today's leftovers
-
mjg59 | On-device WebAuthn and what makes it hard to do well
WebAuthn improves login security a lot by making it significantly harder for a user's credentials to be misused - a WebAuthn token will only respond to a challenge if it's issued by the site a secret was issued to, and in general will only do so if the user provides proof of physical presence[1]. But giving people tokens is tedious and also I have a new laptop which only has USB-C but does have a working fingerprint reader and I hate the aesthetics of the Yubikey 5C Nano, so I've been thinking about what WebAuthn looks like done without extra hardware.
Let's talk about the broad set of problems first. For this to work you want to be able to generate a key in hardware (so it can't just be copied elsewhere if the machine is compromised), prove to a remote site that it's generated in hardware (so the remote site isn't confused about what security assertions you're making), and tie use of that key to the user being physically present (which may range from "I touched this object" to "I presented biometric evidence of identity"). What's important here is that a compromised OS shouldn't be able to just fake a response. For that to be possible, the chain from proof of physical presence to the secret needs to be outside the control of the OS.
-
An Open Source PowerPC Notebook Edges Closer
Back in 2020, we reported on the effort to create a brand new open-source laptop platform using the PowerPC architecture. At the time they had big plans and a PCB design, and we’re very pleased to report that in the intervening two years they’ve progressed to the point of now having some real prototypes ready for testing.