1. 17
  1. 1

    swaps out having a backup authenticator with backing up the private keys themselves.

    A private key which is backed up in a manner which is usable without using some other private key is no longer private.

    1. 2

      Yeah, my understanding of passkeys and webauthn is that the sync method is using the proprietary sync technology of the platform (iCloud, Google Account). To be honest, I don’t know enough about iCloud or Google Account syncing to say whether they use end-to-end encryption when they share secrets between devices. However, I’d be kinda if they did. All I do know is that Firefox Sync does proper end-to-end.

      It’s quite unfortunate that this isn’t well specified, but I can also understand that device vendors do not want to invent a secondary sync service when they already have something in operation. I also want to point out that this is an improvement over the status quo (syncing passwords between devices), due to the inherent phishing protections in WebAuthn. My experience with complicated systems says that you can only make so much progress and so many improvements without losing your people along the way. Small steps win :/

      1. 1

        All I do know is that Firefox Sync does proper end-to-end.

        My understanding is that it does not: passwords are encrypted with a key which is encrypted with a function of one’s Firefox Account password, and it is possible for Mozilla to steal your Firefox Account password when you login via their web pages.

        this is an improvement over the status quo (syncing passwords between devices), due to the inherent phishing protections in WebAuthn

        Of course, syncing passwords between devices and using browser plugins to insert them is also protected from phishing.

        But Firefox for Android forbids use of almost any plugin! Works fine in theory on desktops and laptops, though.