Aurich Lawson | Getty Images

My recent feature on passkeys attracted significant interest, and a number of the 1,100-plus comments raised questions about how the passkey system actually works and if it can be trusted. In response, I've put together this list of frequently asked questions to dispel a few myths and shed some light on what we know, and don't know, about passkeys. This FAQ will be updated from time to time to answer additional questions of merit, so check back regularly. This author will not be monitoring or responding to comments going forward but can still be contacted through email.

Q: Why should I use passkeys?

A: If you don't use Google, then Google passkeys aren't for you. If you don't use Apple or Microsoft products, the situation is similar. The original article was aimed at the hundreds of millions of people who do use these major platforms (even if grudgingly). That said, passkey usage is quickly expanding beyond the major tech players. Within a month or two, for instance, 1Password and other third parties will support passkey syncing that will populate the credential to all your trusted devices. While Google is further along than any other service in allowing logins with passkeys, new services allow users to log in to their accounts with passkeys just about every week. In short order, you can use passkeys even if you don't trust Google, Apple, or Microsoft.

Q: I don't trust any company to sync my login credentials; I only keep them stored on my local devices. Why would I ever use passkeys?

A: Even if you don't trust any cloud service to sync your login credentials, the FIDO specs allow for something called single-device passkeys. As the name suggests, these passkeys work on a single device and aren't synced through any service. Single-device passkeys are typically created using a FIDO2 security key, such as a YubiKey. However, if you're syncing passwords through a browser, a password manager, iCloud Keychain, or one of the Microsoft or Google equivalents, be aware that you are already trusting a cloud service to sync your credentials. If you don't trust cloud services to sync passkeys, you shouldn't trust them to sync your passwords, either.

Q: It seems incredibly risky to sync passkeys. Why should I trust syncing from any service?

A: Currently, the FIDO specifications call for syncing with end-to-end encryption, which by definition means nothing other than one of the trusted end-user devices has access to the private key in unencrypted (that is, usable) form. The specs don't currently mandate a baseline for this E2EE. Apple's syncing mechanism, for instance, relies on the same end-to-end encryption that iCloud Keychain already uses for password syncing. Apple has documented the design of this service in great detail here, here, here, here, and here. Independent security experts have yet to report any discrepancies in Apple's claim that it lacks the means to unlock the credentials stored in the iCloud Keychain.

Q: iCloud is a fundamental security feature. The onus should be on the company claiming it's safe to prove said safety, not on others to disprove it.

A: As noted earlier, if you don't trust Apple or any other company offering syncing, consider using a single-site passkey. If you don't trust Apple or any other company offering syncing and you don't want to use a single-site passkey, passkeys aren't for you, and there's not much point reading future Ars articles on this topic. Just remember that if you don't trust iCloud et al. to sync your passkeys, you shouldn't trust them to sync passkeys or any other sensitive data.

Q: What about the other syncing services? Where's their documentation?

A: Google has documentation here. 1Password has documentation on the infrastructure that it uses to sync passwords (here and here). Again, if you already trust any cloud-based password syncing platform, it's a little late to ask for documentation now. There's little, if any, added risk to sync passkeys as well.

Q: Wasn't there a recent article about new macOS malware that could steal iCloud Keychain items?

A: This may be a reference to MacStealer, malware that was recently advertised in underground crime forums. There are no reports of MacStealer being used in the wild, and there's no confirmation that the malware even exists. We only know of ads claiming that such malware exists. That said, the ad hawking MacStealer says it's in early beta and comes in the form of a standard DMG file that must be manually installed on a Mac. The DMG file is not digitally signed, so it won't install unless an end user mucks around in the macOS security settings.
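The answer on syncing says that with end-to-end encryption only the user's trusted devices ever hold a passkey's private key in usable form, and that a site itself only ever stores the public key. The following Go program is an added example to make that model concrete; it is not code from the Ars article nor from Apple's, Google's or 1Password's implementations. A passkey is generated on a phone and used to sign a site's login challenge, the private key is wrapped under a key that only the user's enrolled devices can derive before it is uploaded, a second device unwraps it and logs in, and the sync provider, which holds nothing but the ciphertext, fails to unwrap it. The site names, the device secret, the challenge and the HMAC-based key derivation are all constructed for the demo; real services derive the wrapping key from device passcodes and hardware-backed escrow, and most passkeys use P-256 ECDSA rather than Ed25519.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Passkey is one credential: the private key exists only on the user's
// trusted devices, while the site keeps just the public key.
type Passkey struct {
	RPID string // the site the passkey was created for
	Priv ed25519.PrivateKey
}

// NewPasskey creates a key pair bound to one site. (Ed25519 is one of the
// algorithms WebAuthn allows; P-256 ECDSA is the more common choice.)
func NewPasskey(rpID string) (*Passkey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Passkey{RPID: rpID, Priv: priv}, nil
}

// Public is what the device hands to the site at registration.
func (p *Passkey) Public() ed25519.PublicKey {
	return p.Priv.Public().(ed25519.PublicKey)
}

// Assert is the device side of a login: sign the site's challenge. The site
// id is mixed in, so an assertion made for one site does not verify at another.
func (p *Passkey) Assert(challenge []byte) []byte {
	return ed25519.Sign(p.Priv, append([]byte(p.RPID+"|"), challenge...))
}

// VerifyAssertion is the site side; it needs only the public key.
func VerifyAssertion(pub ed25519.PublicKey, rpID string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, append([]byte(rpID+"|"), challenge...), sig)
}

// SyncBlob is everything an end-to-end-encrypted sync service stores.
type SyncBlob struct{ Nonce, Ciphertext []byte }

// aead builds AES-256-GCM under a key derived from a secret only the user's
// enrolled devices hold (HMAC-SHA256 of a constructed secret stands in here).
func aead(deviceSecret []byte) cipher.AEAD {
	kdf := hmac.New(sha256.New, deviceSecret)
	kdf.Write([]byte("passkey-sync-wrapping-key"))
	return must(cipher.NewGCM(must(aes.NewCipher(kdf.Sum(nil)))))
}

// Upload wraps the private key on the device before it leaves; the service
// receives ciphertext only. The site id is authenticated data (no relabelling).
func Upload(p *Passkey, deviceSecret []byte) (*SyncBlob, error) {
	gcm := aead(deviceSecret)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &SyncBlob{nonce, gcm.Seal(nil, nonce, p.Priv.Seed(), []byte(p.RPID))}, nil
}

// Download runs on another trusted device. Without the device secret (the
// provider's position) GCM authentication fails and no key comes out.
func Download(b *SyncBlob, rpID string, deviceSecret []byte) (*Passkey, error) {
	seed, err := aead(deviceSecret).Open(nil, b.Nonce, b.Ciphertext, []byte(rpID))
	if err != nil {
		return nil, err
	}
	return &Passkey{RPID: rpID, Priv: ed25519.NewKeyFromSeed(seed)}, nil
}

// must panics on errors that can only mean a programming mistake.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Demo: register on a phone, log in, sync to a laptop via E2EE, log in from
// the laptop, and show that the provider cannot unwrap the key.
func Demo() (phoneOK, laptopOK, providerCanRead bool) {
	userSecret := []byte("constructed secret shared by this user's devices")
	challenge := []byte("constructed challenge issued by example.test")
	phone := must(NewPasskey("example.test"))
	pub := phone.Public() // what the site stores
	phoneOK = VerifyAssertion(pub, "example.test", challenge, phone.Assert(challenge))
	blob := must(Upload(phone, userSecret))
	_, providerErr := Download(blob, "example.test", []byte("provider has no secret"))
	providerCanRead = providerErr == nil
	laptop := must(Download(blob, "example.test", userSecret))
	laptopOK = VerifyAssertion(pub, "example.test", challenge, laptop.Assert(challenge))
	return
}
```

The point the demo makes is the one the FAQ makes in prose: the service in the middle is a courier for ciphertext, and the only thing that turns a stored blob back into a usable key is a secret that never leaves the user's enrolled devices, so the question of trust reduces to whether that wrapping key is really derived and held client-side, which is exactly what the documentation the answers point to is meant to establish.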