Firstyear

Senior LDAP/IDM Tech Debt Collector
@SUSE. Supermarket Thought Leader. Author of Kanidm, concread and webauthn-rs. he/him

Firstyear boosted:
2025-05-20

I made this point a few weeks ago, but... outsourcing all your IT, Networks, Service Desk (helpdesk) and operational cybersecurity is a temporary cost saving and basically paints a ticking time bomb on the org, IMHO.

Firstyear boosted:
JA Westenberg (Daojoan)
2025-05-17

they called it trickle-down economics because 'financial waterboarding' didn't poll well with focus groups

Firstyear boosted:
1.3.6.1.4.1.61513 (xssfox@cloudisland.nz)
2025-05-16

Protobufs are sparkling ASN.1 send toot

2025-05-16

Fun cursed discovery. A USB-C cable where both ends need to be inverted in the correct direction, else it doesn't work.

Firstyear boosted:
Anon Opin (anon_opin)
2025-05-16

The primary but unstated goal of HR departments is to protect employers from their employees. Once you understand that, your work and career will be so much easier.

2025-05-15

@dawnstar plenty of examples IRL too. Like mouse jigglers for hospital staff who can't wait for screen locks, or doors propped open as they're one-way only.

2025-05-15

@dawnstar Yeah, always important to recognise what works for you may not work for others. Something I have to think about a lot in my work.

2025-05-15

@dawnstar if it's secure but unusable, then it's not secure.

2025-05-15

@dawnstar Oh yeah I completely agree again. SMS, for all its flaws, really works *well* for consumers. App-based second factors with push notifications are a close second. It's less fiddly than TOTP, and passkeys are poorly communicated, complex and fragile.

I foresee passkeys really only being a success in enterprise, where they can control the whole flow more tightly and have on-call support and training.

And this is coming from someone who is heavily invested in passkeys here. But we can't be ignorant of passkeys' flaws, else how can we improve them? And today I don't see that happening.

2025-05-15

@pearofdoom Then use attestation and get YubiKeys, easy.

2025-05-15

@dawnstar within enterprise you can also guarantee everyone has a security key or a certain device type (e.g. Windows Hello). Not so much for consumers. So you're 100% on it here.

2025-05-15

@dawnstar I also wonder how much of that is developers from those vendors influencing study groups about how it works rather than seeing natural usage. But also, given they're all in the US, none of them have to deal with the "minute-long QR code passkey scan dance", and these vendors' devs will all be on a homogeneous ecosystem rather than a heterogeneous one, which introduces so many issues of its own.

2025-05-15

@dawnstar I wrote the webauthn library for Rust, I also did some user studies and yep, people aren't happy - even I'm frustrated. But vendors are pushing a different narrative, and I don't get why. Misreading of the data? Rose-tinted glasses? Biases of some kind? Something else?

2025-05-15

There seems to be a disconnect between how vendors feel about passkeys and how consumers feel about them so far. I feel like there needs to be more independent study on this as a lot of the marketing may be painting a rosier picture than is true.

Firstyear boosted:
2025-05-15

@jonathankoren @http_error_418 @fesshole I understand (mostly) how passkeys work and I don't use them because I don't want to lose access to my accounts.

It's a shit standard that promotes vendor lock-in...

It's best to stay away if you can, the only valid use case for it is if services allow keeping your old credentials and only using it for faster login when it can be faster. Otherwise it's soooo risky....

Firstyear boosted:
2025-05-15

@http_error_418 @fesshole I don’t like to use passkeys because I don’t understand how they work, and I think I’m going to get locked out of all of my accounts if I lose my phone or something.

I swear, all of computing is becoming very illegible.

Firstyear boosted:
Fesshole 🧻 (fesshole)
2025-05-15

I understand rationally why it's important, but every time two-factor authentication forces me to grab my phone when logging in I have to suppress a wave of rage and frustration.

Firstyear boosted:
2025-05-13

squirrel: *points gun*
me: what do you want me to do?
squirrel: *gestures at sign*
me: alright, i get it *opens book drop*
squirrel: *makes hurry-up motion*
me: NOT A SQUIRREL!
squirrel: *disappears into book drop*
me: *whispers* forgive me, keith

Sign on a library book drop requesting people to yell "NOT A SQUIRREL" to confirm they are human and not a squirrel trying to steal Keith's lunch.
