webauthn VS syncthing-android

These crop up every now and again but they never address my biggest concern, which how we (the users) can prevent abuse of https://w3c.github.io/webauthn/#attestation-object such that only those of us with approved devices are allowed to authenticate.

It's not hard to imagine Google and Apple and a few others finding ways to pressure authenticators into blocking access to users of devices that cannot prove that they're running firmware which bellyfeels ingsoc.

Sure, but why not preserve the option for people to use hardware keys?

Unfortunately, both the FIDO and WebAuthN working groups seem to be dead-set on making the hardware authenticator use case as painful as possible [1] [2] [3].

I just don't get it. Why even try to pretend that WebAuthN is a single API for both use cases when all stakeholders in charge seem to have given up on one of them?

[1] https://github.com/fido-alliance/how-to-fido/issues/16

[2] https://github.com/w3c/webauthn/issues/1612

[3] https://github.com/w3c/webauthn/issues/1822

I'm not trying to do callout posts or anything here, I know that the people involved are genuinely trying to do their best. I'm grateful that Bitwarden is involved with passkeys. But, for all of that gratitude, I still have to say: Bitwarden got a huge amount of attention for being the Open Source implementation of this, and Bitwarden and 1Password were both used as examples that shut down criticisms about portability, and lack of communication and clarity is a big part of how Bitwarden/1Password got used to spread what I would genuinely consider to be misinformation about the current state of the passkey ecosystem.

It's not just that export wasn't supported, it's that this giant limitation that was in many ways the reason why people were so excited about Open implementations in the first place was quietly left unsaid.

I really genuinely do appreciate the work everyone is doing. But at no point when Bitwarden was writing posts and releases about passkey support did anyone writing that stuff think, "people will think this means export is supported, we should clarify that."?

It's so hard not to look at this communication and not think that these kinds of details were deliberately omitted. I'm sure they weren't! I know that emotions are wrong and that everyone involved means the best. But crud, that is how it feels.

How many people who got excited about Bitwarden's implementation even know that they still can't export and import their passkeys? Maybe that'll be a fun surprise for them next time they try to do an import into a new account. Bitwarden's announcements didn't mention this limitation, and as a result no press coverage of Bitwarden mentioned this, and any casual observer who didn't know to go read the documentation and deliberately ask about it would come away from this coverage thinking that export was supported -- and in fact I would argue people did. People think the portability problem is solved because Bitwarden and 1Password exist.

Needing to double-check this kind of stuff, not having transparency or open conversations about any of it is part of the regular frustration of trying to learn about the passkey ecosystem. Very often when I talk to people in industry about passkeys, I will get answers that really sound like they are addressing people's concerns. And then you dig into them, and... they don't. But that's never communicated unless you do the research. So much of the advocacy is saying stuff that is technically true, but has huge unmentioned caveats or that doesn't actually when you dig into it address the concerns that people have or is using some weird definition that isn't what most people would use.

"Passkeys are portable now!"

"So I can export them?"

"Well, that depends on what your definition of portable is."

Bitwarden never technically said that it supported export, but I'm going to go out on a limb and say that a lot of casual observers reading about portability and sync and OS-independence think that Bitwarden does support export, and Bitwarden really isn't going out of its way to avoid that impression. I mean, props for having it in the user docs, that is better than 1Password. +1 for Open Source being more transparent than proprietary software, genuinely I appreciate it. But the only reason I know that Bitwarden doesn't currently support export... is because I knew that I couldn't assume it and I knew that I needed to check the docs. It's not something that's communicated in the announcement, it's not something that's communicated in the FAQ, it's not something that's communicated in any press coverage, it's not something that's communicated unless you know what to Google search.

----

> The best place to argue this “in the open” is by raising issues in the w3c/webauthn repo, or meetings, which is open.

Here are the open issues about portability: https://github.com/w3c/webauthn/issues?q=portability

Maybe I'm searching wrong? Here's migration: https://github.com/w3c/webauthn/issues?q=migration

What am I missing here? I apologize if there's some thread that I just haven't been able to find, but... if this is an open process, where is the conversation happening? I don't want to be a jerk about this; should I be showing up at w3c meetings and complaining about other meetings that aren't happening there? That doesn't seem helpful to anyone, I don't see how that would be productive. But if this is genuinely happening as part of the w3c/webauthn space, then where in that space are the conversations about portability and export? What issues should I be following?

Is the problem that nobody has raised an issue in that space? Because that's a very weird thing if true; I've been told for nearly a year that work is ongoing on migration/export. In all that time, none of that conversation ended up on the webauthn repo, the ostensibly official place for the spec to be discussed?

