No need to do anything the hard way when you’re just starting out. The whole process with prep, safety razors, after care etc can wait. I’d also skip the disposable two blade razors.

Invest in a decent starter set of the modern 4 and 5 blade cartridge razors with the reusable handle and soap strips around the blades. They’re forgiving compared to everything else, which is perfect when you’re learning. Even if you want to try more trendy shaving equipment later, you’ll be grateful to have something fast and foolproof on hand when you’re in a rush!

As for technique tips: Any kind of soap will help the head glide, but obviously shaving cream is made for it. Light pressure is all that’s needed. Let the razor blades do the work.

Stretching the skin taught helps avoid irritation. Shaving with the direction of the hair to start can help your skin and follicles acclimate to the abrasion. Then you can try shaving against when you’re ready.

If we cut and run every time a big corporation “embraces” a new standard, just to lessen the pain of the day it’s inevitably “extinguished,“ we’d miss out on quite a lot.

This standard was open from the start. It was ours. Big corps sprinted ahead with commercial development, as they do, but just because they’re first to implement doesn’t mean we throw in the towel.

Also:

1. Bio auth isn’t necessary. It’s just how Google/Apple do things on their phones. It’s not part of the FIDO2 standard.
2. It works with arbitrary password managers including FLOSS and lots of hardware options.
3. Passkeys can sync to arbitrary devices, browsers, device bound sessions, whatever.

Yeah the moods in this thread, like

“[I don’t understand this]!”

“[I don’t trust this]!”

“[It doesn’t fix everything]!”

“[This doesn’t benefit me]!”

“[What’s wrong with old way]!?”

And like, all valid feelings… just the reactions are a bit… intense? Especially considering it’s a beta stage auth option that amounts to a fancy version of the old sec key industry standard, not the mark of the beast.

Yeah the counter-interoperability of proprietary expansions on FIDO standards sounds a lot like embrace extend extinguish to me. I know engineering standards generally require field revisions but these big corps have a track record of this behavior.

I can see how the FIDO standard’s dID requirement might be an issue at the org level, but even in the case of a fully custom/unknown rooted device they have provisions for using traditional security keys attached to one or more associated devices via USB/BT/NFC. Megacorp platforms might be first to facilitate adoption but the spec absolutely accommodates open provider integration.

I need to experiment with personal security passkey registration and authentication workflows to know how difficult it actually is in practice, but it looks like the equivalent of self-signed certificates are possible anywhere the user controls the stack like self-hosted intranetwork suites that are popular around here.

Thanks again for the write up!

I could see that. I’ve only found a few in the wild (mostly just enterprise, niche tech-related, and big platform web apps) but there’s probably some clunky implementations out there I haven’t suffered through yet.

For one, there seems to be this idea that if you lose your passkey you get locked out of your account forever.

True, plenty in this thread even. IIRC there’s usually a recovery key process same as a typical authenticator MFA, sometimes other routes in addition like combining multiple other MFAs or recovery contact assignment. Regardless, completely losing PW manager access across devices would presumably be the more immediate crisis for most.

Thanks for the great article! I had a question re: the top disadvantage you mention (lock-in).

Background: Although the on-device integration for Apple, Google, etc. use their cloud for E2E sync between devices, it appears KeePassXC using their passkey interception, discovery, and import procedures accomplish the same cross-device passkey implementation without needing a particular vendor cloud lock-in. As best I can tell, this meets the original standard’s sync fabric requirements (whether or not the big providers like it) and relies on platform-specific APIs mostly for interoperability.

Question: If KeePass has been able to implement their own sync this way, and the FIDO standard accommodates non-OS providers (e.g. browsers or PW managers), what is currently the biggest technical hurdle remaining for FOSS-based passkey providers?

KeePassXC has begun rollout of their own implementation, and I’m pretty sure they’re considered FOSS.

From a quick scan of the white paper, it appears they’re currently using on-device passkey discovery and otherwise “intercepting” passkey registration workflows, which I take to mean they aren’t originating the request as a passkey registrar. This may be the easiest method to satisfy FIDO’s dID requirements.

This is a big one. Lock-in and the threat of provider blacklisting means it will remain a shortcut like SSO (“sign in with ____”) until we’ve established federated providers.

