#dailyrant
Good morning, US banks and other financial institutions that STILL don't offer #FIDO: please drop the #cybersecurity awareness emails and improve real security.
It's only my life savings, and no, your mobile app doesn't help.
If they're afraid of customer loss, it doesn't have to be mandatory for all accounts afaik, but I think in some countries FIDO for banking is mandatory. #joebiden
Mujtaba Haris
@mujtaba_haris
#Canada’s telecommunications provider, #Rogers, is down across the country & around 11.3 million users are facing no cell phone service, no internet, no customer service, & apparently some people can’t even call 911. Also impacting #Fido
Millions of people this morning went to 1994!
7:35 AM · Jul 8, 2022
-
@KiltedQueer Uh, whut?
I use a Yubico with Github all the time. Have done for at least a year, maybe 3.
If you want to push passwordless authentication using #FIDO / #FIDO2 / #WebAuthn, my recommendation is this:
Make user freedom, privacy, and open source the number 1 through 3 priorities.
Let people use Big Tech phones, rooted phones, Linux phones, old ThinkPads, YubiKeys, SoloKeys, software emulation, whatever. Do not collect or share more data than necessary. And support FOSS so that people can adapt the tools to suit them.
Seems like Firefox still hasn't completely implemented #FIDO CTAP2, which is a shame. You need that for strong passwordless #WebAuthn authentication, as well as for usernameless authentication. So we're stuck with CTAP1 (U2F) for the time being, which is only good as a second factor or as a weak replacement for a password. Hope that changes soon...
So I read this, and while it doesn't make #FIDO attestation sound like a tracking mechanism, I still see some problems with it:
* If one attestation certificate is shared among 100,000 people, there's still about 17 bits of identifying information. Possibly more if the FIDO Alliance is lying.
* It requires a centralised infrastructure of "trust".
Okay for banking, but it could be problematic for services where you need anonymity.