banner
LightNews
jcoglan.com
[foreign Object]
@jcoglan.com
1.2K followers 840 following 3.8K posts
this is him here I write books about programming --> https://shop.jcoglan.com/
shop.jcoglan.com
Posts Media Videos Starter Packs
jcoglan.com
[foreign Object] @jcoglan.com · 1h
yeah, and for me, being able to back up my totp keys because they are just files is where I landed
2
jcoglan.com
[foreign Object] @jcoglan.com · 1h
yeah the backup story seems to be "register 2 yubikeys on every site you use" which is user hostile in so many ways I have lost count
1 3
jcoglan.com
[foreign Object] @jcoglan.com · 1h
which, once you know how trivial it is, makes this whole arrangement even more baffling and infuriating. the vendor lock in is completely illusory
2 6
jcoglan.com
[foreign Object] @jcoglan.com · 2h
the same argument for forbidding users from exporting key material is what makes Google Authenticator so user hostile and pushed me into implementing my own TOTP agent
2 1 6
jcoglan.com
[foreign Object] @jcoglan.com · 2h
right but this is precisely my problem with passkeys. nobody is explaining users' obligations to retain a specific datum or piece of hardware, or what happens when they fail to do so. to me, passkeys mostly look like a way for me to get locked out of my own accounts by miseducation
2 9
jcoglan.com
[foreign Object] @jcoglan.com · 2h
even without the 'none' problem you can fool JWT into using symmetric keys with asymmetric algorithms with disastrous results. it is a profoundly bad design
4
jcoglan.com
[foreign Object] @jcoglan.com · 2h
JWT isn't even bad due to complexity per se, it just makes flat out bad design choices. "you can direct the other peer to use arbitrary combinations of keys and algorithms" is just bad cryptography design
2 4
jcoglan.com
[foreign Object] @jcoglan.com · 2h
again: the totp algorithm fits on one screen in a big font
1 1 6
jcoglan.com
[foreign Object] @jcoglan.com · 2h
passkeys took a basically good idea i.e. "ssh keys were good let's do that again" and then attached so much incidental complexity that it is functionally impossible to implement without an enormous budget. this creates an enormous barrier to entry that works against its ostensible security goals
2 2 6
jcoglan.com
[foreign Object] @jcoglan.com · 2h
literally just give us totp with asymmetric keys I am begging you
1 8
jcoglan.com
[foreign Object] @jcoglan.com · 2h
reason I've read *half* the spec is it is absolutely enormous because they bolted tons of incidental functionality onto the core thing of "prove you know a secret key" and I gave up any hope of ever implementing it
1 1 8
jcoglan.com
[foreign Object] @jcoglan.com · 3h
to a first approximation nobody understands what a passkey even is. I know what one is but can barely explain how they're supposed to work, and I have read half the specification. the UX is an absolute nightmare
3 1 13
jcoglan.com
[foreign Object] @jcoglan.com · 3h
passkeys are a dead end unless they are adequately explained to users, which so far they emphatically have not been
4 6 24
jcoglan.com
[foreign Object] @jcoglan.com · 8h
have you played the game
1
jcoglan.com
[foreign Object] @jcoglan.com · 1d
having a cut-off where existing totp users can keep using it but nobody else can commence using it is baffling. either its security properties are acceptable for your problem space or they're not, how does banning it for new users help
1 3
jcoglan.com
[foreign Object] @jcoglan.com · 1d
me: [finally feeling like I'm getting back on track after a weeks-long insomnia event that's shattered my ability to manage my time and attention]

npm: hey you're free this weekend right
7
jcoglan.com
[foreign Object] @jcoglan.com · 1d
did you just tell me to go fuck myself stanley
1
jcoglan.com
[foreign Object] @jcoglan.com · 1d
why has my *pension provider* implemented sms-based 2fa against my express wishes and without verifying my phone number, I am so god damn mad about this
jcoglan.com
[foreign Object] @jcoglan.com · 1d
ah. well, nevertheless
1
jcoglan.com
[foreign Object] @jcoglan.com · 1d
lmao
2
jcoglan.com
[foreign Object] @jcoglan.com · 1d
what if I don't want ci based publishing
2 2
jcoglan.com
[foreign Object] @jcoglan.com · 1d
the totp algorithm fits on a screen in a very big font
1 1
jcoglan.com
[foreign Object] @jcoglan.com · 1d
I swear up and down, totp has *by far* the biggest security value to implementation effort ratio of any widely deployed web security mechanism. why do people keep avoiding it
1 5
jcoglan.com
[foreign Object] @jcoglan.com · 1d
why does everybody hate totp
2 3
jcoglan.com
[foreign Object] @jcoglan.com · 1d
you know what's real security? dropping busywork in people's laps that they have to deal with on the weekend
1 3