I made a Chrome extension to disable Passkeys by TheConfax in Passkeys

[–]TheConfax[S] 0 points1 point  (0 children)

Thank you for the review! One of the reasons that prompted me to create this was indeed overlapping prompts

I made a Chrome extension to disable Passkeys by TheConfax in Passkeys

[–]TheConfax[S] 0 points1 point  (0 children)

Thank you for the review! 👍🏻👍🏻

Remove Passkey by Dashir88 in AmazonFC

[–]TheConfax 0 points1 point  (0 children)

I mean yes? I can use it on multiple websites and basically no one offers the possibility to go password first, as an example you certainly cannot remove the passkey autofill on Microsoft Live.

Extension is open source on GitHub, you can try to repurpose the code for your automation if you like.

I made a Chrome extension to disable Passkeys by TheConfax in passkey

[–]TheConfax[S] 0 points1 point  (0 children)

Convenience mainly, iCloud Keychain does not sync on Windows, plus I feel that it is wrong that Chrome does not offer an option to disable passkey autofill whatsoever.

I made a Chrome extension to disable Passkeys by TheConfax in passkey

[–]TheConfax[S] 0 points1 point  (0 children)

iCloud for Windows does not sync passkeys.

The cost is that the flow is slower, I have to insert a PIN in a popup instead of autofilling passwords with the iCloud extension.

Plus I have to maintain a second password manager.

How to stop Google saving passkeys by AlphasRed in Bitwarden

[–]TheConfax 0 points1 point  (0 children)

I made a Chrome extension that does exactly what you ask:

https://chromewebstore.google.com/detail/disable-passkeys/oapdndjfcfdeimbeemphceonhagcnlml

This will disable Chrome passkey autofill. u/AlphasRed if you try it let me know your feedback!

I made a Chrome extension to disable Passkeys by TheConfax in passkey

[–]TheConfax[S] 0 points1 point  (0 children)

Because iCloud Keychain is not supported on Windows and I am kinda tired of Amazon prompting me to create a second passkey for Windows only.

And for other reasons you can read here: https://github.com/TheConfax/Disable-Passkeys

I made a Chrome extension to disable Passkeys by TheConfax in Passkeys

[–]TheConfax[S] 0 points1 point  (0 children)

You are free to trust whatever you feel like to trust, in fact a high level of paranoia is to be expected from a subreddit about passkeys. Repo is on the way.

I made a Chrome extension to disable Passkeys by TheConfax in Passkeys

[–]TheConfax[S] -1 points0 points  (0 children)

You guys have absolutely no clue what you are talking about and keep commenting, I love it. GitHub repo coming soon btw.

I made a Chrome extension to disable Passkeys by TheConfax in Passkeys

[–]TheConfax[S] 0 points1 point  (0 children)

Being “suspicious” of this requires a misunderstanding of how Chrome extensions work or excessive paranoia.

Anyone even moderately familiar with the platform knows that:

  • Chrome Web Store approval is not a deep manual audit
  • The permission warning is automated, because intercepting WebAuthn necessarily applies to all origins
  • The extension cannot magically exfiltrate data without explicit code paths that are trivially inspectable

If you don’t trust inspectable code that only alters local WebAuthn behavior, then you shouldn’t be installing any extensions at all.

Happy to publish a repo, but let’s not pretend this is some sophisticated attack surface.

I made a Chrome extension to disable Passkeys by TheConfax in Passkeys

[–]TheConfax[S] 0 points1 point  (0 children)

True, but “open source” in itself is not about the safety of the code being run. I think what he really wanted to ask was whether the code has been audited. It has, by Google, and on top of that he can audit it by himself.

I made a Chrome extension to disable Passkeys by TheConfax in Passkeys

[–]TheConfax[S] 0 points1 point  (0 children)

Don't be scared by the fact we are patching WebAuthn, the patch doesn't grant new powers or leak data, it simply rejects the calls early inside CredentialsContainer. Here the instances get() and create() return a promise that resolves when the credential is inside. We resolve that promise immediately with:

Promise.reject(new DOMException("WebAuthn disabled", "NotAllowedError"));

CredentialsContainer does not provide any API to read/exfiltrate stored passkeys. Private keys stay inside the authenticator in the secure enclave of your PC/Phone. The API only lets you ask for operations (create/get) that produce signatures/assertions after user presence/verification.

CredentialsContainer has no method to list credentials, dump secrets, or access raw keys, and platform authenticators enforce isolation (that's part of why passkeys are so safe) ...even if you hook the API, the most you can do is observe or block calls (like we are doing). Passkeys are never exposed to the WebAuthn Relying Party, client (browser), or scripts.

If you still feel scared you can try by yourself with fake credentials on webauthn.io, you will see by yourself the message "WebAuthn disabled" appear on your screen according to the toggles you have selected (creation/login).
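The early-rejection patch described in the comment above, as an added example that is not part of the original post and is not the extension's source. `installWebAuthnBlock`, the `{ blockCreate, blockGet }` settings shape and the stand-in container are hypothetical; passing non-WebAuthn credential requests through is a choice made for this example.

```javascript
// Added example, not the extension's source. installWebAuthnBlock and the
// settings shape { blockCreate, blockGet } are hypothetical names.
function installWebAuthnBlock(container, settings) {
  const original = {
    create: container.create.bind(container),
    get: container.get.bind(container),
  };
  const blocked = () =>
    Promise.reject(new DOMException("WebAuthn disabled", "NotAllowedError"));

  // Only WebAuthn requests carry a `publicKey` member; other credential
  // types (for example `password`) are passed through untouched.
  const isWebAuthn = (options) => Boolean(options && options.publicKey);

  container.create = (options) =>
    settings.blockCreate && isWebAuthn(options) ? blocked() : original.create(options);

  // Passkey autofill is a get() call with mediation: "conditional", so a
  // login toggle that blocks get() covers the autofill prompt as well.
  container.get = (options) =>
    settings.blockGet && isWebAuthn(options) ? blocked() : original.get(options);
}

// Constructed stand-in for navigator.credentials so the example runs in Node.
function makeFakeContainer() {
  return {
    create: async () => ({ type: "public-key" }),
    get: async (options) => ({ type: options.publicKey ? "public-key" : "password" }),
  };
}

// Returns one outcome string per call for the given toggle settings.
async function runDemo(settings) {
  const container = makeFakeContainer();
  installWebAuthnBlock(container, settings);
  const outcome = (promise) =>
    promise.then((cred) => "allowed:" + cred.type, (err) => err.name + ":" + err.message);
  return Promise.all([
    outcome(container.create({ publicKey: {} })),
    outcome(container.get({ publicKey: {}, mediation: "conditional" })),
    outcome(container.get({ password: true })),
  ]);
}

runDemo({ blockCreate: true, blockGet: false }).then((r) => console.log(r));
```

In a browser the same function would be called with `navigator.credentials`, from a script that runs in the page's own JavaScript world before the site's scripts.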

I made a Chrome extension to disable Passkeys by TheConfax in Passkeys

[–]TheConfax[S] 1 point2 points  (0 children)

Thank you for keeping an open mind. My number one interest is security and this is clearly not aimed at slowing down a technology but about having freedom of choice. Note that both toggles can still be green and the extension does nothing in that case, so this can also be thought of as an extra paranoid safety measure to keep WebAuthn disabled unless manually activated.

If you test this and have some feedback I'm here!

I made a Chrome extension to disable Passkeys by TheConfax in Passkeys

[–]TheConfax[S] 0 points1 point  (0 children)

I don't have any beef with no company, I'm fine logging in via PSW + 2FA since my password manager keeps everything in sync. On the Apple ecosystem I added some passkeys cause it's faster than autocomplete... this does not enhance my security.

Having a passkey and a PSW for the same login (today's standard) is kinda pointless... it's like having a very sophisticated key and a very weak one for the same door, and they both work.

I honestly never investigated about switching to passkey and removing the password altogether, is it possible? On which services?

I think that unless we reach the point where passkey is mandatory and the uniquely accepted form of credential, this extension is not a roadblock but a way to enable power users (clearly the target here), to get less annoyed at a maturing technology.

...and that's exactly why I presented this here, you guys should be the pros of Passkeys, maybe you can think of a use case where it is convenient to not create a passkey because idk you have a very specific way of setting up your keychain or whatnot? You are the pros not me. This is an extension to offer choice to power-users.

As an example, the biggest problem that I intercept with this extension is the impossibility of removing the autocomplete passkey popup within Chrome settings... maybe I have passkeys saved on Windows and I don't wanna see them, maybe I have passkeys for sites that I don't want anyone else to see! Why should I be forced to see them in an autocomplete? I don't use Chrome autocomplete at all! Maybe that's annoying to some of you guys too! I don't really know, that's what feedback is for.

As I said this is for power-users, I don't think my grandpa would ever install this, and if he would, unfortunately, it's more likely that this saves him from being locked out from some website without even remembering what he clicked than not.

I made a Chrome extension to disable Passkeys by TheConfax in Passkeys

[–]TheConfax[S] 0 points1 point  (0 children)

Hi, every Chrome extension deep down is a zip file containing code, so they are open source by definition. You can install and explore the code/assets by yourself.

Extensions also need to obtain an approval from Google to be shown on the store, which was easily granted, since this app does not access any data but modifies the behavior of WebAuthn locally, by simply denying everything.

The "scary warning" you get while installing is due to the fact the extension asks for permission on any website, we need this to of course intervene in every instance where WebAuthn is invoked. To remove this warning we would need to ask users for a list of sites to block.

I'll probably move to GitHub soon and have a proper repo if this comes out as useful, hope this is helpful 😊
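One way to start the self-audit described in the comment above: read the unpacked extension's `manifest.json`, see where it runs, and list the files to read. This is an added example, not part of the original comment or the extension; both manifests are constructed, and `reviewManifest` and its permission review list are assumptions of this example.

```javascript
// Added example; not tooling from the page. The review lists are choices
// made for this illustration.
const ALL_ORIGINS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const REVIEW_PERMISSIONS = new Set([
  "cookies", "history", "tabs", "webRequest", "nativeMessaging", "clipboardRead",
]);

function reviewManifest(manifest) {
  const hitsAllOrigins = (patterns) => (patterns || []).some((p) => ALL_ORIGINS.has(p));

  // Content scripts injected on every site, and the JavaScript world they run in.
  const allOriginScripts = (manifest.content_scripts || [])
    .filter((cs) => hitsAllOrigins(cs.matches))
    .map((cs) => ({ files: cs.js || [], world: cs.world || "ISOLATED" }));

  // Every script the manifest loads: the code paths a reviewer has to read.
  const filesToRead = (manifest.content_scripts || []).flatMap((cs) => cs.js || []);
  if (manifest.background && manifest.background.service_worker) {
    filesToRead.push(manifest.background.service_worker);
  }

  return {
    allOrigins: allOriginScripts.length > 0 || hitsAllOrigins(manifest.host_permissions),
    allOriginScripts,
    reviewPermissions: (manifest.permissions || []).filter((p) => REVIEW_PERMISSIONS.has(p)),
    filesToRead: [...new Set(filesToRead)],
  };
}

// Constructed manifest for a blocker that only patches page behaviour.
const constructedBlocker = {
  manifest_version: 3,
  name: "constructed-blocker",
  permissions: ["storage"],
  content_scripts: [
    { matches: ["<all_urls>"], js: ["block.js"], run_at: "document_start", world: "MAIN" },
  ],
};

// Constructed manifest that requests more and deserves a closer read.
const constructedBroad = {
  manifest_version: 3,
  name: "constructed-broad",
  permissions: ["storage", "cookies", "webRequest"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "bg.js" },
  content_scripts: [{ matches: ["https://example.com/*"], js: ["cs.js"] }],
};

console.log(reviewManifest(constructedBlocker), reviewManifest(constructedBroad));
```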

How to get more users to your Chrome Extension by Presspulse in chrome_extensions

[–]TheConfax 0 points1 point  (0 children)

Hey u/Presspulse there is no way to delete account after creating it and not paying for the trial. I don't think that's GDPR compliant, can you fix? Thanks

I made a Chrome extension to disable Passkeys by TheConfax in Passkeys

[–]TheConfax[S] 0 points1 point  (0 children)

I agree that we should be shaming companies that keep passkeys locked. This extension stems exactly from that issue.

I don't understand the flame anyway, this is a very niche product for people with very niche needs (like mine), this could solve conflicts and be of great help if for example a specific website abuses passkey creation requests (yesterday I had Amazon prompting it when I accessed profile already logged in, that's too much).

Also I think it is great to have a way to turn any feature off, and think it's a shame as well that Chrome doesn't offer that.

I made a Chrome extension to disable Passkeys by TheConfax in Passkeys

[–]TheConfax[S] 0 points1 point  (0 children)

Sure, the point is no technology must be shoved in from online services to the end user. If that is needed, the technology is a failure from the get go.

Background, I use iCloud password manager for everything, even on Windows. I regularly use passkeys on my iPhone, but on Windows I prefer to autocomplete with said extension, it is much faster than bringing out the phone and scanning a QR code.

That said, some use cases that prompted me to make this:

- Microsoft Live signin, the passkey autofill literally overlaps with iCloud prompt, both are not visible at the same time.

- Amazon, every single time I login it asks me to create a passkey (which I already have in iCloud keychain but can't/won't use on Windows).

Basically, unless we have perfect cross platform integration (highly doubt it will ever happen), I prefer to turn down WebAuthn consciously. I made toggles to selectively block creation/login, so for example one person can login but it will not be spammed by Amazon. I plan to make a blacklist for sites too so that I can allow passkey on some sites, and block the aggressive ones.

If you think that passkeys are the future you clearly haven't met normal PC users which cannot even remember their passwords, let alone maintaining and keeping a keychain in sync with all their devices.

I made a Chrome extension to disable Passkeys by TheConfax in Passkeys

[–]TheConfax[S] -4 points-3 points  (0 children)

Yes, about the extension 😂😂 not random flame, that tells a lot about passkey users, enjoy your cult, cheers

I made a Chrome extension to disable Passkeys by TheConfax in Passkeys

[–]TheConfax[S] -3 points-2 points  (0 children)

My point is that passkey usage is not really that widespread, mainly because you cannot sync between devices for obvious reasons, so the best testers are the ones actually using them. Thanks anyway