trevor (he/they)

A lot of incorrect assumptions in this article. If you don’t like the idea of a key exchange over passwords, I hope you use password auth when you SSH into things 😁

The word passwordless is nonsense. In most cases, most passkey implementations, you need a PIN to unlock your private key to authenticate. PIN = password, except it’s numbers only. Nonsense. Passkeys simply obfuscate the problem and move it somewhere else, most often into a PROPRIETARY key management tool. For example, Microsoft wants you to use THEIR authenticator app. Not just any app that adheres to the standard. Nope. This effectively means super-vendor-lock-in. Absolute nonsense.

You can argue that the term “password less” is nonsense, but there is literally nothing about the spec that prevents you from using passkeys as they were designed: with hardware keys that support the open FIDO2 authentication protocol. Yes, you still need a second factor to verify the authentication attempt (via a PIN), but unless you’re mailing that key to hackers, the private key generated by your SoloKey, NitroKey, or another open source hardware key, is more secure than any password ever will be.

Passkeys usually require a phone - this is a single point of failure, and one that gives the big companies extra control over you. Phone, number, SIM, and so forth. A beautiful bevy of data. The whole idea of actually having to use your phone as an identity vector is horrible.

Phones support storing passkeys. Phones also support storing passwords. In no way does this mean you must use them for this. You can either use hardware keys, or you can use your favorite open source password manager to store passkeys where you should already be storing your passwords anyway.

You need “biometrics” to supposedly prove you’re you to unlock your private key. Biometrics are a form of password, except you can’t replace it, and it also gives yet more of your personal data to the big companies. More nonsense.

This is literally a direct contradiction of what the author said in their first bullet point. Use a PIN if you don’t like using biometric auth.

The implementation of passkeys is fragmented, vendor-specific, and complicated. Only diehards who love technology can use this. The same kind of people who were “all in” when IoT/cloud crap came out, and now they see their smart homes slowly go offline as big vendors almost arbitrarily cut support for old gadgets and effectively kill products. Because cloud.

Most of this is actually a fair critique. The FIDO Alliance is still working on the spec, and I think they should require any implementation of passkeys to follow the spec to a tee without adding any kind of nonstandard bullshit to their authentication.

However, most advancements in tech begin with only appealing to enthusiasts and later become adopted by wider audiences. It doesn’t make them bad that they aren’t immediately popular with everyone.

Passkeys only solve one use case - phishing where the user inputs their password and MFA into a fake site.

I’m glad the author can at least recognize that there’s at least one thing that passkeys solve that passwords can’t. But it’s not the only thing. When you enter a password on a site, you’re hoping like hell that the service you’re using hashes it and hashes it properly. When you authenticate with passkeys, you’re sending the site a public key. This key will have way more entropy than any password will, so anyone trying to crack a hashed public key is in for a long, miserable time (obviously not impossible though). But even if they wasted their time doing that, it’s a public key. Who cares?

Any service you use passkeys with instead of passwords won’t put you in another leaked password database. The public key just needs to be invalidated and you can move on with your life.

Gross.

Fuck that. The Linux gate is wide open! Anyone that wants to use Linux, come on in!

And for your own sake: use anything but Ubuntu and their buggy Snaps.

Thanks! That first link is an excellent resource for a security tool I’m working on. Specifically, gVisor, which I hadn’t heard of, but looks like an excellent way to harden containers.

I may rebase to secureblue from Bluefin at some point to give it a try.

I’m asking this because I haven’t tried secureblue: in what ways is Linux behind in security, and what does secureblue do to mitigate that?

And do any of those mitigations negatively impact usability?

Yeah. This is useless.

Can someone explain why, and what to use them for?

The well deserved Snap complaints 😏

Running x86_64 emulation on an ARM CPU is a miserable experience and should be avoided. I’ve done this on an M-series Mac with UTM, and you’re looking at ~10-minute boot times just to get the VM booted, and ~3 minutes for it to render a response to whatever you click.

It’s honestly wild that they seriously suggest doing this on their Wiki.

This is the way. The uBlue derivatives benefit from the most shared knowledge and problem-solving skills being delivered directly to users.

Between that, and using a decorative distrobox config, I get an actually reliable system with packages from any distro I want.

Has anyone ever explained the meaning behind the Asahi logo? It always reminded me of a cartoon anvil (in a good way).

I like YAML, as long as you aren’t using complicated syntax. Using the | operator will get you some flexible usage that’s mostly easy enough to read. YAML definitely has its problems though. If you want, I can share some snippets of my config.

Sadly though, due to Espanso not having a working RPM build for Wayland (or a Flatpak, which they’re working on), it’s not quite as cross-platform as I want it to be. It won’t work on any of the cool uBlue-derived distros that I’ve gravitated toward, so I’m hoping we get a nice, big update this year.

Espanso is probably the most useful software that nobody is using. I can’t live without it.

I hope it gets an update soon…

As someone that has never used Puppet, I also wonder this. Ansible is agentless and works on basically anything. What do you gain by requiring an agent, like with this?

I’ve been running fish from the development branch for about a year, and I’m happy to say that nothing about it feels like it’s beta. It’s rock-solid (IMO) and my favorite shell 🐟