@hondanhon Yeah; just watching now, but I assume where they're going is WebAuthn. It's great, but losing your device means* losing WebAuthn certs (and thus access to all accounts secured with them), so there needs to be a fallback for resetting keys.
@hondanhon My guess is that Apple's storing recovery/private keys on iCloud to handle recovery, which is effectively the same as federated auth (as far as I'm concerned) but with the disadvantage that relying parties need to either trust that Apple/Google/etc have done their homework, or ..
@hondanhon Because we can't, also have a WebAuthn reset flow, which depends on taking a separate identifier (almost always email) and implementing federated sign-in in any event (OIDC SSO or 'magic link').
@hondanhon Now watching to see if my predictions come true. Will be genuinely delighted if they've come up with some novel way around key management. Not holding my breath, though.
@hondanhon Got to WebAuthn! 1 for 2 for me, so far! Glad they decided to go with a standard this time, rather than copying others' work and calling it their own! 🎉
@hondanhon Oh, and there we go. Storing keys in iCloud Keychain. Yeah. 2 for 2 on the prediction markets, go me! 🍰
@hondanhon So yeah, their "doesn't work on non-Apple devices" thing is a big deal ("rare events happen frequently at scale") and the usability of signing in with this goes to zero in situations where you can't use WebAuthn directly.
@hondanhon WebAuthn is *genuinely great* as a convenience method, but it doesn't solve the fundamental reset problem. Federated auth (SSO, magic link) works really well for reset (but standard approaches have usability issues that we're _very close_ to shipping some major improvements for).
@hondanhon I'll add that my assumption is that for folks implementing sign-in for users, implementing federated auth (specifically SSO) automatically/silently gets the security features of auth providers (Google, Msft, Yahoo(!), Apple), which already include WebAuthn in most cases.
@hondanhon To illustrate how much we can rely on Apple's auth methods, here's a breakdown of what percentage of users have a google/msft/yahoo/apple/other account, based on email address. Obviously iOS users represent a bigger slice, but people associate identity with their email, not OS.
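The "fallback for resetting keys" the thread keeps returning to, as an added illustration that is not code from the thread or from any vendor: a relying party that stores per-account WebAuthn-style credentials and, when the device holding them is lost, lets the user re-enrol through a single-use, time-limited email magic link. Everything here is constructed: the "signature" check is an HMAC stand-in for verifying a real WebAuthn assertion against a stored public key, the 15-minute link lifetime and the revoke-all-old-keys policy are assumed choices, and the token is returned from the function only so the demo can use it (a real deployment would email it and never log it).

```python
"""Account model for a relying party: WebAuthn-style credentials plus an
email magic-link reset flow. Constructed example, not production code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

RESET_TTL_SECONDS = 15 * 60  # assumed policy: a reset link lives 15 minutes


def authenticator_sign(device_secret: bytes, challenge: bytes) -> bytes:
    """Stand-in for the authenticator signing a login challenge.
    A real authenticator signs with a private key; we use HMAC so the
    example runs offline with only the standard library."""
    return hmac.new(device_secret, challenge, hashlib.sha256).digest()


@dataclass
class Credential:
    cred_id: str
    verify_key: bytes      # stand-in for the stored public key
    revoked: bool = False

    def verify(self, challenge: bytes, signature: bytes) -> bool:
        if self.revoked:
            return False
        expected = authenticator_sign(self.verify_key, challenge)
        return hmac.compare_digest(expected, signature)


@dataclass
class Account:
    email: str
    credentials: Dict[str, Credential] = field(default_factory=dict)


class RelyingParty:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # token_hash -> (email, expires_at); only a hash is stored so a
        # leaked table does not yield redeemable links
        self.reset_tokens: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _hash_token(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def register_account(self, email: str) -> None:
        self.accounts[email] = Account(email)

    def register_credential(self, email: str, cred_id: str, verify_key: bytes) -> None:
        self.accounts[email].credentials[cred_id] = Credential(cred_id, verify_key)

    def login_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def authenticate(self, email: str, cred_id: str, challenge: bytes, signature: bytes) -> bool:
        """Normal WebAuthn-style login: the named credential must still be
        active and must produce a valid signature over this challenge."""
        acct = self.accounts.get(email)
        if acct is None:
            return False
        cred = acct.credentials.get(cred_id)
        return cred is not None and cred.verify(challenge, signature)

    def issue_reset_link(self, email: str, now: float) -> Optional[str]:
        """Reset relies on the separate identifier (email), not on the lost
        device. Returns the token here only so the demo can redeem it."""
        if email not in self.accounts:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[self._hash_token(token)] = (email, now + RESET_TTL_SECONDS)
        return token

    def redeem_reset_link(self, token: str, now: float,
                          new_cred_id: str, new_verify_key: bytes) -> bool:
        """Single-use and time-limited. On success every old credential is
        revoked (assumed policy: the old device is treated as lost) and the
        new one is enrolled, so the account is recovered without the key."""
        entry = self.reset_tokens.pop(self._hash_token(token), None)  # single use
        if entry is None:
            return False
        email, expires_at = entry
        if now > expires_at:
            return False
        acct = self.accounts[email]
        for cred in acct.credentials.values():
            cred.revoked = True
        acct.credentials[new_cred_id] = Credential(new_cred_id, new_verify_key)
        return True
```

The two checks a practitioner cares about are that a redeemed or expired link is worthless afterwards, and that the credential from the lost device no longer authenticates once the reset completes.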
Blaine Cook 💉⏳