• Passkeys

    From TimS@21:1/5 to All on Thu May 8 18:06:43 2025
    Do I have to enable iCloud in order to set a passkey? At the mo, iCloud
    remains unsetup and turned off, because like a lot of this stuff one doesn't know what it's actually doing. I'd prefer to keep things this way, but they seem to be stuffing passkeys down our throats. Which also would seem to be platform-dependent.

    --
    Tim

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Theo@21:1/5 to TimS on Thu May 8 22:12:04 2025
    TimS <[email protected]> wrote:
    Do I have to enable iCloud in order to set a passkey? At the mo, iCloud remains unsetup and turned off, because like a lot of this stuff one doesn't know what it's actually doing. I'd prefer to keep things this way, but they seem to be stuffing passkeys down our throats. Which also would seem to be platform-dependent.

    No, but.

    Passkeys are like SSH public-private keys but with some extra features:
    - a check that prevents you using a passkey for a site different to the one
    it was set up for, to prevent phishing
    - different ways to unlock the passkey which may include biometrics, potentially with a second device over Bluetooth. These are mostly optional.

    Now, SSH keys are just files on your disc and how to manage and sync them between machines is up to you. That's not really usable for regular users
    so passkeys add another layer on top, which is how to sync them between machines. This is where the trouble starts.

    Apple, Google, MS etc are dead keen that you use *their* passkey syncing solution, because it locks you into their ecosystem. eg Apple will not let
    you export passkeys from iCloud ever, which means that if you want to switch
    to Windows you have to set up every account again - this is a PITA which is extra friction for switching platforms.

    Complicating matters, some websites may only allow you to register one
    passkey - that's no good if you want to access the website from a Mac and an Android and iCloud holds your passkeys.

    However, many password managers support passkeys. That gives you a cross-platform way to sync passkeys and manage them, and you can choose a password manager that suits your needs. You would have to install the
    password manager into the browser(s) you want to use as I don't think you
    can cut and paste like you can passwords.

    The other issue is that many web sites have zero customer service (hello Google) and if you screw up your passkeys you might get locked out with no means to regain access to your account - email reset may be disabled in the name of security and there's no equivalent to 'show up at the police station with your passport' to bootstrap a reset procedure.

    Theo

  • From TimS@21:1/5 to All on Thu May 8 21:26:51 2025
    On 8 May 2025 at 22:12:04 BST, "Theo" <[email protected]> wrote:

    TimS <[email protected]> wrote:
    Do I have to enable iCloud in order to set a passkey? At the mo, iCloud
    remains unsetup and turned off, because like a lot of this stuff one doesn't know what it's actually doing. I'd prefer to keep things this way, but they seem to be stuffing passkeys down our throats. Which also would seem to be platform-dependent.

    No, but.

    Passkeys are like SSH public-private keys but with some extra features:
    - a check that prevents you using a passkey for a site different to the one it was set up for, to prevent phishing
    - different ways to unlock the passkey which may include biometrics, potentially with a second device over Bluetooth. These are mostly optional.

    Now, SSH keys are just files on your disc and how to manage and sync them between machines is up to you. That's not really usable for regular users
    so passkeys add another layer on top, which is how to sync them between machines. This is where the trouble starts.

    Apple, Google, MS etc are dead keen that you use *their* passkey syncing solution, because it locks you into their ecosystem. eg Apple will not let you export passkeys from iCloud ever, which means that if you want to switch to Windows you have to set up every account again - this is a PITA which is extra friction for switching platforms.

    Complicating matters, some websites may only allow you to register one passkey - that's no good if you want to access the website from a Mac and an Android and iCloud holds your passkeys.

    However, many password managers support passkeys. That gives you a cross-platform way to sync passkeys and manage them, and you can choose a password manager that suits your needs. You would have to install the password manager into the browser(s) you want to use as I don't think you
    can cut and paste like you can passwords.

    The other issue is that many web sites have zero customer service (hello Google) and if you screw up your passkeys you might get locked out with no means to regain access to your account - email reset may be disabled in the name of security and there's no equivalent to 'show up at the police station with your passport' to bootstrap a reset procedure.

    Thanks. All of which spells AVOID in large letters.


    --
    Tim

  • From Tyrone@21:1/5 to All on Thu May 8 22:00:04 2025
    On May 8, 2025 at 5:12:04 PM EDT, "Theo" <[email protected]> wrote:

    TimS <[email protected]> wrote:
    Do I have to enable iCloud in order to set a passkey? At the mo, iCloud
    remains unsetup and turned off, because like a lot of this stuff one doesn't know what it's actually doing. I'd prefer to keep things this way, but they seem to be stuffing passkeys down our throats. Which also would seem to be platform-dependent.

    No, but.

    Passkeys are like SSH public-private keys but with some extra features:
    - a check that prevents you using a passkey for a site different to the one it was set up for, to prevent phishing
    - different ways to unlock the passkey which may include biometrics, potentially with a second device over Bluetooth. These are mostly optional.

    Now, SSH keys are just files on your disc and how to manage and sync them between machines is up to you. That's not really usable for regular users
    so passkeys add another layer on top, which is how to sync them between machines. This is where the trouble starts.

    Apple, Google, MS etc are dead keen that you use *their* passkey syncing solution, because it locks you into their ecosystem. eg Apple will not let you export passkeys from iCloud ever, which means that if you want to switch to Windows you have to set up every account again - this is a PITA which is extra friction for switching platforms.

    Complicating matters, some websites may only allow you to register one passkey - that's no good if you want to access the website from a Mac and an Android and iCloud holds your passkeys.

    However, many password managers support passkeys. That gives you a cross-platform way to sync passkeys and manage them, and you can choose a password manager that suits your needs. You would have to install the password manager into the browser(s) you want to use as I don't think you
    can cut and paste like you can passwords.

    The other issue is that many web sites have zero customer service (hello Google) and if you screw up your passkeys you might get locked out with no means to regain access to your account - email reset may be disabled in the name of security and there's no equivalent to 'show up at the police station with your passport' to bootstrap a reset procedure.

    Theo

    All of which is why passkeys (and "password managers") are solutions looking for problems.

    Passwords work just fine. My current iCloud password is 19 characters. It looks random, but it all has meaning to ME and is easy for ME to remember. No need for an online "password manager".

    Same with my other passwords. All are at least 12 characters and look random.
    Good luck guessing them.

    If you are dumb enough to use something like "Drowssap-1234" then you deserve to be hacked. Get creative. There are all kinds of words/numbers in your personal life that can be used and when combined with special characters make a VERY strong password.

  • From Jörg Lorenz@21:1/5 to TimS on Fri May 9 06:44:34 2025
    On 08.05.25 23:26, TimS wrote:
    On 8 May 2025 at 22:12:04 BST, "Theo" <[email protected]> wrote:

    TimS <[email protected]> wrote:
    Do I have to enable iCloud in order to set a passkey? At the mo, iCloud
    remains unsetup and turned off, because like a lot of this stuff one doesn't
    know what it's actually doing. I'd prefer to keep things this way, but they seem to be stuffing passkeys down our throats. Which also would seem to be platform-dependent.

    No, but.

    Passkeys are like SSH public-private keys but with some extra features:
    - a check that prevents you using a passkey for a site different to the one it was set up for, to prevent phishing
    - different ways to unlock the passkey which may include biometrics,
    potentially with a second device over Bluetooth. These are mostly optional.

    Now, SSH keys are just files on your disc and how to manage and sync them
    between machines is up to you. That's not really usable for regular users so passkeys add another layer on top, which is how to sync them between
    machines. This is where the trouble starts.

    Apple, Google, MS etc are dead keen that you use *their* passkey syncing
    solution, because it locks you into their ecosystem. eg Apple will not let you export passkeys from iCloud ever, which means that if you want to switch to Windows you have to set up every account again - this is a PITA which is extra friction for switching platforms.

    Complicating matters, some websites may only allow you to register one
    passkey - that's no good if you want to access the website from a Mac and an Android and iCloud holds your passkeys.

    However, many password managers support passkeys. That gives you a
    cross-platform way to sync passkeys and manage them, and you can choose a
    password manager that suits your needs. You would have to install the
    password manager into the browser(s) you want to use as I don't think you
    can cut and paste like you can passwords.

    The other issue is that many web sites have zero customer service (hello
    Google) and if you screw up your passkeys you might get locked out with no means to regain access to your account - email reset may be disabled in the name of security and there's no equivalent to 'show up at the police station with your passport' to bootstrap a reset procedure.

    Thanks. All of which spells AVOID in large letters.

    +1; at almost all cost (what I do)


    --
    "Roma locuta, causa finita." (Augustinus)

  • From Jörg Lorenz@21:1/5 to Chris on Fri May 9 09:11:59 2025
    On 09.05.25 08:56, Chris wrote:
    Theo <[email protected]> wrote:
    However, many password managers support passkeys. That gives you a
    cross-platform way to sync passkeys and manage them, and you can choose a
    password manager that suits your needs. You would have to install the
    password manager into the browser(s) you want to use as I don't think you
    can cut and paste like you can passwords.

    The other issue is that many web sites have zero customer service (hello
    Google) and if you screw up your passkeys you might get locked out with no means to regain access to your account - email reset may be disabled in the name of security and there's no equivalent to 'show up at the police station with your passport' to bootstrap a reset procedure.

    Many thanks for this Theo. I have been wondering for a while what the benefits of passkeys are, especially over MFA and a strong password.

    Will continue to skip the requests and hope they don't become demands.

    They start to do so: Microsoft just announced to open new accounts only
    with passkeys in the future.


    --
    "Roma locuta, causa finita." (Augustinus)

  • From Jörg Lorenz@21:1/5 to All on Fri May 9 09:14:53 2025
    On 09.05.25 09:11, Jörg Lorenz wrote:
    They start to do so: Microsoft just announced to open new accounts only
    with passkeys in the future.

    https://www.theregister.com/2025/05/04/security_news_in_brief/

    --
    "Roma locuta, causa finita." (Augustinus)

  • From Theo@21:1/5 to Chris on Fri May 9 10:52:21 2025
    Chris <[email protected]> wrote:
    Many thanks for this Theo. I have been wondering for a while what the benefits of passkeys are, especially over MFA and a strong password.

    The main advantages are the phishing protection and the biometrics.

    The current trend nowadays is the 'evil proxy'. I send you a phishing email saying 'blah blah please [do something]' - let's say I copy a real email
    from a service like an email provider saying your mailbox is full. You
    aren't paying attention and click on the link in the email, which takes you
    to the phishing site.

    The phishing site sees your request and goes off to fetch the real website's login page, which it presents to you. Everything you do on the phishing
    site is mirrored at the real website - to all intents and purposes it *is*
    the real website, so the old cues like dodgy spelling or layout don't apply here.

    The only thing different is that the phishing site sees your password, your
    MFA code and your login cookie. Once they have the login cookie they are logged in as you and can do anything you can do.

    Passkeys prevent this because the system will never present a passkey for a site different to the one the passkey was set up for.

    In-browser password managers also do that, but if you aren't paying
    attention it's easy to override them, especially if you become habituated to manually searching the password manager for a login password rather than letting them lookup based on site URL (some sites don't play nicely with
    these matches). Fundamentally any site where you can cut and paste the password can be phished.

    It also means theft of password databases are no longer a problem. The site only holds the public keys of logged in users - no amount of cracking is
    going to be able to convert them to private keys that can be used on other sites.

    Biometrics are also helpful because they let you only unlock one key at a
    time, whereas password managers typically unlock once and then have access
    to all your passwords. It's more like signing into each bank app with your face/fingerprint and then locking when you close the app.

    Will continue to skip the requests and hope they don't become demands.

    I'd keep an eye on things until they settle down. Passkeys are a good thing IMHO, but the various kinks need to be worked out. In particular the
    various standards for syncing and support in places like password managers
    are not fully baked yet. Give it a bit of time and it may be clearer and hopefully also easier to understand.

    Theo
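
The site-binding check described in the post above, as an added example that is not part of the original thread: a simplified Node.js model of a passkey sign-in in which the browser, the authenticator and the website each apply their own check. The hostnames and all class and function names are constructed for illustration, and the browser's domain rule is reduced to a plain suffix match.

```javascript
// Added example, not from the thread: simplified model of the WebAuthn sign-in
// checks. Hostnames are constructed; real authenticator data carries more fields.
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
// What the browser asks the authenticator to sign: it names the origin on screen.
const clientData = (origin, challenge) => Buffer.from(JSON.stringify({
  type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));

// Authenticator: one private key per relying-party ID (rpId); keys never leave it.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(rpId, privateKey);
    return publicKey; // the only thing the website stores
  }
  sign(rpId, clientDataJSON) {
    const key = this.keys.get(rpId);
    if (!key) return null; // no passkey was ever set up for this rpId
    // authData = SHA-256(rpId) || flags (0x05: user present + verified) || signCount
    const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
    const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
    return { authData, clientDataJSON, signature: crypto.sign('sha256', signed, key) };
  }
}

// Browser: records the origin actually being displayed and refuses an rpId that
// is neither the page's host nor a parent domain of it (simplified rule).
function browserGetAssertion(pageOrigin, rpId, challenge, authenticator) {
  const host = new URL(pageOrigin).hostname;
  if (host !== rpId && !host.endsWith('.' + rpId)) {
    return { refused: 'rpid-not-valid-for-origin' };
  }
  return authenticator.sign(rpId, clientData(pageOrigin, challenge))
    || { refused: 'no-passkey-for-rpid' };
}

// Website (relying party): checks every signed field before trusting the login.
function verifyAssertion(a, { expectedOrigin, rpId, challenge, publicKey }) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad-type';
  if (client.challenge !== challenge.toString('base64url')) return 'bad-challenge';
  if (client.origin !== expectedOrigin) return 'bad-origin';
  if (!a.authData.subarray(0, 32).equals(sha256(rpId))) return 'bad-rpid-hash';
  if ((a.authData[32] & 0x01) === 0) return 'user-not-present';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad-signature';
}

function runScenarios() {
  const RP_ID = 'mail.example';                    // constructed real site
  const REAL = 'https://mail.example';
  const PROXY = 'https://mail-example.invalid';    // constructed look-alike
  const authenticator = new Authenticator();
  const publicKey = authenticator.register(RP_ID);
  const challenge = crypto.randomBytes(32);        // issued by the real site
  const expected = { expectedOrigin: REAL, rpId: RP_ID, challenge, publicKey };

  const login = (pageOrigin, requestedRpId) => {
    const a = browserGetAssertion(pageOrigin, requestedRpId, challenge, authenticator);
    return a.refused ? 'client: ' + a.refused : verifyAssertion(a, expected);
  };

  // A signature made for the look-alike origin, e.g. by a non-conforming client.
  const wrongOrigin = authenticator.sign(RP_ID, clientData(PROXY, challenge));
  // The same signature with the origin field rewritten afterwards.
  const rewritten = { ...wrongOrigin, clientDataJSON: clientData(REAL, challenge) };

  return {
    genuine: login(REAL, RP_ID),                           // normal sign-in
    proxyAsksRealRpId: login(PROXY, RP_ID),                // browser refuses
    proxyAsksOwnRpId: login(PROXY, 'mail-example.invalid'), // nothing to offer
    signedForProxyOrigin: verifyAssertion(wrongOrigin, expected),
    originRewritten: verifyAssertion(rewritten, expected),
  };
}

console.log(runScenarios());
```

Only the first scenario reaches `ok`; the other four are stopped at the browser, at the authenticator or at the website, which is why a mirrored login page gets nothing it can replay.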

  • From Jörg Lorenz@21:1/5 to Chris on Fri May 9 15:49:23 2025
    On 09.05.25 15:37, Chris wrote:
    Jörg Lorenz <[email protected]> wrote:
    On 09.05.25 09:11, Jörg Lorenz wrote:
    They start to do so: Microsoft just announced to open new accounts only
    with passkeys in the future.

    https://www.theregister.com/2025/05/04/security_news_in_brief/

    That's ok. The only MS account I have is through work, so it's their
    problem not mine.

    Google will follow and others too.


    --
    "Roma locuta, causa finita." (Augustinus)

  • From Jörg Lorenz@21:1/5 to Theo on Fri May 9 16:36:10 2025
    On 09.05.25 11:52, Theo wrote:
    I'd keep an eye on things until they settle down. Passkeys are a good thing IMHO, but the various kinks need to be worked out.

    They are another layer of dependency on big tech.


    --
    "Roma locuta, causa finita." (Augustinus)

  • From Theo@21:1/5 to [email protected] on Fri May 9 17:14:12 2025
    Jörg Lorenz <[email protected]> wrote:
    On 09.05.25 11:52, Theo wrote:
    I'd keep an eye on things until they settle down. Passkeys are a good thing
    IMHO, but the various kinks need to be worked out.

    They are another layer of dependency on big tech.

    They don't have to be. You can manage them yourselves, just like you can manage your SSH keys by hand. No doubt sooner or later someone is going to come up with a passkey manager that uses git as a syncing mechanism and 'everything is a file'.

    The problem is that most people can't cope with that, just like they can't
    cope with 400 passwords. With passwords many just take the easy approach
    and share passwords across sites. Passkeys enforce safer behaviour. The downside is they need more software to help them out, just like they need password managers today.

    There is no reason why you have to get that from big tech. Many people do,
    of course, but they don't have to.

    I suppose one difference is the passkey manager has to be on a computer, whereas a password manager could be on paper (which has pluses and minuses). But I bet many people with paper password management are not using strong enough passwords. I hope somebody will come up with a way to manage
    passkeys with similar transparency and ease of use as a paper system.

    Theo

  • From Theo@21:1/5 to Chris on Fri May 9 17:50:40 2025
    Chris <[email protected]> wrote:
    Theo <[email protected]> wrote:
    Chris <[email protected]> wrote:
    Many thanks for this Theo. I have been wondering for a while what the
    benefits of passkeys are, especially over MFA and a strong password.

    The main advantages are the phishing protection and the biometrics.

    The current trend nowadays is the 'evil proxy'. I send you a phishing email
    saying 'blah blah please [do something]' - let's say I copy a real email from a service like an email provider saying your mailbox is full. You aren't paying attention and click on the link in the email, which takes you to the phishing site.

    The phishing site sees your request and goes off to fetch the real website's
    login page, which it presents to you. Everything you do on the phishing site is mirrored at the real website - to all intents and purposes it *is* the real website, so the old cues like dodgy spelling or layout don't apply here.

    The only thing different is that the phishing site sees your password, your MFA code and your login cookie. Once they have the login cookie they are logged in as you and can do anything you can do.

    Passkeys prevent this because the system will never present a passkey for a site different to the one the passkey was set up for.

    So we should have been using ssh keys all along?

    Sorta. There are several problems with them:

    - SSH doesn't authenticate sites very well (ie anti phishing protection)
    It'll tell you whether it's seen the host before and if the key mismatches,
    but that's it. If it hasn't seen the host before you're supposed to
    confirm the host key out of band (which people don't do), and it'll happily
    let you offer a key to the wrong site.

    - Getting an authorised key set up at the other end requires some action to
    get it there. Too often you have to login with a password first, then
    ssh-copy-id, which means you have to have password auth enabled.

    - On the user side there's no help whatever with syncing between devices,
    you have to cook up some local solution. That's beyond ordinary users.

    - 2FA/biometrics is possible but a PITA (PC/SC smartcards and stuff) so in
    reality only enterprisey people use them. Yubikeys exist, but only crypto
    nerds have worked out how to use them (and big limitations eg max 25 keys)


    I tend to view SSH keys as an implementation of a kind of layer 2 in the
    auth stack (the 'physical layer' being the basic crypto I suppose), and passkeys come along and provide a similar layer 2 with a new layer 3 and
    maybe 4 on top for syncing etc. Passkeys layer 2 seems to be solid, but
    their layers 3 and 4 are still evolving.

    The nice thing though is that with passkeys being accepted by websites you
    can now begin to use them for real, even if you choose not to use the
    syncing features iCloud/etc provide. That means if you're the kind of
    person who wants to hand curate your passkey sync using UUCP then I think in theory you are allowed to do that.

    In particular a key thing is the website doesn't get to know how you are managing your passkeys so they don't get to say things like 'you are running this banking app on an Android phone with an aftermarket OS, we don't
    support that, you're in violation of the T&C and we've locked your account'. That's a very real risk where the websites are exposed to the auth process. With passkeys they don't get to see how you choose to sync at your end.

    Theo

  • From Ant@21:1/5 to [email protected] on Fri May 9 22:02:07 2025
    Jörg Lorenz <[email protected]> wrote:
    On 08.05.25 23:26, TimS wrote:
    On 8 May 2025 at 22:12:04 BST, "Theo" <[email protected]> wrote:

    TimS <[email protected]> wrote:
    Do I have to enable iCloud in order to set a passkey? At the mo, iCloud remains unsetup and turned off, because like a lot of this stuff one doesn't
    know what it's actually doing. I'd prefer to keep things this way, but they
    seem to be stuffing passkeys down our throats. Which also would seem to be
    platform-dependent.

    No, but.

    Passkeys are like SSH public-private keys but with some extra features:
    - a check that prevents you using a passkey for a site different to the one
    it was set up for, to prevent phishing
    - different ways to unlock the passkey which may include biometrics,
    potentially with a second device over Bluetooth. These are mostly optional.

    Now, SSH keys are just files on your disc and how to manage and sync them between machines is up to you. That's not really usable for regular users so passkeys add another layer on top, which is how to sync them between
    machines. This is where the trouble starts.

    Apple, Google, MS etc are dead keen that you use *their* passkey syncing solution, because it locks you into their ecosystem. eg Apple will not let
    you export passkeys from iCloud ever, which means that if you want to switch
    to Windows you have to set up every account again - this is a PITA which is
    extra friction for switching platforms.

    Complicating matters, some websites may only allow you to register one
    passkey - that's no good if you want to access the website from a Mac and an
    Android and iCloud holds your passkeys.

    However, many password managers support passkeys. That gives you a
    cross-platform way to sync passkeys and manage them, and you can choose a password manager that suits your needs. You would have to install the
    password manager into the browser(s) you want to use as I don't think you can cut and paste like you can passwords.

    The other issue is that many web sites have zero customer service (hello Google) and if you screw up your passkeys you might get locked out with no means to regain access to your account - email reset may be disabled in the
    name of security and there's no equivalent to 'show up at the police station
    with your passport' to bootstrap a reset procedure.

    Thanks. All of which spells AVOID in large letters.

    +1; at almost all cost (what I do)

    +1!
    --
    "He who heeds discipline shows the way to life, but whoever ignores correction leads others astray." --Proverbs 10:17. TGIF even tho hot?
    Note: A fixed width font (Courier, Monospace, etc.) is required to see this signature correctly.
    /\___/\ Ant(Dude) @ http://aqfl.net & http://antfarm.home.dhs.org.
    / /\ /\ \ Please nuke ANT if replying by e-mail.
    | |o o| |
    \ _ /
    ( )

  • From Alan B@21:1/5 to Theo on Sat May 10 09:39:11 2025
    On 2025-05-09, Theo <[email protected]> wrote:
    Jörg Lorenz <[email protected]> wrote:
    On 09.05.25 11:52, Theo wrote:
    I'd keep an eye on things until they settle down. Passkeys are a good thing
    IMHO, but the various kinks need to be worked out.

    They are another layer of dependency on big tech.

    They don't have to be. You can manage them yourselves, just like you can manage your SSH keys by hand. No doubt sooner or later someone is going to come up with a passkey manager that uses git as a syncing mechanism and 'everything is a file'.

    The problem is that most people can't cope with that, just like they can't cope with 400 passwords. With passwords many just take the easy approach
    and share passwords across sites.

    Good point! I'm currently reviewing all my passwords and found that I've fallen into that trap a few times but have now made appropriate changes using 'strong' passwords.

    --
    Cheers, Alan

  • From Theo@21:1/5 to Chris on Sat May 10 10:47:17 2025
    Chris <[email protected]> wrote:
    What's the situation if someone dies but they want people to still have access?

    I have shared my pw manager master password with a trusted person who has
    it in their pw manager, so at least all is not lost.

    It reads like passkeys are more restrictive.

    If you use a password manager to store your passkeys, in theory exactly the same. If they have chosen to use a biometric to unlock individual keys then maybe you can't unlock them, but that's a choice they make when setting them up. You don't have to use biometrics if you don't want to, although some workflows will try to corral you into doing so.

    If you let iCloud/Google/MS store your passkeys then it's down to their own access/recovery procedures - I'm not familiar with those.

    Theo

  • From TimS@21:1/5 to All on Sat May 10 10:50:35 2025
    On 10 May 2025 at 10:47:17 BST, "Theo" <[email protected]> wrote:

    Chris <[email protected]> wrote:
    What's the situation if someone dies but they want people to still have
    access?

    I have shared my pw manager master password with a trusted person who has
    it in their pw manager, so at least all is not lost.

    It reads like passkeys are more restrictive.

    If you use a password manager to store your passkeys, in theory exactly the same. If they have chosen to use a biometric to unlock individual keys then maybe you can't unlock them, but that's a choice they make when setting them up. You don't have to use biometrics if you don't want to, although some workflows will try to corral you into doing so.

    If you let iCloud/Google/MS store your passkeys then it's down to their own access/recovery procedures - I'm not familiar with those.

    When I first had an iPhone 6S, I enabled the fingerprint stuff for unlocking, but it was so unreliable that I scrapped that and went back to using a passcode. But perhaps it's better now.

    --
    Tim

  • From Alan B@21:1/5 to TimS on Sat May 10 11:58:25 2025
    TimS <[email protected]> wrote:
    On 10 May 2025 at 10:47:17 BST, "Theo" <[email protected]> wrote:

    Chris <[email protected]> wrote:
    What's the situation if someone dies but they want people to still have
    access?

    I have shared my pw manager master password with a trusted person who has it in their pw manager, so at least all is not lost.

    It reads like passkeys are more restrictive.

    If you use a password manager to store your passkeys, in theory exactly the same. If they have chosen to use a biometric to unlock individual keys then maybe you can't unlock them, but that's a choice they make when setting them up. You don't have to use biometrics if you don't want to, although some
    workflows will try to corral you into doing so.

    If you let iCloud/Google/MS store your passkeys then it's down to their own access/recovery procedures - I'm not familiar with those.

    When I first had an iPhone 6S, I enabled the fingerprint stuff for unlocking, but it was so unreliable that I scrapped that and went back to using a passcode. But perhaps it's better now.

    I’ve never had a problem with fingerprints especially if you setup more
    than one. Now using Face ID on my iPhone 16e again with no problem as long
    as you look straight at the device.

    --
    Cheers, Alan

  • From Jörg Lorenz@21:1/5 to TimS on Sat May 10 15:26:40 2025
    On 10.05.25 12:50, TimS wrote:
    On 10 May 2025 at 10:47:17 BST, "Theo" <[email protected]> wrote:

    Chris <[email protected]> wrote:
    What's the situation if someone dies but they want people to still have
    access?

    I have shared my pw manager master password with a trusted person who has it in their pw manager, so at least all is not lost.

    It reads like passkeys are more restrictive.

    If you use a password manager to store your passkeys, in theory exactly the same. If they have chosen to use a biometric to unlock individual keys then maybe you can't unlock them, but that's a choice they make when setting them up. You don't have to use biometrics if you don't want to, although some
    workflows will try to corral you into doing so.

    If you let iCloud/Google/MS store your passkeys then it's down to their own access/recovery procedures - I'm not familiar with those.

    When I first had an iPhone 6S, I enabled the fingerprint stuff for unlocking, but it was so unreliable that I scrapped that and went back to using a passcode. But perhaps it's better now.

    First of all: The more senior people become the weaker the fingerprints.
    The solution I used was to store two finger prints of the same finger.
    Then it is foolproof.


    --
    "Roma locuta, causa finita." (Augustinus)

  • From John Hill@21:1/5 to [email protected] on Sun May 11 07:43:53 2025
    On 10 May 2025 at 14:26:40 BST, "Jörg Lorenz" <[email protected]> wrote:

    On 10.05.25 12:50, TimS wrote:
    On 10 May 2025 at 10:47:17 BST, "Theo" <[email protected]> wrote:

    Chris <[email protected]> wrote:
    What's the situation if someone dies but they want people to still have access?

    I have shared my pw manager master password with a trusted person who has it in their pw manager, so at least all is not lost.

    It reads like passkeys are more restrictive.

    If you use a password manager to store your passkeys, in theory exactly the same. If they have chosen to use a biometric to unlock individual keys then
    maybe you can't unlock them, but that's a choice they make when setting them
    up. You don't have to use biometrics if you don't want to, although some >>> workflows will try to corral you into doing so.

    If you let iCloud/Google/MS store your passkeys then it's down to their own >>> access/recovery procedures - I'm not familiar with those.

    When I first had an iPhone 6S, I enabled the fingerprint stuff for unlocking,
    but it was so unreliable that I scrapped that and went back to using a
    passcode. But perhaps it's better now.

    First of all: The more senior people become the weaker the fingerprints.
    The solution I used was to store two finger prints of the same finger.
    Then it is foolproof.

    Agree. I never could get TouchID to work satisfactorily on my iPhone. Neither could Anne.
    It seems to be better on the iMac as long as I hit the sweet spot.
    FaceID OTOH works perfectly on my iPhone 11 and my iPad 11.
    I wonder why FaceID isn't available on the iMac?

    Old John.
    --
    Classic computing: Computers do what you tell them to do,
    not what you want them to do.
    Modern computing: Computers do what they want to do,
    no matter what you tell them to do.

  • From Alan B@21:1/5 to John Hill on Sun May 11 07:55:40 2025
    On 2025-05-11, John Hill <[email protected]> wrote:
    On 10 May 2025 at 14:26:40 BST, "Jörg Lorenz" <[email protected]> wrote:

    First of all: The more senior people become the weaker the fingerprints.
    The solution I used was to store two finger prints of the same finger.
    Then it is foolproof.

    Agree. I never could get TouchID to work satisfactorily on my iPhone. Neither could Anne.
    It seems to be better on the iMac as long as I hit the sweet spot.
    FaceID OTOH works perfectly on my iPhone 11 and my iPad 11.
    I wonder why FaceID isn't available on the iMac?

    Or MacBooks Pro & Air or any monitor which has a built-in camera?

    --
    Cheers, Alan

  • From Jörg Lorenz@21:1/5 to Alan B on Sun May 11 10:01:47 2025
    On 11.05.25 09:55, Alan B wrote:
    On 2025-05-11, John Hill <[email protected]> wrote:
    On 10 May 2025 at 14:26:40 BST, "Jörg Lorenz" <[email protected]> wrote:

    First of all: The more senior people become the weaker the fingerprints. The solution I used was to store two finger prints of the same finger.
    Then it is foolproof.

    Agree. I never could get TouchID to work satisfactorily on my iPhone. Neither
    could Anne.
    It seems to be better on the iMac as long as I hit the sweet spot.
    FaceID OTOH works perfectly on my iPhone 11 and my iPad 11.
    I wonder why FaceID isn't available on the iMac?

    Or MacBooks Pro & Air or any monitor which has a built-in camera?

    Cameras work only when logged in.

    --
    "Roma locuta, causa finita." (Augustinus)

  • From TimS@21:1/5 to All on Sun May 11 09:05:21 2025
    On 11 May 2025 at 08:55:40 BST, "Alan B" <[email protected]d> wrote:

    On 2025-05-11, John Hill <[email protected]> wrote:
    On 10 May 2025 at 14:26:40 BST, "Jörg Lorenz" <[email protected]> wrote:

    First of all: The more senior people become the weaker the fingerprints. The solution I used was to store two finger prints of the same finger.
    Then it is foolproof.

    Agree. I never could get TouchID to work satisfactorily on my iPhone. Neither
    could Anne.
    It seems to be better on the iMac as long as I hit the sweet spot.
    FaceID OTOH works perfectly on my iPhone 11 and my iPad 11.
    I wonder why FaceID isn't available on the iMac?

    Or MacBooks Pro & Air or any monitor which has a built-in camera?

    No camera on my Minis here. And that's the way I'll keep it. We have an Air
    for any Zoom/Teams shit.

    --
    Tim

  • From Alan B@21:1/5 to TimS on Sun May 11 09:11:10 2025
    On 2025-05-11, TimS <[email protected]> wrote:

    [...] any Zoom/Teams shit.

    Well that's something we can agree on ;-)

    --
    Cheers, Alan

  • From Jörg Lorenz@21:1/5 to Alan B on Sun May 11 13:28:55 2025
    On 11.05.25 11:11, Alan B wrote:
    On 2025-05-11, TimS <[email protected]> wrote:

    [...] any Zoom/Teams shit.

    Well that's something we can agree on ;-)

    That's why I use Facetime. *SCNR*

    --
    "Roma locuta, causa finita." (Augustinus)

  • From Chris Ridd@21:1/5 to Theo on Sun May 11 13:29:51 2025
    On 09/05/2025 17:50, Theo wrote:
    - 2FA/biometrics is possible but a PITA (PC/SC smartcards and stuff) so in
    reality only enterprisey people use them. Yubikeys exist, but only crypto
    nerds have worked out how to use them (and big limitations eg max 25 keys)

    Indeed, Yubikeys can work with SSH but they are quite a fiddle to set
    up. Irritatingly, Apple's openssh client build doesn't support them -
    the solution for that is (in MacPorts) to build it with fido2 support:

    port install openssh+fido2

    Yubikeys are a bit of a faff as well, at the very least you need to
    remember to bring it with you all the time.

    The open source Secretive app has a nice UI and lets you generate keys
    in the Mac's secure enclave, and to use touch ID. You end up with
    host-specific SSH keys, but that seems pretty OK to me.

    --
    Chris

  • From Andy H@21:1/5 to John Hill on Mon May 12 04:57:47 2025
    John Hill <[email protected]> wrote:
    On 10 May 2025 at 14:26:40 BST, "Jörg Lorenz" <[email protected]> wrote:

    On 10.05.25 12:50, TimS wrote:
    On 10 May 2025 at 10:47:17 BST, "Theo" <[email protected]> wrote:

    Chris <[email protected]> wrote:
    What's the situation if someone dies but they want people to still have access?

    I have shared my pw manager master password with a trusted person who has it in their pw manager, so at least all is not lost.

    It reads like passkeys are more restrictive.

    If you use a password manager to store your passkeys, in theory exactly the
    same. If they have chosen to use a biometric to unlock individual keys then
    maybe you can't unlock them, but that's a choice they make when setting them
    up. You don't have to use biometrics if you don't want to, although some workflows will try to corral you into doing so.

    If you let iCloud/Google/MS store your passkeys then it's down to their own
    access/recovery procedures - I'm not familiar with those.

    When I first had an iPhone 6S, I enabled the fingerprint stuff for unlocking,
    but it was so unreliable that I scrapped that and went back to using a
    passcode. But perhaps it's better now.

    First of all: The more senior people become the weaker the fingerprints.
    The solution I used was to store two finger prints of the same finger.
    Then it is foolproof.

    Agree. I never could get TouchID to work satisfactorily on my iPhone. Neither could Anne.
    It seems to be better on the iMac as long as I hit the sweet spot.
    FaceID OTOH works perfectly on my iPhone 11 and my iPad 11.
    I wonder why FaceID isn't available on the iMac?

    Old John.

    Because it’s not the camera that does the FaceID stuff, there’s a different sensor for that. It actually scans your face profile using multiple points,
    and is not based on a photo.

    --
    Andy H

  • From RJH@21:1/5 to John Hill on Mon May 12 06:55:01 2025
    On 11 May 2025 at 08:43:53 BST, John Hill wrote:

    When I first had an iPhone 6S, I enabled the fingerprint stuff for unlocking,
    but it was so unreliable that I scrapped that and went back to using a
    passcode. But perhaps it's better now.

    First of all: The more senior people become the weaker the fingerprints.
    The solution I used was to store two finger prints of the same finger.
    Then it is foolproof.

    Agree. I never could get TouchID to work satisfactorily on my iPhone. Neither could Anne.
    It seems to be better on the iMac as long as I hit the sweet spot.
    FaceID OTOH works perfectly on my iPhone 11 and my iPad 11.
    I wonder why FaceID isn't available on the iMac?

    Face ID is suspiciously reliable for me - clean shaven or full beard, glasses or not, eyes open or closed. Just works, and I've never knowingly calibrated
    it for some years.

    Touch ID works until I do anything like gardening or DIY.
    --
    Cheers, Rob, Sheffield UK

  • From Alan B@21:1/5 to Chris on Mon May 12 06:57:47 2025
    Chris <[email protected]> wrote:
    Andy H <[email protected]> wrote:
    John Hill <[email protected]> wrote:
    On 10 May 2025 at 14:26:40 BST, "Jörg Lorenz" <[email protected]> wrote:
    On 10.05.25 12:50, TimS wrote:
    On 10 May 2025 at 10:47:17 BST, "Theo" <[email protected]>
    wrote:

    Chris <[email protected]> wrote:
    What's the situation if someone dies but they want people to still have access?

    I have shared my pw manager master password with a trusted person who has
    it in their pw manager, so at least all is not lost.

    It reads like passkeys are more restrictive.

    If you use a password manager to store your passkeys, in theory exactly the
    same. If they have chosen to use a biometric to unlock individual keys then
    maybe you can't unlock them, but that's a choice they make when setting them
    up. You don't have to use biometrics if you don't want to, although some
    workflows will try to corral you into doing so.

    If you let iCloud/Google/MS store your passkeys then it's down to their own
    access/recovery procedures - I'm not familiar with those.

    When I first had an iPhone 6S, I enabled the fingerprint stuff for unlocking,
    but it was so unreliable that I scrapped that and went back to using a passcode. But perhaps it's better now.

    First of all: The more senior people become the weaker the fingerprints. The solution I used was to store two finger prints of the same finger. Then it is foolproof.

    Agree. I never could get TouchID to work satisfactorily on my iPhone. Neither
    could Anne.
    It seems to be better on the iMac as long as I hit the sweet spot.
    FaceID OTOH works perfectly on my iPhone 11 and my iPad 11.
    I wonder why FaceID isn't available on the iMac?

    Old John.

    Because it’s not the camera that does the FaceID stuff, there’s a different
    sensor for that. It actually scans your face profile using multiple points, and is not based on a photo.

    Are you sure about that? Yes, FaceID needs a second device, but it is an IR projector to project a special pattern on your face. The pattern is then
    read by the usual camera for matching via the neural engine.

    It’s all down to the use of a TrueDepth camera system as explained in this article.

    <https://support.apple.com/en-gb/102381>

    --
    Cheers, Alan

  • From Jörg Lorenz@21:1/5 to Alan B on Mon May 12 10:34:37 2025
    On 12.05.25 09:41, Alan B wrote:
    On 2025-05-12, RJH <[email protected]> wrote:
    On 11 May 2025 at 08:43:53 BST, John Hill wrote:

    When I first had an iPhone 6S, I enabled the fingerprint stuff for unlocking,
    but it was so unreliable that I scrapped that and went back to using a passcode. But perhaps it's better now.

    First of all: The more senior people become the weaker the fingerprints. The solution I used was to store two finger prints of the same finger. Then it is foolproof.

    Agree. I never could get TouchID to work satisfactorily on my iPhone. Neither
    could Anne.
    It seems to be better on the iMac as long as I hit the sweet spot.
    FaceID OTOH works perfectly on my iPhone 11 and my iPad 11.
    I wonder why FaceID isn't available on the iMac?

    Face ID is suspiciously reliable for me - clean shaven or full beard, glasses
    or not, eyes open or closed. Just works, and I've never knowingly calibrated it for some years.

    Touch ID works until I do anything like gardening or DIY.

    Even a slightly damp finger seems to upset it here!

    Again: Register the finger you use to log into your device twice. That increases the recognition rate by factors.


    --
    "Roma locuta, causa finita." (Augustinus)

  • From Alan B@21:1/5 to [email protected] on Mon May 12 09:06:56 2025
    On 2025-05-12, Jörg Lorenz <[email protected]> wrote:
    On 12.05.25 09:41, Alan B wrote:
    On 2025-05-12, RJH <[email protected]> wrote:
    On 11 May 2025 at 08:43:53 BST, John Hill wrote:

    When I first had an iPhone 6S, I enabled the fingerprint stuff for unlocking,
    but it was so unreliable that I scrapped that and went back to using a passcode. But perhaps it's better now.

    First of all: The more senior people become the weaker the fingerprints. The solution I used was to store two finger prints of the same finger. Then it is foolproof.

    Agree. I never could get TouchID to work satisfactorily on my iPhone. Neither
    could Anne.
    It seems to be better on the iMac as long as I hit the sweet spot.
    FaceID OTOH works perfectly on my iPhone 11 and my iPad 11.
    I wonder why FaceID isn't available on the iMac?

    Face ID is suspiciously reliable for me - clean shaven or full beard, glasses
    or not, eyes open or closed. Just works, and I've never knowingly calibrated
    it for some years.

    Touch ID works until I do anything like gardening or DIY.

    Even a slightly damp finger seems to upset it here!

    Again: Register the finger you use to log into your device twice. That increases the recognition rate by factors.

    Actually I did that some time ago but I've now set up a different finger in addition.

    --
    Cheers, Alan

  • From Andy H@21:1/5 to Alan B on Mon May 12 16:31:53 2025
    Alan B <[email protected]d> wrote:
    Chris <[email protected]> wrote:
    Andy H <[email protected]> wrote:
    John Hill <[email protected]> wrote:
    On 10 May 2025 at 14:26:40 BST, "Jörg Lorenz" <[email protected]> wrote:
    On 10.05.25 12:50, TimS wrote:
    On 10 May 2025 at 10:47:17 BST, "Theo" <[email protected]>
    wrote:

    Chris <[email protected]> wrote:
    What's the situation if someone dies but they want people to still have
    access?

    I have shared my pw manager master password with a trusted person who has
    it in their pw manager, so at least all is not lost.

    It reads like passkeys are more restrictive.

    If you use a password manager to store your passkeys, in theory exactly the
    same. If they have chosen to use a biometric to unlock individual keys then
    maybe you can't unlock them, but that's a choice they make when setting them
    up. You don't have to use biometrics if you don't want to, although some
    workflows will try to corral you into doing so.

    If you let iCloud/Google/MS store your passkeys then it's down to their own
    access/recovery procedures - I'm not familiar with those.

    When I first had an iPhone 6S, I enabled the fingerprint stuff for unlocking,
    but it was so unreliable that I scrapped that and went back to using a passcode. But perhaps it's better now.

    First of all: The more senior people become the weaker the fingerprints. The solution I used was to store two finger prints of the same finger. Then it is foolproof.

    Agree. I never could get TouchID to work satisfactorily on my iPhone. Neither
    could Anne.
    It seems to be better on the iMac as long as I hit the sweet spot.
    FaceID OTOH works perfectly on my iPhone 11 and my iPad 11.
    I wonder why FaceID isn't available on the iMac?

    Old John.

    Because it’s not the camera that does the FaceID stuff, there’s a different
    sensor for that. It actually scans your face profile using multiple points, and is not based on a photo.

    Are you sure about that? Yes, FaceID needs a second device, but it is an IR projector to project a special pattern on your face. The pattern is then
    read by the usual camera for matching via the neural engine.

    It’s all down to the use of a TrueDepth camera system as explained in this article.

    <https://support.apple.com/en-gb/102381>

    So yes, I probably should have said it’s not just the normal webcam/front/selfie camera. It does a lot more than just analyse an image.
    It does actually analyse your face.

    Other devices can be unlocked by an iPhone that has been unlocked with
    FaceID, so it’s probably not actually necessary (or at least an urgent
    need).

    Indeed, I now have an Apple Watch (7), and I can unlock and authorise all
    sorts of stuff with that too (via its security links with my iPhone).

    --
    Andy H

  • From Alan B@21:1/5 to RJH on Mon May 12 07:41:26 2025
    On 2025-05-12, RJH <[email protected]> wrote:
    On 11 May 2025 at 08:43:53 BST, John Hill wrote:

    When I first had an iPhone 6S, I enabled the fingerprint stuff for unlocking,
    but it was so unreliable that I scrapped that and went back to using a passcode. But perhaps it's better now.

    First of all: The more senior people become the weaker the fingerprints. The solution I used was to store two finger prints of the same finger.
    Then it is foolproof.

    Agree. I never could get TouchID to work satisfactorily on my iPhone. Neither
    could Anne.
    It seems to be better on the iMac as long as I hit the sweet spot.
    FaceID OTOH works perfectly on my iPhone 11 and my iPad 11.
    I wonder why FaceID isn't available on the iMac?

    Face ID is suspiciously reliable for me - clean shaven or full beard, glasses or not, eyes open or closed. Just works, and I've never knowingly calibrated it for some years.

    Touch ID works until I do anything like gardening or DIY.

    Even a slightly damp finger seems to upset it here!

    --
    Cheers, Alan

  • From Jaimie Vandenbergh@21:1/5 to RJH on Tue May 13 17:42:40 2025
    On 12 May 2025 at 07:55:01 BST, "RJH" <[email protected]> wrote:

    Face ID is suspiciously reliable for me - clean shaven or full beard, glasses or not, eyes open or closed. Just works, and I've never knowingly calibrated it for some years.

    I've discovered that I can reliably fail my FaceID if I'm wearing my
    anti-snore teeth rubbery thing. It moves my jaw forward and makes me
    look rather more cro-magnon.

    This is of course annoying in the morning. I should set it up as my
    alternate look, but I'm quite groggy first thing and never think of
    it...

    Cheers - Jaimie
    --
    'It's one of those irregular verbs, isn't it? `I protect the
    lives and property of my citizens; you keep the public
    safe from an unreasonable and trouble-generating
    minority; he maintains a totalitarian regime of
    thought control.' -- Bernard, Yes Minister

  • From Jörg Lorenz@21:1/5 to Chris on Wed May 14 19:11:27 2025
    On 14.05.25 18:56, Chris wrote:
    Jaimie Vandenbergh <[email protected]> wrote:
    On 12 May 2025 at 07:55:01 BST, "RJH" <[email protected]> wrote:

    Face ID is suspiciously reliable for me - clean shaven or full beard, glasses
    or not, eyes open or closed. Just works, and I've never knowingly calibrated
    it for some years.

    I've discovered that I can reliably fail my FaceID if I'm wearing my
    anti-snore teeth rubbery thing. It moves my jaw forward and makes me
    look rather more cro-magnon.


    If I have rain on my glasses that always scuppers it.

    The sensor uses your eyes to determine whether you are dead or alive.

    --
    "Roma locuta, causa finita." (Augustinus)
