While twitter is down, I’m noticing the thoughtful details available to Mastodon apps via API.
Author credit in preview cards: https://docs.joinmastodon.org/entities/PreviewCardAuthor/
10.3.2025 14:34

Google’s format is not the industry standard and Apple’s version was never identical, so an update alone to Apple Developer would help.
But if Apple wants more developers to adopt one-time verification codes, otpauth needs a draft internet standard.
22.11.2024 06:12

A password manager can ideally suggest the right account(s) at the right time. This saves time but also avoids the user attaching verification codes to the wrong account. The most direct way to identify those accounts is to match a domain name.
1. Not every browser or platform shares the domain name or other heuristics during a handoff on the same device.
2. QR codes in particular need the domain name included in the URL (and encoded in the image) for handoff.
Always include a domain name!
22.11.2024 06:10

Apple suggests using a domain name for the “issuer parameter” and a proper name for the “issuer label prefix” — which somewhat conflicts with Google. (June 2021) https://developer.apple.com/documentation/authenticationservices/securing-logins-with-icloud-keychain-verification-codes
22.11.2024 05:49

Google recommends using both the “issuer label prefix” and “issuer parameter” — and that they should be equal. (November 2018) https://github.com/google/google-authenticator/wiki/Key-Uri-Format
22.11.2024 05:46

The first part of the handoff is the otpauth scheme: https://iana.org/assignments/uri-schemes/prov/otpauth
Google and Microsoft are mentioned, but the scheme is not limited to any one password manager. Apple supported it for years and now officially: https://developer.apple.com/videos/play/wwdc2024/10125/?time=751 (timecode 7:51)
The second part is the otpauth specification, which is perhaps an industry standard but not an Internet Standard.
Apple and Google are aligned but offer different recommendations on how to identify the issuer of a verification code.
22.11.2024 05:46

Apple and Google have similar recommendations for this handoff, but one difference can improve the user experience (or hold it back) by allowing a password manager to suggest the right account (or none at all) to add a verification code to.
QR codes are the most common way to set up a verification code today. Users are often prompted to scan one with an “authenticator app.” These QR codes are just an encoded URL like this example:
otpauth://totp/Example:username?secret=key&issuer=example.com
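An added example (not from the original posts, nor from Apple's or Google's documentation): a Python check that splits an otpauth URL like the one above into its issuer label prefix and issuer parameter, then reports whether the parameter is a domain name and whether the two are equal. The function name, the domain pattern and the two extra sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Loose hostname pattern (an assumption of this example, not part of any otpauth document).
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)

def inspect_otpauth(uri):
    """Split an otpauth URL and report how it identifies the issuer."""
    parts = urlsplit(uri)
    otp_type = parts.netloc.lower()
    if parts.scheme != "otpauth" or otp_type not in ("totp", "hotp"):
        raise ValueError("expected otpauth://totp/... or otpauth://hotp/...")
    # The label is the path; a percent-encoded colon (%3A) also separates the prefix.
    label = unquote(parts.path.lstrip("/"))
    prefix, sep, account = label.partition(":")
    if not sep:  # no colon: the whole label is the account name
        prefix, account = "", label
    prefix = prefix.strip()
    params = parse_qs(parts.query)
    issuer = params.get("issuer", [""])[0].strip()
    return {
        "type": otp_type,
        "account": account.strip(),
        "issuer_prefix": prefix or None,
        "issuer_param": issuer or None,
        "has_secret": bool(params.get("secret", [""])[0]),
        # Apple's advice as quoted in these posts: a domain in the issuer parameter.
        "issuer_is_domain": bool(DOMAIN_RE.match(issuer)),
        # Google's advice as quoted in these posts: prefix and parameter are equal.
        "issuers_equal": bool(prefix) and prefix == issuer,
    }

PAGE_EXAMPLE = "otpauth://totp/Example:username?secret=key&issuer=example.com"
# Constructed samples: equal issuers (Google's advice), and no issuer at all.
EQUAL_ISSUERS = "otpauth://totp/Example:username?secret=key&issuer=Example"
NO_ISSUER = "otpauth://totp/username?secret=key"

if __name__ == "__main__":
    for sample in (PAGE_EXAMPLE, EQUAL_ISSUERS, NO_ISSUER):
        print(sample, inspect_otpauth(sample), sep="\n  ")
```

A URL with neither a domain in the issuer parameter nor an issuer at all gives a password manager nothing to match an existing account against, which is the case the posts warn about.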
22.11.2024 05:39

The internet needs a standard for setting up one-time verification codes. Apple should draft one.
SMS codes are effortless, but less secure.
One-time verification codes offer a more secure alternative, but require a password manager — and an initial handoff that lacks an internet standard.
Try this demo of an ideal handoff and verification codes in general: https://otpauth.dev
22.11.2024 05:34

Great annual report from Defector — a cooperatively owned and operated media business: https://defector.com/defector-annual-report-year-four
Appreciate the overall transparency, but (as a payments nerd) particularly enjoy these insights into Stripe and subscriptions: “a new annual subscription projects to be worth ~20% more to us during its first year than a new monthly subscription.”
23.10.2024 20:41

@rmondello Also, perhaps otpauth needs a proper draft specification, to clarify the (minor) differences between Apple and Google that I’ve highlighted: https://otpauth.dev
This draft specification does not reflect Apple’s recommendations and its own implementation: https://www.ietf.org/id/draft-linuxgemini-otpauth-uri-01.html
23.10.2024 16:41

@rmondello Apple developer documentation on verification codes could use an update. For example, [https://developer.apple.com/documentation/authenticationservices/securing_logins_with_icloud_keychain_verification_codes] still references “apple-otpauth:” even though [https://developer.apple.com/videos/play/wwdc2024/10125/?time=751] references “otpauth:”
23.10.2024 16:41

@Edent references:
https://developer.apple.com/videos/play/wwdc2024/10125/?time=751 (Apple, WWDC 2024)
https://developer.apple.com/documentation/authenticationservices/securing-logins-with-icloud-keychain-verification-codes (Apple, 2021)
https://github.com/google/google-authenticator/wiki/Key-Uri-Format (Google, 2018)
@Edent While Apple dropped their prefix from the otpauth scheme, their approach is not “identical to Google’s.”
Apple:
issuer label prefix: “the proper name of your service”
issuer parameter: use a domain as “[Apple Passwords] uses this field to suggest credentials when setting up a new code generator”
Google:
“if both the issuer parameter and issuer label prefix are present, they should be equal”
(They conflict but my own tests show it is more pragmatic to follow Apple’s recommendations.)
16.10.2024 20:14

What does the Mastodon community need to learn from WordPress.org, WordPress.com, and Matt Mullenweg?
15.10.2024 13:31

defaults write com.apple.dock slow-motion-allowed -bool YES; killall Dock
https://daringfireball.net/linked/2024/09/28/hidden-pref-to-restore-slow-motion-dock-minimizing-on-macos
“Sign in with Google” prompts even appear if you are not signed in — and when you don’t even have a Google Account. (screenshot example: Medium in a new private browser window displays a rather larger prompt)
3.4.2024 14:39

direct link to disable Google Account sign-in prompts: https://myaccount.google.com/connections/settings
2.4.2024 18:13

Yet another annoyance that follows us around the web: “Sign in with Google”
You can disable these prompts, but Google buried the option:
Manage your Google Account ⇢ Security ⇢ Your connections to third-party apps & services (“See all connections”) ⇢ Settings (gear icon) ⇢ Google Account sign-in prompts: OFF
2.4.2024 18:09

@barbmaclean “a franchisee of that core vendor” owch! I’m going to need to borrow this in the months to come when describing the strategic risk inherent with this. (Who came up with this apt description?)
25.3.2024 03:34

@gruber For what it’s worth…
subscription emails via Stripe: “X (formerly Twitter)”
credit card statement: “Twitter paid features”