quantum computers come around
I’m sad PGP didn’t become a popular way to log into websites. A challenge-response protocol could have even been built into web browsers. Big tech is reinventing that idea as Passkey, but with a very big tech flavor.
I mean, passkeys are… sort of… PGP… 🤷♂️
I’m already hearing about restrictions on exporting passkeys and some apps requiring that you’re not running a custom ROM on Android and stuff like that. Makes me worried they’re going to fuck that up and make it restrictive bs
Why should my OS be any of their concern?
From what I heard passkeys need google services framework for some reason. Don’t know technical reasons behind it but I would assume its bs given its google.
Yes, they don’t work without Google Play Services. Google didn’t implement passkeys in Android, only their own services.
I’m living this pain with a custom ROM already, with some banking stuff, Google Wallet, WhatsApp passkeys and I think Netflix (haven’t installed it) block you for tripping up Google’s security tests.
If passkeys become a big thing and they’ll start enforcing them and apps that have those security measures I’m going to fucking firebomb something. REEEEEE
Shit like this is why I don’t have a smartphone anymore. I have a brick phone that half the time I don’t even take out with me.
Passkeys or WebAuthn are an open web standard, and the implementation is flexible. An authenticator can be implemented in software, with a hardware system integrated into the client device, or off-device.
Exportability/portability of the passkey is up to the authenticator. Bitwarden already exports them, and other authenticators likely do, too.
WebAuthn relying parties (ie, web applications) make trust decisions by specifying characteristics of eligible authenticators & authentication responses & by checking data reported in the responses. Those decisions are left to the relying party’s discretion. I could imagine locked-down workplace environments allowing only company-approved configurations connect to internal systems.
WebAuthn has no bearing on whether an app runs on a custom platform: that’s entirely on the developer & platform capabilities to reveal customization.
Now type it a form that doesn’t allow copy and paste.
The California DMV requires you to renew your vehicle registration every year by paying with a bank account number (no card) which is like a 30ish digit number and they disable paste. If you get it wrong they won’t notify you in any way until you get pulled over by a cop who is one bad sneeze away from murdering you. It’s a great system.
Bank account numbers are, like, 8-10 digits. Certainly not 30ish.
What? Mine are 6 digits. Plus the routing number
Still, not 30ish digits like that person said. Hyperbole be damned.
I have renewed my CA registration with a credit card going back to at least 2016. A responsible driver would know their renewal failed when their registration document did not arrive via mail.
Nah dude fuck that. The burned of compliance with laws shouldn’t fall so hard on people.
A bit of a hacky workaround on Android. Get Keepass2Android, use the included keyboard.
“Paste” whatever via the inbuilt password input functionality. It basically auto types out your passwords. (You protect this behind a master password/and optionally quick accessed by biometrics)
Profit
Yeah… I did this kind of thing before as a password and found that out the hard way
tbh ive never had a password box that I can’t copy/paste into
I’ve seen a few. They’re super annoying when trying to use a password manager with a decent password.
Can’t your password manager do autotype? That’s what I use mostly, because I don’t want all my passwords in my clipboard.
Probably. It works >99% of the time I need it so I haven’t poked around in the settings too much.
Or even just a paper form.
Why?
Wdym why? That’s how most bank portals are designed. Copy-paste functionality is disabled and you have to type username, password, authentication code
I think my question was clear enough. The comment didn’t mention banks, I’ve never had a bank that did that, and we generally don’t try to hide our identities from our banks anyway. My best guess was that they misunderstood how public/private keys work, but since that was only a guess, I asked.
Thanks, gonna need your phone number to verify that though.
I want to preface this response saying I full agree with this, I want something like this to happen, I am responding because of some concerns I have. The real major one: How do you verify the authentication part of the data security chain?
A PGP key alone does not authentically validate that you are who you say you are. When the source is the untrusted party, it doesn’t accomplish the site’s goal. It’s the equivalent to me handing you a piece of paper saying “I’m John Smith and this is what I use to say I’m this” which works amazing for trusted exchanges, but when the source is “just trust me bro” it doesn’t solve anything for the website owner.
