I've stopped using Firefox since the drama a while back... Using #ZenBrowser and #LibreWolf mainly on macOS and on #Android, #Ironfox and #Cromite (as an alt browser). But I'm having quite a lot of website functionality problems when using Ironfox. Can't create accounts, forms not working, can't use #webauthn, pages not loading correctly, checkouts or shopping sites broken, etc. I guess I need to have #Firefox still installed... It's annoying. What's your workaround? #browsers #androidbrowser

Why MFA is getting easer to bypass and what to do about it - An entire cottage industry has formed around phishing attacks that bypass ... - https://arstechnica.com/security/2025/05/phishing-attacks-that-defeat-mfa-are-easier-than-ever-so-what-are-we-to-do/ #multifactorauthentication #passwords #security #phishing #webauthn #biz⁢ #mfa

LemonLDAP::NG 2.21 is out!

This new release includes improvements on OpenID Connect and CAS protocols, Loki logger, public notifications and much more.

Read our release notes: https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-21-0-is-out/

@ow2 @worteks_com

Well this is quite the surprise! Passkeys in epic-stack, brought to you by SimpleWebAuthn

https://github.com/epicweb-dev/epic-stack/discussions/937

I can consider this a feather in my cap, no?

Putting the word out here that https://webauthn.io got a bit of an upgrade today:

• You can now specify hints during authentication, if you're so inclined
• There's a new /profile page for after authentication to help with page navigation via the browser

Poke around a bit and feel free to let me know if anything seems off

GitHub - yackermann/awesome-webauthn: A curated list of awesome WebAuthn and Passkey resources https://github.com/yackermann/awesome-webauthn #OpenSource #WebAuthn #resource #awesome #passkey #GitHub #list

Passkey advice (ncsc.gov.uk)

From https://www.ncsc.gov.uk/blog-post/passkeys-not-perfect-getting-better (highly condensed by me):
❝
What then are the remaining problems with passkeys?
Inconsistent support and experiences
Device loss scenarios
Migration issues
Account recovery processes
Platform differences
Implementation complexity
Inconsistent use
Uncertainty around multi-factor status
❞

I recently wrote about a number of Android an iOS/iPadOS vulnerabilities (including account lock-out risks) in https://infosec.exchange/@ErikvanStraten/113820358011090612 and a couple of follow-up toots.

People wanting to know the basics of passkeys can read a somewhat acceptable translation from Dutch to English of my writeup "Passkeys for laymen", which can be seen by opening https://www-security-nl.translate.goog/posting/798699/Passkeys+voor+leken?_x_tr_sl=nl&_x_tr_tl=en&_x_tr_hl=nl (which seems to work in Chrome). The original article, in Dutch, can be seen in https://www.security.nl/posting/798699/Passkeys+voor+leken.

A good source of (unbiased!) info is also Dan Goodin's article in https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/.

Finally: the problem with passwords starts with a 'p': it's PEOPLE. Use a password manager as I describe in https://infosec.exchange/@ErikvanStraten/113022180851761038 (with Android screenshot: https://infosec.exchange/@ErikvanStraten/113549056619471557).

SimpleWebAuthn v13.1.0 is out! Changes include addressing a DeprecationWarning in the console about a "punycode" module; and startRegistration() and startAuthentication() now warn about but try to handle calls made using the older API call structure seen in lots of existing tutorials (with a link to help explain how to refactor.)

https://github.com/MasterKale/SimpleWebAuthn/releases/tag/v13.1.0

Why do some services use passkeys as a 2nd factor, and not the *only* factor?

Makes no sense.

@arstechnica on the usability problems with #passkey tech:

https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/

CW: DHH is quoted in this article but it's just about #passkeys.

Heya TypeScript + WebAuthn fans, I just published v13 of SimpleWebAuthn! This one includes (opinionated) registration hints support, improved support for attestation trust anchors, and a surprise retirement of the types library (for baking-in the types instead into both the browser and server libraries.) Check out the release notes for more info!

https://github.com/MasterKale/SimpleWebAuthn/releases/tag/v13.0.0

so the internet agrees, that #ed25519 is the way to do signatures (see random 1st search hit https://www.scottbrady91.com/jose/jwts-which-signing-algorithm-should-i-use) and yet, neither webauthn.io nor #yubico demo-site, nor #github actually supports that algo.

Chrome 133* is the first #WebAuthn client to be all green!

https://featuredetect.passkeys.dev

#passkeys

(*with some flags enabled)

It took nearly three weeks of refactor and getting more comfortable with how Deno works, but I'm happy to announce that SimpleWebAuthn v12.0.0 is now also available to install from JSR

https://jsr.io/@simplewebauthn

Check out the CHANGELOG for more info:

https://github.com/MasterKale/SimpleWebAuthn/releases/tag/v12.0.0

Sweet, Windows 11 Preview Build 22635.4515 is out on Beta Channel with the new Windows Hello passkey provider APIs!

https://blogs.windows.com/windows-insider/2024/11/22/announcing-windows-11-insider-preview-build-22635-4515-beta-channel/

Hey, anyone wanna take this out for a spin and report back? It's just some types so nothing too fancy, but it's my first package published to JSR.io

https://jsr.io/@simplewebauthn/types@11.0.0-alpha1