this post was submitted on 26 Jan 2024
15 points (72.7% liked)
Fediverse
17683 readers
14 users here now
A community dedicated to fediverse news and discussion.
Fediverse is a portmanteau of "federation" and "universe".
Getting started on Fediverse;
- What is the fediverse?
- Fediverse Platforms
- How to run your own community
founded 4 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
@maegul How would servers share accounts and passwords? Allowing any server to know what a user’s password should be is not very good for security.
@fediverse @maegul @1984 @mindlight
Trusting other peoples identification and authorizattion isnt about sharing accounts and passwords. If user A of server X want to log in at server Y, server Y asks server X if it knows this user A. If so server X handles the password/mfa check and just gives the green light to server Y.
@joeldebruijn Ah, that makes much more sense. I guess this could be also used for phishing, but that may be unavoidable.
@fediverse @maegul @1984 @mindlight @maegul
True! One of the main building blocks, sadly.
@Aatube @maegul@hachyderm.io @1984 @mindlight @maegul@lemmy.ml
Couldn't it be like public-private keys such PGP protocols, where the users have the private key and the platforms have the public key? It's seems quite good privacy, some would even say it's "pretty good privacy".
@Sean Nice pun :D
I don’t think requiring users to use a really long and virtually unmemorizable password (the private key) would be a pretty good idea for a social network either.
@fediverse @maegul @1984 @mindlight @maegul
@Aatube @maegul@hachyderm.io @1984 @mindlight @maegul@lemmy.ml
The private key doesn't need to be memorized, it stays saved on the device that the client software is on, allowing the user to integrate mobile device's biometric reader (fingerprint/face/iris/whatever) to confirm identity, or use security key, there are already different ways to implement it that doesn't require pw memorization.
I've got a long unmemorizable string for Firefox sync, Brave, Proton Mail/Pass, it's still more secure than pw memorized
@Sean Not all devices support passkeys.
Unmemorizable passwords are not the kind I like to use. I'd rather be able to login on some random incognito guest computer.
@fediverse @maegul @1984 @mindlight @maegul
@Aatube @1984 @mindlight @maegul@lemmy.ml
Yea I don’t know the best approach to that. Either a separate server for managing IDs. Or you always a principal server that manages authentication for its platform and others within the trusted “circle”. And then, should the principal server fail, you can switch to another server as your principal. Hubzilla/Streams has some process like that AFAIK.
@Aatube @1984 @mindlight @maegul@lemmy.ml
The key idea is that you can have a single unified identity on all the platforms you want. Signing into multiple platforms doesn’t require a new account every time. And cross posting from one platform to another, under your single identity is easy from every platform.
Then leveraging those features (and an open API), a good unifying client will make that easy.
There must be a way of doing that without fatal security issues or decentralisation.