God I hate those stupid magic links. They’re WAAAAYYY slower than just using my password manager.
AND they kinda contribute to locking you into Big Tech. I sometimes have problems with those stupid links because I don’t have a Gmail account. Somewhere along the stupid chain there’s probably some stupid check that delays or blackholes emails to non-big-tech domains.
Based.
Email is terrible. It’s an unreliable communication system. You cannot depend on sent emails arriving in the recipient’s mailbox—even the spam folder.
People indirectly assume that all emails at least get to their spam folder. They don’t. There are multiple levels of filters that prevent most emails from ever making it that far because most email traffic is bots blasting phishing links, scams, and spam. Nobody wants phishing and scam emails, but the blocks that prevent those are being used by big tech to justify discriminating against small mail servers.
I can’t remember the site, now, but I literally couldn’t log into one this week because the email never arrived.
I can’t remember the site, now, but I literally couldn’t log into one this week because the email never arrived.
Well, email allows you to solve that issue by self-hosting. But what you can’t solve is that if you do self-host, gmail will drop your emails to spam or just discard them completely, just because it feels like it, even if you do the whole dance with DMARC and have used the domain for a good few years. It’s frustrating as shit.
I had an email never arrive because I used Firefox for Linux. It worked on my phone in a different browser. God knows what went on there. I suppose their website never really registered I even made a request from my desktop even though it told me the email was on the way. Really strange.
Or worse:
Use email link -> use password instead
Enter password
Now enter the code that we sent you your email…
2 factor authentication, only when you feel like it.
It feels like the factors of authentication discussion misses one important aspect: can the factor be replayed. Passwords can be replayed indefinitely, while the email links you get or the OTP token only work for a short period of time.
I remember it from the bad days when I used LastPass. Suddenly I got a notification that the place had been compromised and I had to suddenly change hundreds of passwords. 90% of them were for sites that didn’t even exist any longer, but sifting through the long, long list to go change passwords was more work than I wanted to do.
Don’t have to do that if I need to use a one-time token via Aegis or email! I do agree, though, that for low risk sites, username/password is totally fine.
It’s a neat option, but should not be forced.
Passwords are quite insecure and people write them down on shit and forget them, I vastly prefer it too, but they’re going to die out, probably rather soon, so be prepared.
Password manager users living life on easy mode.
The amount of security threat encouragement in these comments is impressive.
Hearing this in Spongebob’s voice is amazing!
Or the obscure ways for 2FA/MFA. Passkeys are mostly cloud based. Yeah fuck no! The weakest Passkey is weaker than my usual random generated password, if the site don’t do any shady business and require a weak password. Hardware keys are luckily not pushed for usage. I don’t like them either. You require at least 2, for backup reasons. They also cost quite some money and they have zero auth. Just connect to usb and tap it. Also retrieving the backup and get a replacement for a defective one, takes some time.
Good old TOTP as 2FA is perfect, paired with a strong, random password. With my TOTP, I have an encrypted backup in my cloud, on my NAS, older backups in secure places and backup codes in several places. The TOTP App I use is open source and I have a mirror of the source code.
This should be enough security, if sites don’t screw up all the time. You can bypass 2FA all the time. Even the credit card company screwed up big time. Usually you get 2 separate letters, one with your pin and one with your card. Both came on the same day. Also I actually didn’t needed the pin in the first place. I was able to add the card to the app and see the pin there, without actually verifying anything, except the credit card number.
Maybe when passkeys are supported in my password manager, I will try it but so far it isn’t and switching is not an option, as it doesn’t support the features I need. There is an open issue for an alternative password manager, with that feature request and it has some people wanting it, but its still not added. But passkeys doesn’t fix the issue for me using stronger keys, it fixes the site owners to allow stronger keys but they are still not required to use it. Some devs are just weird. I’ve read one PR for an FOSS project I use, where someone wanted to implement a universal oath or such stuff, that would support all types of external authentifications. Nope, the dev refused the PR and they wanted to stay at the 2 proprietary implementations, for 2 services, even though this universal implementation would work with these 2 too. I can’t tell exactly what it was. I was experimenting with an auth service for my self hosted stuff, to not deal with several accounts and rights systems. This service was the first one which I wanted to switch and they didn’t wanted to support it, leaving me with the standard login.
What password manager doesn’t support passkeys these days?
Vanilla KeePass. The Dev isn’t interested to providing a communication outside of its program, but he clarified, that plugins have all the right access, to do that but as it seemed to the dev, there is no dev interested to making such a plugin. KeePassXC does support it but they are still missing entry templates. This is the only missing feature that is holding me back to switch.
