@zenbrowser Love to see it!
@zak @zenbrowser: a still unfixed vulnerability: if NOT using Touch ID, on some websites you may be able to sign in using a passkey WITHOUT authenticating locally, using biometrics or your passcode (screen unlock code).
This vulnerability also exists WITH Touch ID set up, provided that "Password Autofill" is disabled.
BTW this vulnerability also permits access to:
• https://icloud.com
• https://account.apple.com
(When asked to provide your fingerprint, tap the X at the top right and tap in the "Email" field one more time).
This is a HUGE risk for people who do not want to use biometrics: if a thief grabs their iPhone when unlocked, or watches them enter their passcode and later steals their iPhone, the thief can use ALL of the owner's passwords and some of their passkeys stored in the "Passwords" app (formerly known as iCloud Keychain).
This increases the risks of theft as shown by WSJ's Joanna Stern in https://youtube.com/watch?v=QUYODQB_2wQ.
In addition, a (grand)child or anyone else who (briefly) borrows your iPhone/iPad may have access to more of your cloud accounts than you're aware of.
Workaround if you don't want to use biometrics to unlock your iPhone/iPad (this does not fix any problem if a thief learns (or successfully guesses) your passcode (screen unlock PIN or password)):
• Set up Touch ID anyway, for example for your left pinky finger (if you're right-handed).
• Disable "iPhone Unlock" in "Touch ID and Passcode" (visible in the first screenshot).
• Use a safer password manager (such as KeePassium) than the Apple "Passwords" app (iCloud Keychain).
In any case:
• Make sure that "Password Autofill" (in Settings -> "Touch ID and Passcode") is set to ENABLED;
• When you enter your passcode in a public place (such as a bar, bus or train), make very sure that nobody gets to see you enter it.
@zenbrowser Sweet! Does this also mean not having to re-add Zen to 1Password to work around the “Firefox has an update available” problem?
@zenbrowser how do passkeys work from the user's perspective? Just plug in a USB key and it unlocks your accounts? Is it an extra step used with your passwords?
@hcal4 @zenbrowser They don't need to be a USB key, they are often stored in password managers as well. Most sites I've seen let you use them to log in without typing a username or password.
@hcal4 @zenbrowser It's intended to be another sign-in method, essentially an alternative to passwords using cryptography. You can use a USB key or you can use a password manager. I know 1Password and Bitwarden support passkeys, and it seems like Apple's Passwords app comes with support for it.
@zenbrowser I'm using passkeys already with #ZenBrowser. Want to elaborate on what's coming?
@ojocle_olonam I've been using Zen Browser for several months, but passkeys didn't work until now.
Do you have a beta installed?
@phpmacher no. Unless I am missing something or confusing some concepts. I use passkeys with several services and my provider is Proton Pass as an extension. I don't have a fingerprint sensor in my computer. I am assuming it is just a matter of having a provider, be it Windows Hello, Apple or, in my case, Proton Pass.
Am I misinterpreting something?
@ojocle_olonam yes, I think you are right.
Perhaps the fingerprinting is coming. And I love that.
@zenbrowser Do you mean Windows Hello for users on Windows and Touch ID for users on macOS? Passkey support already exists, via FIDO2 keys.
@zenbrowser but I've been using passkeys with Proton Pass for so long. What specifically is changing?
@sm32d @zenbrowser Presume this is a Mac thing? Looks like it can integrate with the Passwords app.
@Flaky @zenbrowser I hate that they never replied to anyone.
@zenbrowser Amazing! I can probably sunset Bitwarden. Thanks for your work with the browser, I think I finally found my fit. Great stuff! #ZenBrowser
@zenbrowser nice, although I will keep Bitwarden as it works across devices and browsers.