uzyn commented on Passkey can detect auth cloning via signCount, but big tech do not support it   uzyn.com/posts/passkey-ha... · Posted by u/uzyn
palata · 3 months ago
Say the user has two devices and hence two copies of the same passkey, let's call them A and B. They have a shared signCount.

Say an attacker manages to make a copy C of A. They have the signCount as part of it, right? So they can immediately connect to the server. The server will increment signCount and sync it with A and B, but C is already in and C knows that the signCount is probably lastSignCount+1.

The only way I could imagine signCount to be useful is if somehow the server synchronises it between A and B in a way that C - who got access for a while - cannot access. It would mean that C has access until A or B connects, and after that the next time C connects, it will be out of sync. This does not sound super useful, and it assumes that C cannot access the sync process even though it has unlimited access to the passkey (until A or B is used).

What am I missing? To me signCount doesn't bring anything here...

uzyn · 3 months ago
If C uses it without the knowledge of the original owner (A or B), then with a proper signCount check, C would have to increment it at its end; A or B would not have known.

When A logs in with an unincremented signCount, A and the relying party are now aware of a potential cloned authenticator and disable the compromised passkey.

uzyn commented on Passkey can detect auth cloning via signCount, but big tech do not support it   uzyn.com/posts/passkey-ha... · Posted by u/uzyn
palata · 3 months ago
I'm a bit confused: how does signCount ever bring security in a shared-passkey scenario?

The only way I can see it be useful is if you have exactly one instance of the passkey (e.g. a security key), because if `signCount` got incremented without the security key being aware of it, then you have a problem.

uzyn · 3 months ago
Same reason that signCount is useful in a non-shared passkey. Yubikeys are not supposed to be cloneable afaik, but this helps to detect if somehow it got done.

Also, why not.

uzyn commented on Passkey can detect auth cloning via signCount, but big tech do not support it   uzyn.com/posts/passkey-ha... · Posted by u/uzyn
palata · 3 months ago
Probably a naive question, but: if the passkey is synchronised between multiple devices, doesn't it just trivially render the signCount useless?

Say I have a passkey shared between my laptop and my smartphone. When I log in with the smartphone, the signCount is incremented and the new value is synchronised with the laptop, as suggested in the article.

Now say my passkey is compromised, and an attacker logs in from somewhere else. Won't the signCount just be incremented and synchronised with the smartphone and the laptop? How does signCount prevent that?

uzyn · 3 months ago
You made a good point, esp. if your passkey vault is compromised, e.g. Apple iCloud's credentials are leaked. signCount, incremented or not, would not help here in informing you of your hacked iCloud account – that would be dependent on iCloud's service itself for detecting and informing you of your compromised account.

I would still like to see big tech passkey providers implement signCount for the following 2 reasons:

1. It helps to push relying parties to implement signCount verification. Right now most relying parties do not implement it as many providers are returning `0` for `signCount`.

2. This would be an odd one: it helps with detecting leaked private keys of passkeys, if a malicious attacker, internal or external, manages to obtain the private key.
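The two-device scenario that palata and uzyn argue about in the threads above, simulated as an added example (my code, not either commenter's): a relying party applying the WebAuthn signCount rule, synced copies A and B sharing one counter, and a clone C that inherits A's counter. The `vault` dict, class names and the `0`-means-unsupported handling (which is what uzyn's point 1 about providers returning `0` refers to) are assumptions for illustration.

```python
# Added illustration of the signCount clone check discussed in the thread.
# Assumption: a synced passkey's copies share one counter ("vault"); a clone
# copies the counter at clone time and then counts on its own.


class RelyingParty:
    def __init__(self):
        self.stored_count = 0   # last signCount this RP accepted
        self.flagged = False    # set once a possible clone was observed

    def verify(self, sign_count: int) -> str:
        """Apply the WebAuthn rule; return the outcome as a short label."""
        if self.flagged:
            return "disabled"   # credential already revoked by the RP
        # Both zero: authenticator/provider does not support counters at all,
        # so the RP has nothing to compare (the "returning 0" case).
        if sign_count == 0 and self.stored_count == 0:
            return "unsupported"
        # Counter must strictly increase; otherwise a second copy signed.
        if sign_count <= self.stored_count:
            self.flagged = True  # disable the passkey and alert the user
            return "clone-suspected"
        self.stored_count = sign_count
        return "ok"


class Authenticator:
    """One copy of a passkey; copies sharing `vault` share the counter."""

    def __init__(self, vault: dict):
        self.vault = vault

    def sign(self) -> int:
        self.vault["count"] += 1  # constructed: counter bumped per assertion
        return self.vault["count"]


def scenario() -> list:
    rp = RelyingParty()
    owner_vault = {"count": 0}
    a = Authenticator(owner_vault)
    b = Authenticator(owner_vault)              # synced copy shares counter
    results = [rp.verify(a.sign()), rp.verify(b.sign())]
    c = Authenticator(dict(owner_vault))        # clone: snapshot of counter
    results.append(rp.verify(c.sign()))         # clone signs first: accepted
    results.append(rp.verify(a.sign()))         # owner signs with stale count
    results.append(rp.verify(c.sign()))         # passkey is now disabled
    return results
```

The run shows palata's objection and uzyn's answer side by side: the clone's first login is accepted, and only the owner's next login exposes it, after which the credential is disabled for everyone including the clone.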

uzyn commented on CSS Zen Garden   csszengarden.com/... · Posted by u/onat1
uzyn · 4 months ago
Loved the site and the companion book. Borrowed it at my local library and kept renewing it. Taught me CSS, coming out of hacking CSS with all the weird tricks at that time, and made me realize that you _can_ make beautiful semantic websites without the crazy hacks.
uzyn commented on Less Htmx Is More   unplannedobsolescence.com... · Posted by u/fanf2
DeathArrow · 5 months ago
I thought HTMX is useful mostly for SPA-style apps. If you want a website with individual pages you can mostly use HTML and a bit of vanilla JS for the stuff that needs to be dynamically updated.
uzyn · 5 months ago
It's the other way around. HTMX is not suitable for client-side-scripting-heavy apps like SPAs. It's more for "traditional" AJAX-style web apps.
uzyn commented on Claude can now search the web   anthropic.com/news/web-se... · Posted by u/meetpateltech
gizmodo59 · 5 months ago
How much more significant is it, percentage-wise, compared to say OpenAI or Google? Because if I'm paying $20 I want other things too, not just coding. And if the moat for coding compared to other vendors is not significant, it doesn't make any difference tbh.
uzyn · 5 months ago
Fair point. I wouldn't say it's by a lot because I am getting quite good results with ChatGPT's models too. A part of it could also just be confirmation bias.
uzyn commented on Magical Instant Bullets   militaryrealism.blog/2025... · Posted by u/baud147258
uzyn · 5 months ago
An in-game sniper that you have to aim inches above the head is just not as fun, especially for an extremely fast-paced game like Unreal Tournament.
uzyn commented on Claude can now search the web   anthropic.com/news/web-se... · Posted by u/meetpateltech
uzyn · 5 months ago
Surprised that Claude (the app, not the model) not only has done well for so long, but has somewhat consistently clinched the top spot in coding, all without a feature that is considered somewhat of a basic feature for most consumer-facing AI apps.
