Hacker News new | ask | show | jobs
by reginald78 547 days ago
Don't forgot the anti-features of:

No ability to export your credentials.*

Device attestation to allow blocking "undesirable" devices from authenticating and lock in purposes.

*keypass was working on an export feature and there were already threats to use the attestation club to ban them from the landscape for not falling in line

https://github.com/keepassxreboot/keepassxc/issues/10407#iss...
2 comments
jonpurdy 547 days ago
I found this out in October when trying to figure out this complaint.

timcappalli from FIDO Alliance mentioned in that above thread that plain text exports shouldn't be allowed, and that password managers/providers should be blocked if they implement plain text export.

Since that thread, there's a new spec that allows users to securely migrate passkeys from one provider to another, but no way to export to plain text (for debug purposes, or if there's a bug in the export/import and you need to troubleshoot, etc).

For me, threatening to block providers for implementing a feature that I desire is a great way for me to lose all interest in passkeys completely. I don't trust FIDO Alliance to make the right call nor do I trust big tech companies to produce bug-free software.

link
UltraSane 547 days ago
creds that can't be exported can't be stolen. It is a tricky tradeoff.
link
calamity_elf 547 days ago
my credentials aren't mine if I can't securely back them up and secure them in a platform independent way.

That attack on KeepassXC is despicable.

link
UltraSane 546 days ago
If you own the device the credits are stored on then they are yours.
link
nullfield 545 days ago
This very much falls into the same box as “not your keys, not your crypto”: if you’re forced to trust someone else to manage the keys for you then they have them - necessarily, in order to permit “transfer” (under this scheme, not everything) to another party - in plaintext, while you’re not allowed to “for your own good”, then you’ve lost it all.

They can: 1. Impersonate you, gaining access to anything your keys unlock 1.a. Impersonate you, claiming to be you in a violation of “key use enables non-repudiation” 2. Deny you the ability to use your keys 2.a. Change any of your keys, locking you out of things 3. Deny you the ability to transfer your keys to anyone they “don’t like” 3. Provide your keys to anyone else, e.g. “with a court order” 3.a. Anyone “benefitting” under (3) can then do (1(a)) …and surely more Bad Things.

Every single time “passkeys” seems to like “okay, maybe”… some fucktards pull another one of these.

Then I go, “okay, ssh keys, PIV, or whatever else is Just Fine, and these people who are either state agents, idiots, or power hungry idiots working to advance total control over humans with lack of freedom and no way back can go die, or as an alternative be sentenced to serious computer-things-reeducation”. …and I kinda mean it. There are certain things you just don’t come back from, as a society, etc. and I just won’t support it. You only get one chance not to.

link