Websites get around this by having trust certificates/root servers that are co-signed with the PGP key. However, we lack any system like that for personal identities. Arguably, setting up such a system would isolate most of the known internet, as it is a significant roadblock, much like how SSL certificate usage was a huge roadblock for sites before Let’s Encrypt became a thing.
This setup would be amazing for logging into sites. However, it fails to accomplish what the websites that are asking for PII are looking for, which is verification that their user is who they say they are, and not a random third party.
To reliably use this setup, we would need something similar to Let’s Encrypt, but for user identification. The issue with that is it would become the de-facto attack vector (for both law enforcement and criminal parties), and that site would need to require PII to address the biggest concern on these sites, which is that you are who you say you are, and not Jo Smo or a bot looking to harvest data. Additionally, as mentioned earlier, a massive retraining of the internet would need to be done, which would mostly affect non-tech folk.
I am hopeful that an easy function that won’t violate users privacy comes out, but I don’t think the two topics are compatible sadly
How do they currently solve this problem for passwords? You could just have the register/create account button lead to a pubkey upload instead of a ‘set password’, no?
This problem isn’t addressing password authentication, its the website knowing who you are and that you are legitimate. Websites that collect things such as phone numbers during account creation don’t collect your PII as part of your password procedure. They collect it as a verification that you are an actual being and not a fake account/bot. The ease of being able to go through a forgot password thing is just a positive side effect.
This solution would work amazingly for logging in, there’s no argument for that, but it doesn’t address the elephant in the room: That the website wants to make sure you are a person/legitimate account and not a fake alias or a bot to scrape info, and when you are the only one providing that information that claim can’t be verified.
The solution here is distributed trust by proxy. You start with a single exchange between two trusted peers, and build from there. As long as every individual link within the network is trusted, then any route between two disconnected endpoints can be trusted as well. As the network grows there is a very high statistical likelihood that there will exist many individual trust graphs between two nodes, which provides redundant validation.
I have always thought this would make a cool chat app. You enter the network by scanning someone’s QR code to become their validated peer, and then you can theoretically communicate with anyone else on the network by exchanging keys via trust graphs. You could then build a social network on top of it which shows you how many hops it takes you to get to some celebrity or some shit.
Nah, there are more than enough algorithms available that won’t work on quantum computers, I’m not too worried about that
-----BEGIN PGP MESSAGE----- hF4D7cLqolaUp8cSAQdAOCdAgwhjdDgwk6TsYbey9XLZrKT7ny+KRAORyTPJsmUw Fl1llKK3dYtwrPDUts8CA71uU8D2SOWwrk/mrQxlrP/btjNNj6j1vXehQJ0+FIuc 0sBPAU3onDQoAiPLDU7qky1cgtbgitMp4nGEnZ48Xh8OhWS03d9YfU4iIIuf/AWA MTzzbMLZCLqZrIiJGyE2EgJOLIMAOToxidQ6Z/blrT6W9effeu4GwEB622O0eIv5 ct0jm/e2A6j1Gf/7UsnzeC21ME55/JkDIFQQ5ZrYqRGp9+M0yNHXIhJXQvO+QmHz 1CclNIdwbnupIIy0+eiy+Wn41An/IUV2NJy+bmCxRmqTXZyNrfnPMrelY5imknd9 1oZGuHc6tWqNq0ntjV1sBBsxHtAXtFIBWcqEmUgnpxEBglRxx20thoWvQINisCB4 9ptHAUM9Qjr3tWFdvL5MqOHZ14XQ65bbKXhx5MJmr5yijA== =JKT0 -----END PGP MESSAGE-----No one except this guy will be able to read this. Die out of curiosity muhahahaha
That… very thoughful… 😅
I’ll make sure to remember your kinds words and never give you up, and never let you down 😎