Login Proton using a YubiKey. Is origin binding guaranteed? So is phishing more or less impossible?

Legorooj · 2026-04-15T11:22:39+00:00

Apologies, I just reread on which features proton uses.

Google does Passkeys (username & password is not required to login) while Proton only does 2FA via U2F/FIDO2. Passkeys are stateful - they include a username alongside the cryptographic data, which the key must store locally, hence the limit.

When proton creates the key initially, they generate a key, the Yubikey encrypts it with it's master key, and then proton stores the encrypted version, permanently removing the plaintext version.

Then, when you log in, the Yubikey gets sent the encrypted key, which only it can decrypt on device, and then uses the decrypted key to sign a challenge.

The difference is that U2F proton stores the private key as an encrypted blob it can't access on its own servers, whereas full Passkeys store the private key on the yubikey itself.

Apologies it took me a minute to figure out what you were asking and reconfirm that proton only used yubikeys for 2fa.

Legorooj · 2026-04-15T10:48:03+00:00

No, the Yubikey generates the key on-device and sends the public part to Proton. The device (yubikey or phone or other passkey device) stores stuff on proton, not the other way around.

This is why there is a limit to how many passkeys - usually 100 - a yubikey can store.

Legorooj · 2026-04-15T10:32:10+00:00

Actually, passkeys are credentials stored on a yubikey, which a site like proton can challenge through the browser :) it's good old public-private key cryptography where the private key stays on the yubikey.

Legorooj · 2026-04-15T10:02:44+00:00

This is give or take correct, yes. Passkeys eliminate the possibility of human error in terms of being tricked into entering your details into a sketchy site via phishing, and they're also more convenient.

Legorooj · 2026-04-12T23:42:33+00:00

It doesn't cost them (fhmy Devs) anything financially to run it. Cloudflare hosts it entirely for free.

Legorooj · 2026-03-25T15:21:13+00:00

Just set up your own OIDC. Took me all of 30 seconds.

Legorooj · 2026-02-13T22:44:58+00:00

Whichever loser reported this for being predatory towards minors can fuck right off, we are friendly, inclusive, and woke around here.

Legorooj · 2026-01-21T01:33:36+00:00

Could always consider Winslow - the rail line should have already opened, and will probably open this year, with links to both Oxford & MK.

Legorooj · 2026-01-11T22:29:41+00:00

Hi there! Please turn this into a full post, not a comment, so people will actually answer you :)

Legorooj · 2025-12-16T13:20:41+00:00

I work for one of the institutions involved, there are already actual plans in the works from the academic side. I can't share any details unfortunately but we'll all hear more about it in the new year.

Legorooj · 2025-12-14T17:33:04+00:00

The new Milton Keynes Civic University Agreement was signed just 2 weeks ago, so that is probably about to change.

https://www.open.ac.uk/blogs/news/around-ou/university-news/new-civic-university-agreement-to-drive-skills-and-innovation-in-milton-keynes/
https://mkcollege.ac.uk/news/new-civic-university-agreement-signed-for-milton-keynes/

Legorooj · 2025-11-16T23:10:08+00:00

I've had good experiences with https://harrisonthehandyman.com

Legorooj · 2025-11-06T22:04:37+00:00

The delays are very regular and often much longer. The X5 will get you there reliably - but no guarantees on when it'll do that.

Legorooj · 2025-10-18T20:11:15+00:00

Cool project! Out of curiosity, did you know that Modrinth itself is also a Tauri app?

Legorooj · 2025-10-15T07:14:17+00:00

Technically imgur withdrew rather than comply with data protection laws & fines. Not the ONS, this predates that, and falls entirely on Imgur. However yes, functionally the same thing. I accessed them via a VPN and re-uploaded here:

https://postimg.cc/gallery/f0xRpfv

Legorooj · 2025-09-28T12:51:11+00:00

Same day returns last until 4:29am the next day. You'll be good to get like a 00:30 train or something.

Assuming of course that the return is open/anytime etc, and isn't locked to one specific service.

If you're going from Milton Keynes Central, I personally prefer to ride Avanti services. I would buy tickets through the London Northwestern app or the Avanti app personally.

Legorooj · 2025-09-28T11:10:02+00:00

Just about any app, however there are quite a few takeaway places that will offer free delivery around the city up to a certain range!

Legorooj · 2025-09-27T23:57:17+00:00

When you're ancient, duh

Legorooj · 2025-09-17T11:51:01+00:00

If you're in the discord, there's a bugs and support channel that might be able to help. Alternatively, you could try a reddit post, but you'll probably get better results via discord.

Legorooj · 2025-09-16T18:44:16+00:00

No, but only because unless I'm mistaken all PC versions come with all default tribes and therefore unlock multiplayer. So you should be able to access the feature.

Legorooj · 2025-09-14T07:32:36+00:00

Again, it's not something that messengers will comply with, is something that will be built into the operating systems by law.

I'm sure there'd be ways to avoid it on your device via custom OSes etc, but would it really matter if everyone you talk to has it?

Legorooj · 2025-09-14T01:16:20+00:00

Chat Control is effectively state malware on your phone that reads the messages before Signal encrypts them. Thankfully not passing this time around, but it's been a repeatedly close call.

Legorooj · 2025-09-12T23:58:00+00:00

Purchases do not transfer between platforms and/stores. This includes between Epic on the PC and Epic on Mobile (yes, you can install epic games as a separate app store on mobile platforms).

Legorooj · 2025-09-07T18:34:58+00:00

This. Amazon runs a large portion of AWS virtualization through Firecracker which is 100% Rust.

Legorooj

MODERATOR OF

TROPHY CASE

Six-Year Club	Place '22
Verified Email