[Linux-aus] ART FOI review - myGov Code Generator app source code

Neil du Preez neil at technopunk.org
Sun Dec 7 16:07:22 AEDT 2025


> Unfortunately, at least as I understand it[1], passkeys are inextricably
> linked to the browser they were set up in and the key store applicable to
> the OS used.

I think you are right when not using a YubiKey to store the passkey. Only some websites that support passkeys give you the option to use a YubiKey; in my experience, those that don't usually display a message saying passkeys are not supported on this device when using Linux. For backups I have multiple YubiKeys, since my.gov.au allows you to register 3 passkeys IIRC. I have used the passkey created on my YubiKey (on Linux) on different OSes with different browsers.

For purists: according to Google, YubiKey firmware is closed source. I haven't really looked into or tried something like Nitrokey as an alternative.

> I do wonder how long the code generator will remain in use for, since myGov
> is trying hard to shift people onto passkeys or myID (the latter of which
> suffers from exactly the same problems that beset the code generator).

IMO myID would be a better target for a project like this, especially considering how difficult it is to use ATO small business online services without it.

> My concern is losing the old, if I engage with the new. Knowing how the
> dongle pathway unfolds would be valuable.

Once you register a passkey, the website encourages you to disable password authentication altogether to prevent brute-force attacks. I have seen the same for a mobile service provider's website.

