Anders Åberg

🔒 Sign in with FaceID / TouchID using asp.net and #dotnet. After 2 years of open source work, it's finally easy to add to existing asp.net web apps ❤ Full post: ideasof.andersaberg.com/development/pa… 🧵A thread on how it works:

@johannesmauerer @Bitwarden I think your DMs are set to private/following.

@andersaberg @Bitwarden Absolutely, would love to hear what you're building. DM me and we can find a time.

I built a secret broker for an AI agent today. @Bitwarden's BWS CLI fetches credentials from a remote vault, but only after I tap approve on a phone notification. Sounds great, right? Except the secret still lands in the agent's process memory to be useful. And the agent has full system access.

@diegogurpegui @moxie @Bitwarden The team is still working to resolve the blockers for this!

@andersaberg @moxie Any progress or moving up in the plan regarding this? The feature request in the @Bitwarden community is gaining a bit of momentum: community.bitwarden.com/t/support-for-…

I've been building Confer: private AI chat where your conversations are end-to-end encrypted so that only you can access them. It's still new, but I've been using it every day and beta testing it with friends. Let me know what's missing! confer.to/blog/2025/12/c…

@moxie I hear you! It’s planned but we have some blockers we need to roll out before we ship prf

@andersaberg Lots of people have been wanting to use Confer with Bitwarden, and right now the only advice I can give them is to use a different authenticator. Would be great if Bitwarden released passkey prf support!

@ColeMickens @Bitwarden Oh i saw your other message just now; Android. Got it.

@ColeMickens @Bitwarden Creating a passkey should be instantaneous, will run some tests with corrupted network and see if we can repro the faulty conditions. Was browser and browser extension version did you use?

@ColeMickens @Bitwarden What client did you use (browser extension?) and what browser?

@ColeMickens @Bitwarden Hi Cole, I work at Bitwarden and do a lot of work on passkeys. What you're describing sounds like a very unexpected behaviour. Bitwarden should not "loose" your passkeys, even if your client is offline. We store your ciphers locally and sync them once your client reconnects.

@moxie @Bogorad @Bitwarden @signalapp Yes that’s right. Yeah, the number of sites that use PRF has been very limited so we’ve prioritized other passkey feature over extensions historically.

Ah thanks, I saw bitwarden.com/blog/prf-webau… and didn't read it closely enough; you're using PRF to generate your own key material from the platform authenticator, but don't yet support PRF for apps using Bitwarden as the authenticator? Would be great if you added support so Confer could work for Bitwarden users =)

@moxie @Bogorad @Bitwarden @signalapp Oh wait this was for Confer, not signal. Well, point still stands. Are passkeys on the map for @signalapp?

@moxie @Bogorad @Bitwarden Hey @moxie. I work on passkeys at Bitwarden. We currently don’t support passkeys with extensions like PRF in the vault (we do support PRF for login+unlock) Happy to see a good reason to implement vault support with @signalapp.

@somoscode Hey Rafael, the challenge needs to be generated randomly to remain secure. The challenge is generated as part of the assertion/attestation-options.

@andersaberg Hi Anders, I'm checking out your FIDO2 .net library and was trying to figure out where the challenge issued by the rp is being created. I was hoping to test with custom challenge. Thanks.

@adamshurwitz @Bitwarden @safe @candidelabs Android support for passkeys is coming soon. I’d recommend reaching out to nkhan@bitwarden.com for devrel

@andersaberg @Bitwarden @safe @candidelabs On my Android device @Bitwarden (BW) doesn't show as a passkey option. My estimate is the BW app may need to register a specific Android intent for their passkey to show.

Come join us and build something using Passwordless.dev to learn passkeys and make users more secure? Our hacktoberfest is open with over $1500 in prizes! #passkeys #hacktoberfest #bitwarden

@flxmgdnz @zenorocha @hanko_io Second passkeys, but I would vouch for Passwordless.dev 🫶

@zenorocha Passkey auth helps you get rid of passwords in your database. The fastest way would be to use @hanko_io’s passkey provider for Next-Auth.

We’re currently reevaluating all of our security tech stack. Question - What are your favorite security tools/vendors?

@akella Fun! Yeah this would be for fun, so we can adjust time as needed. What’s your email? I’ll send some more thoughts and details.

@andersaberg sure! im up for something fun! depends on deadlines/amount of course too =)

@akella Hey Yuri, hope all is well. I’m working on some creative data visualizations for fun, was wondering if you’d want to collaborate on the visualization part! Let me know, I always enjoy seeing your work.

@AgnesWold Tack för svar, även om tolkningen av studien är lite klurig för en lekman. Känner du till några studier av fysikaliska/syntetiska solskydd? Specifikt Titaniumdioxid verkar ju diskuterat som cancerogent vid inandning, dock inte hittat studier. Kanske en fråga för er podd?

@andersaberg pubmed.ncbi.nlm.nih.gov/29620003/

@AgnesWold Hej Agnes! Vi hade en diskussion i helgen och behöver lite vetenskaplig input. Hur är det egentligen med faran med sol vs. solkräm? Efter lite läsande på internet framstår ju solkräm som superfarligt, oavsett kemiska/fysikaliska. Vad säger vetenskapen?