This just feels like a dismissal; if the webauthn repository is where these conversation should be happening, then why aren't they happening there? This isn't Bitwarden's fault, I'm speaking broadly to anyone involved in this process -- this is a multi-company process that has been happening for months and months and months and I would love to know where those industry-spanning conversations actually exist, so that I can stay up to date on what's going on without needing to search for crumbs of developer updates on Reddit, Mastodon, and Twitter.

I agree, FIDO and webauthn. As for implementing, here's the API GitHub link .

https://github.com/w3c/webauthn/issues/1667

If you're doing something like passwordless and usernameless, then your locally stored credential has an ID that was generated during registration. This is sent as part of the authentication request, and the relying party has a way of association which credential ID's are linked to which user accounts. The credential portion is talked about in section 5.1 of the https://w3c.github.io/webauthn docs.

> Apple's passkeys do not provide attestation

Apple has their own anonymous attestation format[1] that some (unclear which?) of their WebAuthn authenticators support.

In principle the relying party could use this to verify the authenticity of the authenticator back up to Apple's WebAuthn root CA[2]. In practice, I'm not sure if that attestation is included by default (or whether significant portions of users opt out of it, when prompted by their browser).

[1]: https://github.com/w3c/webauthn/pull/1491

[2]: https://www.apple.com/certificateauthority/Apple_WebAuthn_Ro...

There is a great comment thread in the WC3/WebAuthn Github Issues (January 2022) that was pre-publication of the Multi-Device FIDO white paper that prompted all the Passkey stuff (March 2022). https://github.com/w3c/webauthn/issues/1691 The OP of this issue is rightly pointing out that Passkey/MD FIDO is somewhat broken without enforcing the devicePubKey extension. The detractors in the thread are pointing out that it's not something they can enforce.

The idea of authenticator hardware is inherently hostile to DIY and open source because you cannot produce or extract a keypair to generate valid attestation statements. Unless you are part of the cartel of course.

https://w3c.github.io/webauthn/#attestation-statement

Given the Webauthn standard, there could be more than one answer to this question, so here is a list of relevant information:

I've got another one on topic of self-hosted file sharing:

- FileBrowser running in Docker (https://filebrowser.org/features)

- Syncthing running in another container (https://syncthing.net/)

Syncthing keeps the files on your PC, Mac, BSD systems updated, and FileBrowser can point to the share and supply a convenient web UI. It works for me, it's kind of like a local Dropbox-lite.

We use syncthing to share files between our machines. It avoids is having to use dropbox / OneDrive etc. You just choose a folder and it automatically syncs it in the background.

https://syncthing.net/

This very hn entries is bust contradicting your statement.

Also what about syncthing[1] (for recurrent/permanent sync) and croc[2] (for one time copies) ?

I have used both for a number of years already.

[1] https://syncthing.net/

[2] https://github.com/schollz/croc

I would use syncthing, which is open source at https://syncthing.net/.

After minimal setup, it just works(tm).

You have a normal directory in your filesystem, that is synced to the other peers (which you set up in the "minimal setup").

I have been using it for years, and it works well. It has no problems crossing os'es (i.e. windows -> linux, linux -> mac)

For windows I usually recommend https://github.com/canton7/SyncTrayzor, but vanilla syncthing works fine too (but don't try to mix them!)

Do consider Syncthing particularly if you are using Android. If using apple iOS you'd need the möbius sync client.

https://syncthing.net/

https://www.mobiussync.com/

One thing that it beats the cloud / centralized sync on is because the connection is direct between devices when the initial transfer is completed the file is completely there on the other device. With a cloud type of sync you do the transfer twice. I've seen stack up on large media or with the structure of cloud services pricing making it expensive depending on how your workflow is setup with inside and outside parties. For example, Dropbox deduction from all parties' storage limits not just the sharer.

You can also point Syncthing at a local sync of Dropbox or Google drive and then forward the files to other recipients from that for some purposes.

I think sync is a non-feature, as you can just ride on your existing solution.

For example, I use syncthing [1] with Obsidian to sync files off-cloud.

https://syncthing.net/

When I was 14 and just getting started, I used Notepad. Upgraded to Wordpad when I realized I loved putting italics in every other sentence, moved to Google Docs at around 25 when I started writing on my phone and wanted to sync with my computer, finally moved to Obsidian a few months ago (with Syncthing for syncing) when I decided I don't want to live in Google's house where they can burn my stuff down whenever they want.