#WindowsHello will soon offer users an option to sync their passkeys to their Microsoft account making them no longer device-bound
again, this changes the threat model for enterprises, if they care about such details. a device-bound passkey means the private key material exists no where else in the world. Cloud syncing of private keys is basically the same for TOTP private seeds -- those cloud providers, while encrypting the data at rest, do in fact have clear-text access to those secrets -- making them targets of social engineers, law enforcement, nation states and other hackers.
(only an end-to-end encryption cloud storage solution like Apple's Advanced Data Protection would protect synced passkeys)
HT jesterchen42 (npub1sml…np04)
https://blogs.windows.com/windowsdeveloper/2024/10/08/passkeys-on-windows-authenticate-seamlessly-with-passkey-providers/
#infosec #IAM #cybersecurity
christopher :rebel: /
npub1hu…evz3q
2024-10-09 09:53:21
in reply to nevent1q…z0fm
Author Public Key
npub1hu0ujc4n4xeg3k9p3575rn46ltppfvkd2g5vk7zy7exa6hf2cwvsuevz3qPublished at
2024-10-09 09:53:21Event JSON
{
"id": "c6b95ab9e783dd940710415e2df90d36a7dccc45c4e0b57a800f2fe3886f32c6",
"pubkey": "bf1fc962b3a9b288d8a18d3d41cebafac214b2cd5228cb7844f64ddd5d2ac399",
"created_at": 1728467601,
"kind": 1,
"tags": [
[
"p",
"bf1fc962b3a9b288d8a18d3d41cebafac214b2cd5228cb7844f64ddd5d2ac399"
],
[
"e",
"7961fb5248eb4cb2a56cfa76c04db36947468c9bc116e7cbb316906ca9dffced",
"",
"root",
"bf1fc962b3a9b288d8a18d3d41cebafac214b2cd5228cb7844f64ddd5d2ac399"
],
[
"p",
"86fe9ee508e1ade1756c82c421da2856eb8b41d57df2fe93a3dc73970083b663"
],
[
"t",
"infosec"
],
[
"t",
"iam"
],
[
"t",
"cybersecurity"
],
[
"t",
"windowshello"
],
[
"proxy",
"https://disobey.net/@yawnbox/113276852730058375",
"web"
],
[
"proxy",
"https://disobey.net/users/yawnbox/statuses/113276852730058375",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://disobey.net/users/yawnbox/statuses/113276852730058375",
"pink.momostr"
],
[
"-"
]
],
"content": "#WindowsHello will soon offer users an option to sync their passkeys to their Microsoft account making them no longer device-bound\n\nagain, this changes the threat model for enterprises, if they care about such details. a device-bound passkey means the private key material exists no where else in the world. Cloud syncing of private keys is basically the same for TOTP private seeds -- those cloud providers, while encrypting the data at rest, do in fact have clear-text access to those secrets -- making them targets of social engineers, law enforcement, nation states and other hackers.\n\n(only an end-to-end encryption cloud storage solution like Apple's Advanced Data Protection would protect synced passkeys)\n\nHT nostr:npub1smlfaegguxk7zatvstzzrk3g2m4cksw40he0ayarm3eewqyrke3spfnp04 \n\nhttps://blogs.windows.com/windowsdeveloper/2024/10/08/passkeys-on-windows-authenticate-seamlessly-with-passkey-providers/\n\n#infosec #IAM #cybersecurity",
"sig": "200fdf066ff6084d5d05c808fe4b2092252324c6991d1c983bfec2f36ffa7b6eed1005e50ba77c2527bb8250fc5dce6b94733197a47ad11cef1b18b7ef0242b5"
}