• 0 Posts
  • 11 Comments
Joined 2 years ago
Cake day: August 8th, 2023
  • 4am@lemm.eetoFediverse@lemmy.worldA "Sign in with fediverse" button?English
    1·
    2 hours ago

    If someone runs an auth server, and I use it to identify me, and then it goes away, then I’m out of luck, my account is gone. This is the same problem we have now (with logins being tied to instances), except that it introduces a new place for a failure to occur. Rather than just relying on a lemmy instance, I also need to rely on an auth server to be maintained, safe, and secure.

    If I went to another auth server, then it’d give me a different identity and that would not make much sense.

  • 4am@lemm.eetoFediverse@lemmy.worldA "Sign in with fediverse" button?English
    1·
    2 hours ago

    We can, passkeys are being adopted all over the web. If you specifically mean for Lemmy or fediverse services, it’s probably just a matter of adding support. It isn’t hard, per se, but it is important to get it right.

    You can store passkeys in a password manager like BitWarden and they become portable. Then it doesn’t matter if you have a centralized authentication server. You just get logged in with your passkey, supplied by your password manager.

  • 4am@lemm.eetoFediverse@lemmy.worldA "Sign in with fediverse" button?English
    5·
    2 hours ago

    So we should make a remote single point of failure, maintained by someone who probably isn’t a security expert or working on it full time?

    No, this is unfortunately the opposite of what we should be doing.

    EDIT: I should also add that people who make password managers literally focus on only that. They understand what they are making is a huge target and any of them worth their salt have independent audits and spend much of their time on design decisions related to security. Point being: typically the weakest link in a password manager is you. Set a good password, use a YubiKey or some other device, use 2FA, etc.