It can totally be fine for your needs, and secure while it does so, and not be two factors.
It’s a question of what’s required for access. In this case, they would need your password and to have had some manner of device access at some point to steal the value used by 1password to verify you at one point had the secret key. Someone with a keylogger from a random untargeted malware infection could plausibly get sufficient information. It’s really good single-factor.
To be two factor there would need to be a requirement for two factors to be demonstrated at auth time. For example, if 1password encrypted the passkeys in such a way that the passkey could not ever leave the device, like via certain types of hardware backed key storage, then unlocking the vault is proof of something you know, and the usage of the signature is proof you have the chip.
The trickery comes about in the techniques available to move the passkey between encrypted hardware devices without it ever being exposed or losing the “device you control” assurances.

For the record, I use 1password. Just not for passkeys on desktop. I prefer the Bluetooth connection to my phone, since phones currently do a much better job providing uniform targets for what’s needed to provide the proper two factor for something like passkeys.
There are secure ways to transfer the key that preserve the properties that make it useful as two factors in one.
Basically, the device will only release the key in an encrypted fashion readable by another device able to make the same guarantees, after the user has used that device to authenticate to the first device using the key being transferred.
A backup works the same way.
You can do that without an extension. There’s a bunch of different protocols that let you, for example, use your phone as the authenticator.
You can log in with your phone on a computer you’ve never used before by scanning a QR code and credentials never leave your device.
My passkeys are tied to my phone, which I use via the browser and OS. I keep them in my password manager running on the phone. My password manager supports the open spec for securely migrating credentials between vendors.
It may be difficult to believe but they want you to use them because they’re legitimately significantly better.
Users are silly. They blame Microsoft for bad passwords. They blame Google for forgotten passwords. They blame Facebook when they click on a phishing link. They blame Apple when Apple “lets” someone who they gave their password to see their pictures. They blame Apple when they don’t let the user in just because they forgot their password and every recovery mechanism.
Everyone involved has a significant issue with passwords because they cost them user satisfaction, credibility, or money directly. The reason cross vendor transfer has been slow is because everyone wants to be the leader, since if everyone follows your lead you get to make it work better with your stuff.
That one’s because users like choice. They need to look up who you are to know how you’ve chosen to authenticate. At least, that’s how it started. Some could be doing it because the big kids are, but that’s why the big kids do.
And they support choice because businesses want to use their login infrastructure and refuse to share. So you enter “user@businessOrUniversity.com.edu” and it forwards you to your institutional login.
ricecake@sh.itjust.works to Programmer Humor@programming.dev • I love password based login
51 · 1 month ago
They inevitably didn’t write it for that reason. They wrote it to say the field is invalid until the user changes it to be valid after someone landed on the page holding the enter key down and instantly locked themselves out after submitting the form 50 times in 3 seconds.
Unless you know otherwise, it’s easy to think that “form interaction” is the same as “form changed”, and one of those is much easier to check.

I’m unsure what you mean about passkeys. I don’t think I’ve heard anyone mention significant concessions to OS makers and I’m pretty tuned in on the topic.
ricecake@sh.itjust.works to Programmer Humor@programming.dev • I love password based login
51 · 1 month ago
Depends on the system. The thing where your password manager is managing your passkeys? That’s a single factor unless it’s doing something tricky that none of them do.
When it’s the TPM or a Bluetooth connection to your phone? That’s actually two factors, and great.
ricecake@sh.itjust.works to Lemmy Shitpost@lemmy.world • I was on social media before web browsers existed. I am Legion.
9 · 2 months ago
That’s not bullying, that’s enforcing social mores.
ricecake@sh.itjust.works to Lemmy Shitpost@lemmy.world • The list is realistically so much longer.
11 · 2 months ago
There’s no precedent at all. Precedent implies that it happened, which it didn’t.
Something being thought of and dismissed is just not evidence for that thing being done.

It’s not like it was even that original of an idea. There had been two plane hijackings by Cubans in the past year. Proposing “what if a third went wrong” is hardly a masterclass in outside-the-box thinking.
We’ve done other false flag operations. Other terrible things to domestic civilians.
Using that time we didn’t actually do anything as an example is just odd.

Personally, I think people like it just because it has a cooler name. “Mongoose” just doesn’t have the same ring.
ricecake@sh.itjust.works to Lemmy Shitpost@lemmy.world • The list is realistically so much longer.
121 · 2 months ago
And? What happened next? Did they do an Operation Northwoods? Did we go to war with Cuba? Was Johnson more aggressive on Cuba than Kennedy, or was he actually more engaged on diplomatic fronts?
I’m not forgetting anything. It just doesn’t fit with any narrative that makes a lick of goddamned sense. Like, Kennedy rejected Northwoods because he was worried the troops might be needed in Europe, so starting a war in Cuba would be a bad move.
He was strongly in favor of every other operation they proposed as part of the larger plan.

Why would a massive conspiracy exist to kill Kennedy for rejecting a plan and then… Not do the plan?
ricecake@sh.itjust.works to Lemmy Shitpost@lemmy.world • The list is realistically so much longer.
321 · 2 months ago
I agree, and feel similarly about the inclusion of Operation Northwoods.
It’s most prominently a horrifying plan that was rejected and remained classified, with the proposer being replaced shortly afterwards (it’s entirely possible that’s a coincidence).

Someone thinking of something horrible and then not doing it isn’t evidence that they would do something similar. There’s no particular reason to think they hid evidence because they admitted in the same deeply classified documents to doing far worse things.
ricecake@sh.itjust.works to Lemmy Shitpost@lemmy.world • Modern problems require modern solutions
4 · 2 months ago
I mean, I get that. As I said, it’s the surprise that confuses me. I understand “ugh, why are we putting profit in _____”. It’s that someone would go “whoah, hold on, people are running daycares for money?”

Not all cops in all places are all bad all the time. They’re always part of a deeply broken system and all the other parts of the usual rant about cops, but that doesn’t mean they never do a good thing.
Most cynically: it’s basically a free bump to their performance numbers.
Most leftishly: a business called, which is closer to who they work for.
Most probably: thief was still there and someone was close enough that they’d be doing more than taking a meaningless report to file.