Yes, and they don’t develop Firefox (legally can’t) since they made a for-profit entity for that purpose.
Bitrot
joined 1 year ago
The Mozilla Corporation does not accept donations.
Poorly written article with little substance but a zinger of a headline. Think they’re trying to take advantage of announcements of Intel and TPM security flaws in the past to get more clicks.
This is a UEFI firmware issue that can be patched by BIOS vendors. It is an issue at a very low level, but not an issue with Intel or the TPM.
The exploit is in the UEFI firmware code for handling the TPM and used for privilege escalation in that firmware, “TPM won’t save you” doesn’t really make sense because no shit. The vulnerability doesn’t mean the TPM unseals its contents though, and I’m curious if the exploit modifies the PCR values enough that OS security could trigger (Bitlocker recovery and whatever). Wouldn’t help if the malicious software was already there though.
It’s what happens when the driver swerves into the crossing arm pole to not hit the train in front of it.
This sort of story is what made me switch away from Google Fi and ultimately mostly degoogling. Privacy was a big part later on, but initially it was realizing that a YouTube comment or a file in my drive could get my cell service turned off.
That’s when Nintendo reaches out to CloudFlare instead.
In that case it does sound better, and many sites using passkeys still have you enter your username first anyway, at least at this point. I don’t know how Android implements it, I think iOS likely supports this use case and know that it also works as a second factor to a password through the same Passkey workflow. Unlike the Yubikey it always stores the key when you register though, even if it isn’t fully passwordless. Unfortunately what’s easy for the consumer will dominate.
Yes, but do you need to unlock your key to use it? Possession is not enough to access discoverable credentials.
You edited, but I don’t see this as significantly more secure than the Passkeys, and most keys are not the bio series (not that I trust fingerprint readers anyway).
Are your non-discoverable credentials also locked on the key, or can someone who knows your handle and possesses your key access your accounts? Online usernames are not well protected, I’d rather my key lock out after a few failed attempts to access it.
Passkeys are FIDO2. The issue is the tokens don’t have much storage for them. For passwordless vs use as a second factor, it has to store it instead of dynamically generating a response to a challenge. They are two features of the protocol.
Much of the complexity described here comes from the question “which password manager?”
Neither has its own extension repository, so maintaining support enables side loading but isn’t all that useful for normal people or those who want their extensions to be up to date.
Brave shields work better than the built-in protection in Vivaldi, so it’s less of an issue there but still frustrating.