by echohack5 924 days ago
Here's a workflow:

1. Normally I run everything on my own devices, use 1Password, 2FA, etc, but rarely I need to use a locked down device and manually and painstakingly enter 100+ character passwords and 2FA keys. Installing anything on the device is out of the question, but I need to use a web browser and auth using these credentials. Copy and paste and externally using any devices to connect with the system is prohibited.

How does doing a FIDO2 dance work in this scenario?

3 comments

> Copy and paste and externally using any devices to connect with the system is prohibited.

Like a keyboard? In which case: how do you enter your password?

Is that a common scenario? Where you can use a (presumably) USB-attached keyboard but you cannot insert your security key?

Air-gapping the machine running a web browser from the machine that stores your passwords seems completely reasonable to me.

So does preventing people from plugging random USB devices into shared machines.

Passkeys have a fallback flow where they show a QR code you can scan from the screen of the device you want to log in to. Requires Bluetooth though, to prove you are "near" the device. I guess that's also disabled on these hypothetical locked-down devices?
I can't imagine that working correctly on a machine at a library.

Also, connecting via Bluetooth defeats the purpose of air-gapping.

And yet all the non-technical folks you give this advice to will look at you like you have two heads. This is completely unreasonable, unrealistic, user-unfriendly advice.
Many people use shared computers at our local library. I can afford a nice quiet office and big monitor at home, but many people cannot.

I imagine they either memorized their passwords, wrote them on a piece of paper, or stored them on an (air gapped from the library machine) cell phone.

There is a keyboard and mouse attached to the server already, but few if any services run, and if they do they're fairly locked down, or in some degraded state.

It's not a server I need to access often in this way. But I think these necessary-but-limited-use scenarios will be interesting should passkeys really catch on like passwords did.

> Is that a common scenario? Where you can use a (presumably) USB-attached keyboard but you cannot insert your security key?

I don't know how common it is, but this is the exact issue that makes passkeys a nonstarter for me.

This is covered by the cross-platform scenario. It's not super elegant, although I'd say it's easier than typing 100+ random characters (and also trusting that the locked down device doesn't have any key logging?). Lots of providers have their own FAQ, but here's one: https://www.corbado.com/passkeys/faq#:~:text=Passkeys%20have....
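The QR-plus-Bluetooth fallback mentioned in the earlier comment and the cross-platform flow referred to here work by binding the phone's Bluetooth advertisement to a secret that only the browser's freshly shown QR code contains, so the phone proves both that it scanned this QR and that it is in radio range. Below is an added, deliberately simplified Python model of that proximity proof, written for this page and not taken from any comment or from the CTAP specification: the message shapes, the HMAC-based advertisement and the key derivation are assumptions, not the real hybrid-transport wire format.

```python
import hashlib
import hmac
import os


def browser_show_qr() -> dict:
    """The browser mints a fresh per-login secret and displays it in the QR code."""
    return {"version": 2, "qr_secret": os.urandom(16)}


def phone_advertise(qr: dict) -> dict:
    """The phone that scanned the QR derives a BLE advertisement from its secret
    (modelled here as an HMAC tag; the real protocol encrypts the advertisement)."""
    nonce = os.urandom(8)
    tag = hmac.new(qr["qr_secret"], b"advert" + nonce, hashlib.sha256).digest()[:16]
    return {"nonce": nonce, "tag": tag}


def browser_accepts_advert(qr: dict, advert: dict) -> bool:
    """Accept only an advertisement bound to the QR this browser just showed."""
    expected = hmac.new(qr["qr_secret"], b"advert" + advert["nonce"],
                        hashlib.sha256).digest()[:16]
    return hmac.compare_digest(expected, advert["tag"])


def derive_tunnel_key(qr: dict, advert: dict) -> bytes:
    """Both sides derive the same key for the relay session that follows."""
    return hashlib.sha256(b"tunnel" + qr["qr_secret"] + advert["nonce"]).digest()


def cross_device_login(bluetooth_on: bool, phone_scanned_this_qr: bool) -> str:
    """Run the flow end to end; returns 'ok', 'no-bluetooth' or 'no-proof'."""
    qr = browser_show_qr()
    if not bluetooth_on:
        return "no-bluetooth"  # a locked-down device cannot hear the advertisement
    # A phone that scanned some other (stale or attacker-shown) QR has a different secret.
    source = qr if phone_scanned_this_qr else browser_show_qr()
    advert = phone_advertise(source)
    if not browser_accepts_advert(qr, advert):
        return "no-proof"
    browser_key = derive_tunnel_key(qr, advert)
    phone_key = derive_tunnel_key(source, advert)
    assert browser_key == phone_key  # both ends now share the session key
    return "ok"


if __name__ == "__main__":
    print(cross_device_login(True, True), cross_device_login(False, True),
          cross_device_login(True, False))
```

The two failure branches are the point of the model: with Bluetooth disabled the browser never sees an advertisement at all, and an advertisement derived from any other QR's secret is rejected, which is why the flow cannot be completed from a device that blocks the radio.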
Why does this need a technical solution? Just type in the password. Presumably if the system is important enough to be air-gapped and needs a 100+ character randomized password (without copy-paste and without hardware keys), it is important enough for you to spend the time to memorize and type in the passwords.

Otherwise, it is just security theatre if you won't even spend the time to make absolutely sure that 1) you are typing into an authorized device that won't log your key strokes, and 2) that using any other "assistance" mechanisms represents a breach in the security of this system.

Just friggin memorize it and type it in. For me, I memorize my bank password and PIN even though it's very complicated. This information is important enough for me to commit the time and not cheapen out by "relying on a tool". Of course, I keep it in my password manager as a record, but in daily use I absolutely do not say to the teller: oh, I need to look it up. I recite to the bank my passphrase and other ID confirmation from memory; I know it even better than my own phone number.

If you need multiple people to log in, each person should have a different password, only memorized by that person alone.

If the person can't memorize it, I would say either change the design of the system or fire this person because "they had one job: to memorize and type in this password".