How on pureos do i get a “platform authenticator” that can handle webauthn “passkeys” and all the associated protocols?

dear fellow users of libre software and as-libre-as-feasible hardware,

[ note: this topic also deserves to be in the category “general: security & privacy”, but discourse does not seem to allow crossposting. ]

how on pureos do i get a “platform authenticator” that can handle webauthn “passkeys” and all the associated protocols? more and more entities are starting to use them. see for example this page at github:

there is an earlier discussion on this forum which did not go into how to actually do this in pureos:

for now, as my hardware does not support verifying the consent or presence of a particular human, i suppose my “platform authenticator” can just lie and say “i verified he’s here, really!”. but it needs to do this with the correct protocol.

how do others here do this?

long live libre software and hardware!

1 Like

Based on this resource below, it seems to be incompatible with Linux unless the passkey is created on an Android, iOS, or iPadOS device first.

Seems that

  1. Firefox on macOS finally supports passkeys in the latest releases of both of these

  2. Hopefully something will come to Firefox on Linux at some point, but as pointed out above that would probably depend on some lower-level platform support from GNOME, KDE, etc

  3. You might want to try Bitwarden – at least the browser extension seems to hijack my passkey login attempts (as well as my yubikey 2FA attempts) by default (can turn that off, or click a button to bypass Bitwarden), at least it does so in Firefox and Safari on macOS. Haven’t tried in Linux yet. Haven’t checked if Vaultwarden (self-hostable reimplementation of Bitwarden’s service) also supports passkeys or if it’s 100% dependent on the Bitwarden.com vaults.

Something that might help, perhaps, until the FLOSS platforms catch up?

1 Like

Not for me.

After trying out a bit more, Firefox only supports reading passkeys from icloud, it won’t register/save new ones.

Not sure about Bitwarden/Vaultwarden still.

1 Like

I just skimmed through the description of “passkeys” on GitHub, and as someone who is not familiar with the system it sounds like a lot of verbiage to say that they’re using standard RSA or other public/private encryption.

But, if they are using standard public/private key encryption, then why did they give it a new name and require it to be a new system? Why can I not simply log into GitHub using the SSH keys that are already registered to my account and that have permission to push code on my behalf?

GitHub is owned by Microsoft, so I am left wondering whether the end result answer to my “why” question here might be that it is in Microsoft’s best interest for people to think of an RSA login as independent from an SSH key or GPG key, so that Microsoft can push users into doing something or other that Microsoft wants users to do.

If you want free software systems to “catch up” with whatever GitHub/Microsoft wants, can you express to people why “passkeys” are something they would want that they don’t already have? Why doesn’t Microsoft simply fix their website so that I can log in with my existing SSH keys or GPG keys that they have on file? Why doesn’t Microsoft catch up with the concept of freedom?

2 Likes

Go contact them yourself and let us know what answers they respond with to your questions.

You might also want to look at Passkeys support?

Passkeys is pushed by the FIDO Alliance, of which Microsoft is one member. It makes sense for all Microsoft-owned platforms to move in the direction of using Passkeys. Given the industry weight behind it, I would assume that FOSS will need to support this.

I don’t think that the intention is malevolent but I think the end result could be bad. For this technology to be viable from the perspective of privacy, there will need to be hosting options that are independent of Big Tech or, in the extreme, self-hosting options.

All that aside though, if you don’t trust Microsoft (and who does?) then you should be migrating off GitHub. Simples. :wink:

1 Like

Hmm. So, I am on a Librem 5 at the moment. I logged into one of my old GitHub accounts. It asked me to set up 2 factor auth since they’re pushing that now, so I configured my Librem 5 authenticator solution for 2 factor auth TOTP keys. The TOTP keys are compatible with the principles of free software because Microsoft offered a back door into the system, whereby rather than using their QR code I can copy a key they generated out of the website into my own free software ecosystem, store the key in a secure place of my choice, and then run software of my choice to create corresponding TOTP keys that I can provide back to Microsoft.

However, sitting here on my Librem 5, I then tried the button on GitHub to do the Passkeys, for my own curiosity. Unfortunately, the non-free JavaScript embedded in GitHub web page printed out an error that they decided not to let me use Passkeys.

So, until GitHub is updated to support the principle of user freedom, meaning that they offer a system whereby I choose what application to use for providing my Passkeys independent of their non-free JavaScript, users of free software will presumably be locked out of the Passkeys due to its poor design as a system. Given the interaction I just had with GitHub, I cannot see this any other way.

This is one of those cases where free software cannot catch up because they are artificially blocking us with intention. I am even having this problem despite the fact that I am already allowing my device to run non-free JavaScript to have gotten this far, which is already contrary to the principles of free software.

So, even allowing myself to be partially a hypocrite, they are offering me no option to use Passkeys. We cannot design software to support a system that locks us out. So, free software cannot “catch up,” so to speak.

Perhaps if I connected to this non-free JavaScript using Mozilla Firefox or Google Chrome, the browser’s JavaScript function library would include some new function to allow interacting with the Passkeys database. But this encourages monolithic browsers and locking out users from connecting however they want and with whatever program they want.

Instead, I would imagine the proper design for Microsoft GitHub to have a secure public/private key based login would be for them to provide me with some challenge data or whatever that I could copy into my local security application, and a text box for me to enter proof of identity. Then I could sign the challenge data they provided with my locally known private key to prove my identity, and enter this signed proof of identity in the text box.

As a note, I am not a security researcher nor someone trained specifically in any advanced computer security, so my opinion may be misinformed or simply incorrect. But this is how the issue of Passkeys appears to me.

3 Likes
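The post above proposes a challenge-signing login, and the opening post asks what a platform authenticator has to say to claim "the user is here". The following Go program is an added example written for this thread (it is not code from the thread, from GitHub, or from any authenticator project) that models the WebAuthn assertion ceremony both questions are about: the site issues a random challenge, the authenticator signs `authenticatorData || SHA256(clientDataJSON)` with an ES256 (P-256) key, and the site checks challenge, origin, rpId hash, the user-presence flag and finally the signature. The hostnames `github.example` and `github-login.example` are made-up stand-ins. It goes one step beyond the plain "sign this challenge" design by showing why the browser-supplied origin matters: the same key signing the same challenge for a different origin is rejected, and a response without the user-presence bit set is rejected too.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Flag bits in the authenticator data "flags" byte (WebAuthn spec, section 6.1).
const (
	FlagUP byte = 0x01 // user present: the authenticator asserts it checked for a human
	FlagUV byte = 0x04 // user verified (PIN/biometric); not used in this demo
)

// Authenticator models a platform authenticator holding one credential.
// A real one keeps the key in a TPM or secure element; this toy keeps it in memory.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// RelyingParty is the website's side: the registered public key plus the
// rpId and origin it will accept. Hostnames here are constructed placeholders.
type RelyingParty struct {
	rpID, origin string
	pub          *ecdsa.PublicKey
}

// Assertion is what the authenticator returns for one login attempt.
type Assertion struct {
	ClientDataJSON, AuthData, Signature []byte
}

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Register creates a fresh ES256 credential and hands the public half to the site.
func Register(rpID, origin string) (*Authenticator, *RelyingParty) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}, &RelyingParty{rpID: rpID, origin: origin, pub: &priv.PublicKey}
}

// NewChallenge is the site's random nonce; it is what stops replay of an old assertion.
func NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// authData = SHA256(rpId) || flags || 32-bit big-endian signature counter (37 bytes).
func authData(rpID string, flags byte, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(append(h[:], flags), byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
}

// signedMessage is what both sides hash: SHA256(authData || SHA256(clientDataJSON)).
func signedMessage(ad, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, ad...), cdHash[:]...))
	return msg[:]
}

// GetAssertion is the authenticator's answer. The origin is filled in by the
// browser, not typed by the user, which is what binds the signature to the site
// actually being visited.
func (a *Authenticator) GetAssertion(rpID, origin, challenge string, flags byte) (Assertion, error) {
	cdJSON, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	a.counter++
	ad := authData(rpID, flags, a.counter)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(ad, cdJSON))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientDataJSON: cdJSON, AuthData: ad, Signature: sig}, nil
}

// Verify is the site's checklist; every structural check runs before the signature is examined.
func (rp *RelyingParty) Verify(challenge string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("wrong ceremony type")
	case cd.Challenge != challenge:
		return errors.New("challenge mismatch (replay or stale login)")
	case cd.Origin != rp.origin:
		return errors.New("origin mismatch (possible phishing site)")
	case len(as.AuthData) < 37:
		return errors.New("authenticator data too short")
	}
	want := sha256.Sum256([]byte(rp.rpID))
	if !bytes.Equal(as.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if as.AuthData[32]&FlagUP == 0 {
		return errors.New("user presence not asserted")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth, rp := Register("github.example", "https://github.example")
	ch := NewChallenge()
	ok, _ := auth.GetAssertion("github.example", "https://github.example", ch, FlagUP)
	fmt.Println("genuine login:", rp.Verify(ch, ok))
	phished, _ := auth.GetAssertion("github.example", "https://github-login.example", ch, FlagUP)
	fmt.Println("same key, wrong origin:", rp.Verify(ch, phished))
}
```

Two things the code makes visible. First, the user-presence bit is just a flag the authenticator sets; the site cannot check locally whether a human was really there, which is why deployments that care about it rely on attestation of the authenticator's make and model rather than on the flag alone. Second, the site never hands the user raw bytes to sign: the origin is injected by the browser, so a signature produced on a look-alike domain fails verification even though the key and challenge are identical.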

Since Github = MicSoft, I no longer use that platform.

3 Likes

I still access GitHub, but I have not made an account on it. Usually I migrate repositories or show off code snippets, which you may have seen already.

I was wrong. The Bitwarden extension was interfering with passkey functionality on localhost. Once I disabled that, Firefox was working fine to register and use passkeys.

Also the Vaultwarden server does not yet support passkeys, so it would be a no-go anyway.

Guess it’s up to the FLOSS platforms now to handle it at the platform level or some extensions to handle it on their own (yay fragmentation but that’s the way lol)

1 Like