Update: A license was added
Update: A license was added
This is an important issue IMO that needs to be addressed and the official response by Bitwardens CTO fails to do so.
There is not even a reason provided why such a proprietary license is deemed necessary for the SDK. Furthermore this wasn’t proactively communicated but noticed by users. The locking of the Github Issue indicates that discussion isn’t desired and further communication is not to be expected.
It is a step in the wrong direction after having accepted Venture Capital funding, which already put Bitwardens opensource future in doubt for many users.
This is another step in the wrong direction for a company that proudly uses the opensource slogan.
I think its a recent addition (08/2024) on Linux.
Add support for biometric unlock on Linux
According to the device support page i should be ok, but yeah there might be something weird going on.
I hope I am not misunderstanding you. What you are worried about is passkeys in the password manager not syncing to new devices? They are though, with password managers that support passkeys like Bitwarden, ProtonPass, 1Password etc…
Currently using it on Bitwarden, if I log in to a new device, the passkeys are there.
Could you elaborate? I am assuming that everbody would have the password manager on their mobile phone with them, which is used to scan the qr code. I think that’s a reasonable assumption.
I agree that if you wanted the pc to act as the authenticator (device that has the passkey) it wouldn’t work with qr codes. But is that a usecase that happens at all for average people? Does anyone login to a mobile device that you don’t own, and you only have your pc nearby and not your own mobile phone?
The problem with passkeys is that they’re essentially a halfway house to a password manager, but tied to a specific platform in ways that aren’t obvious to a user at all, and liable to easily leave them unable to access of their accounts.
Agreed, in its current state I wouldn‘t teach someone less technically inclined to solely rely on passkeys saved by the default platform if you plan on using different devices, it just leads to trouble.
If you’re going to teach someone how to deal with all of this, and all the potential pitfalls that might lock them out of your service, you almost might as well teach them how to use a cross-platform password manager
Using a password manager is still the solution. Pick one where your passkeys can be safed and most of the authors problems are solved.
The only thing that remains is how to log in if you are not on a device you own (and don’t have the password manager). The author mentions it: the QR code approach for cross device sign in. I don’t think it’s cumbersome, i think it’s actually a great and foolproof way to sign in. I have yet to find a website which implements it though.
The problem with passkeys is that they’re essentially a halfway house to a password manager, but tied to a specific platform in ways that aren’t obvious to a user at all, and liable to easily leave them unable to access of their accounts.
Agreed, in its current state I wouldn‘t teach someone less technically inclined to solely rely on passkeys saved by the default platform if you plan on using different devices, it just leads to trouble.
If you’re going to teach someone how to deal with all of this, and all the potential pitfalls that might lock them out of your service, you almost might as well teach them how to use a cross-platform password manager
Using a password manager is still the solution. Pick one where your passkeys can be safed and most of the authors problems are solved.
The only thing that remains is how to log in if you are not on a device you own (and don’t have the password manager). The author mentions it: the QR code approach for cross device sign in. I don’t think it’s cumbersome, i think it’s actually a great and foolproof way to sign in. I have yet to find a website which implements it though (Edit: Might be my specific setup‘s fault).
I think it‘s fair to remain skeptical but the big organizations were part of the development, so there seems to be some interest. And it‘s not always in their interest to lock users in, when it also prevents users from switching to their platform.
Development of technical standards can often be a fraught bureaucratic process, but the creation of CXP seems to have been positive and collaborative. Researchers from the password managers 1Password, Bitwarden, Dashlane, NordPass, and Enpass all worked on CXP, as did those from the identity providers Okta as well as Apple, Google, Microsoft, Samsung, and SK Telecom.
Thanks for the link! Learned something new today.
deleted by creator
The author of your blog post comes to this conclusion:
So do yourself a favour. Get something like bitwarden or if you like self hosting get vaultwarden. Let it generate your passwords and manage them. If you really want passkeys, put them in a password manager you control. But don’t use a platform controlled passkey store, and be very careful with security keys.
The protocol (CXP) which the article is about, would allow you to export the passkeys from the “platform controlled passkey store” and import them into e.g. Bitwarden. So i would imagine the author being in favor of the protocol.
The lock-in effect of passkeys is something that this protocol aims to solve though. The “only managed by your device” is what keeps us locked in, if there is no solution to export and import it on another device.
The protocol aims to make it easy to import and export passkeys so you can switch to a different provider. This way you won’t be stuck if you create passkeys e.g. on an Apple device and want to switch to e.g. Bitwarden or an offline password manager like KeyPassXC
The specifications are significant for a few reasons. CXP was created for passkeys and is meant to address a longstanding criticism that passkeys could contribute to user lock-in by making it prohibitively difficult for people to move between operating system vendors and types of devices. […] CXP aims to standardize the technical process for securely transferring them between platforms so users are free […].
I had the same idea a while back and was wondering why no one has implemented something like this yet. This seems like an actual useful application for LLMs.
I am using Zotero (Citation Management Software) to collect scientific Articles I have read. Sometimes I forget in which Article I read about something specific. A search, where you could describe what you are looking for in a sentence, which then returns the Article with the relevant part, would be a gamechanger.
What does Ente mean?
In Malayalam, Vishnu’s native language, “ente” means “mine”. Thus “Ente Photos” has the literal meaning “my photos”.
This was a good name, but still Vishnu looked around for better ones. But one day, he discovered that “ente” means “duck” in German. This unexpected connection sealed the deal. We should ask him why he likes ducks so much, but apparently he does, so this dual meaning (“mine” / “duck”) led him to finalize the name, and also led to the adoption of “Ducky”, Ente’s mascot Source
Saying that I dont trust a homophobe is not “sharing my political opinions”. The lives of gay people may be affected by politics (just as we all are), but that doesn’t mean homophobia (or being against homophobia) is a political opinion.
I couldn’t agree more with you👍🏼
I find it rather repulsive, that people would label “being against gay marriage” as “only holding an opinion”. It makes it seem so harmless. It is depriving people of the same rights that heterosexuals have. And that is why it might matter to people. It’s not just “any” opinion, like a view on how the economy should be regulated, where one could definitely argue about. But a view, which would deprive people of the same rights that others have, is not a valid opinion to have. There is no way that it can be respected. It’s the paradox of tolerance
In a comment further down you write the following: (Edit: the comment has since been removed by a mod)
You have the right to have a liberal opinion so why not let people have their own? It’s like discrimination of black people at this point.
Which is quite ironic. You try to defend holding an opinion, which would discriminate against a certain group by not giving them the same rights. You argue that it’s discrimination to not respect their discrimination. In essence you ask the tolerant to respect the views of intolerant.
If anyone is interested these countries are ahead of the USA from 1-25: Denmark Switzerland Sweden Belgium Estonia Norway Finland Ireland Germany Iceland Portugal Austria New Zealand Canada Argentina Spain Czech Republic Italy Latvia Costa Rica Uruguay France Dominican Republic Netherlands Vanuatu