On further reading, this may not be as far off as I thought. Passkey registration providers can be OS-level but browser and password manager based solutions were intended (overview from FIDO alliance). And it looks like KeePassXC has begun rollout of their own. If I’m reading correctly they currently “piggyback” off of an OS-based provider in various ways, so it’s not yet an end-to-end implementation, but these are early days.

The passkey options I’ve come across so far are as close to push-button as I can imagine.

Do you mean from the developer perspective, like the complexity of the API/workflow?

Exactly

Slow is smooth, and smooth is fast.

Haha that’s the one ;)

Yeah you get it. It’s a “slow = fast” type of spiel, just a bone to pick with colleagues who embrace anti-user practices needlessly.

You still need 2fa

I think most passkey implementations incorporate multiple factors already. The session factor is considered distinct from the device factor, even if it’s all on the same device.

Which isn’t super different from the traditional USB key procedure, where a user would activate a FIDO biometric after clearing an SSO portal, or what have you.

I’m not really concerned about the security of it. Moreso the inconvenience…

Honestly, convenience is security (change-my-mind lol) insofar as it measurably impacts rate of user adoption/adherence and thus outcomes.

It’s the annoyance you describe that leads most users to skip 2FA setup until it’s forced on them, for example.

Honestly I’d take that as pretty strong evidence against the idle talk from that thread. If only because kids who grew up during and shortly after the war grappled with these ideas earlier than most, and did so during a period where WS was suddenly condemned quite publicly.

Thank you!

Thanks! I lost motivation after a few lines lol

Thank you!

And honestly I don’t know that they do, since that thread is the only example I have off-hand where it was implied, and no one took time to explain.

These days I’m not terribly surprised to find WS ideas lurking in high-fantasy and scifi of yesteryear. (I mean, beyond the most pedestrian forms invited by the very notion of differing races/species coexisting.) ETA: I just don’t want to “cancel” some author I don’t know about without knowing why.

I was asking about this author recently (in this post) because a number of people referred to “Stormbringer” as an obvious white-supremacist reference but I couldn’t confirm with a fair amount of digging what everyone else seemed to know off-hand.

Is this author associated with WS? Or is this just an unfortunate result of an easy assumption that anything “storm-x” is WS-adjacent? Since I haven’t read any Moorcock, I don’t yet know. I’m just curious because I try to be aware of such things.

SO ANYWAY, IN THE ETERNAL CHAMPION ITERATION HE’S CALLED EREKOSE AND HE COMMITS THE ORIGINAL SIN WHICH SETS THE CHAMPION ON HIS CURSED PATH. BUT IN COUNT BRASS IT’S REVEALED THAT IT’S NOT HIS FAULT AND HE CAN FINALLY REST AFTER DESTROYING THE BALANCE USING THE BLACK SWORD IN IT’S PUREST FORM. YOU SEE, IN MOORCOCK’S UNIVERSE, THE SWORD IS THE CHAMPION’S NEMESIS BUT HE HAS TO USE IT TO BREAK FREE WHICH IS MOORCOCK’S BIG ANTI-WAR STATEMENT ABOUT THE FOLLY OF FIGHTING FOR PEACE. THIS IS ALSO EXEMPLIFIED OF COURSE IN ELRICS’S STORY WHERE STORMBRINGER LITERALLY DRINKS THE SOULS OF HIS ENEMIES AND WILL DRINK HIS IF HE STOPS KILLING. BUT IN CORUM’S TALE THERE’S A WHOLE CLASS-ELEMENT TO THIS THAT REALLY SHOWS HOW MOORCOCK WAS ALSO AN ANARCHIST. HAWKMOON IS ALSO LIKE THAT, HE’S A PARALLEL TO THE NOBILITY OF THE SWORD WHEREAS

I’m no Fahrenheit expert, but I’m coming up with -175 C = -283 F, so… not a typical typo but perhaps an LLM discrepancy, which doesn’t inspire confidence in either figure.

And in fact, it turns out the original paper gives as their cryo temp 77 Kelvin, which is closer to -196 C or -321 F.

I’m not sure from where the other temps in that report originated but more than likely they were just hallucinated at some point and included with subsequent summaries as confidence-inspiring “datapoints.”