What the hell are passkeys? I think outside deep tech forums, nobody knows what they are.
You can force auth on hardware passkeys for every activation. A sort of local password. Much more secure, also if somebody is in possession of your passkey and you didn’t just loose it somewhere you would be fucked anyways.
I have three, one for home, one for backup, and one for travel. I can See why ppl. Are annoyed by that, but speaking of costs, you can get these starting from ~20 Dollars. Additionally, passkeys could and should replace passwords and not EB generally used as 2FA.
Also many password managers (incl. FOSS) do support Passkeys, but having them in your password manager makes them arguably useless. Same if you use 2FA on your phone and a password manager and your phone gets compromised somehow.
I quote myself from a different comment:
I just needed to think of the scene from the Simpsons, where Mr. Burns and Smithers go all through the security checks and in the end, there is a flimsy open backdoor, where a stray dog entered the room. All security in the front doesn’t matter, if the backdoor is not secure at all and until the backdoor is that unsecure, I’m not willing to add money and time, to make the front door more secure.
The phone argument lacks a bit. Accessing the TOTP App and the password manager do require a separate authentification, to get encrypted. Sure if they snatch my phone away, when its fully unlocked, including my password manager, they have access for a limited time. They need to be fast enough, until I can remotly lock it or until it automatically locks itself. Android phones can now detect when they are stolen. Either by the movement or when it goes offline. The latter I tested and it’s not instant, but you still don’t have long.
I don’t think about potential backdoors. If there is no known backdoor, then I deem it save. Sure they also could me to unlock the phone. This would be xkcd 538. And this applies to any security.
Adding more security and inconvenience doesn’t make sense to me, so long the backend is shit. So far a few big companies did screw up hard in their backend and dozens of smaller sites do some bad stuff, that it doesn’t really matter how strong your login is. Here I reference back to my quote.
In a closed system, like a company, this added security makes sense, as they usually control the backend as well. If my CEO would send me a text request to reset his logins, I would call him or walk to his office, and ask him directly. Sure with AI, they could impersonate his voice but I don’t think they can impersonate his way to speak.
Well Passkeys are a good step to enhance security and remove potential backdoors from companies for one. As you have your private key that cannot be easily imitated and is checked by the company that you use.
And generally speaking, your phone can be attacked via software without even having physical access. So if your phone is infected they gain access (at some point during usage) to both your password manager and your 2FA. It is just never a good idea to have multiple thongs in one place.
On a side note, with physical access to one of your devices for a longer time, most things can be accessed by a malicious actor.
Of course everything can be hacked. When I think something is compromised, then I need to change everything. So far I didn’t heard of any remote zero click compromise. With the fancy hacking tools of some companies, its not publicly known how they gained access. I suspect either physical access or some malware. But we are speaking on a high level of hacking, that most people don’t need to be scared off. At that level, there are other things to worry about.
When we just look at the dangers an average person might encounter, this level of security is fine. I do had accounts compromised and I can exactly tell what my mistake was. One was sharing my password with someone else and not knowing how secure his devices where and not having 2FA. The second one was that I used the same password everywhere. At this point I was switching to generated passwords and still didn’t had every account changed (the unimportant ones).
Of course Passkeys are by nature a more secure implementation, as you are unable to save plaintext passwords but there is one thing that this can’t solve and that’s being that they remove and reset your auth, without verifying your identity. Hackers still can steal session tokens and sites don’t need to require additional authentification, when altering your authentification.
Every hardware based key I ever used also required PIN, but as far as expense and backups, yes, for personal use the cost generally may not be justified. I got all my personal ones as a bundle that was on sale. For work I would argue that some businesses can easily justify the cost to create a rotating stock of hardware keys to deal with lost keys. Generally in that environment you have centralized PKI, where you can revoke the certificate on the lost key and then issue a new certificate on a new hardware key. This doesn’t help for all sign in methods tied to hardware keys, but can be very practical when implemented right.
I also agree on TOTP as the ultimate generic 2FA method, with several worsening options until the despised email or sms 2FA. I will also add that you can setup TOTP on modern hardware keys, where you must insert and complete PIN entry. The inconvenience is that you must have all your keys and password manager available at setup time for places that don’t support multiple TOTP codes.
More people should use passkeys
Passkeys get undeserved hate
nah, too cumbersome and mistic
But you know what’s the safest way for us to keep your password safe? Not asking for one to begin with. By not creating a password with us you have no risk of it leaking, and we don’t have to deal with the responsibility of keeping it secure. The sign in link is going to your email, which presumably is protected with two-factor authentication, if you have it set up (which you should!).
https://www.404media.co/we-dont-want-your-password-3/
They had a follow up later too (paywall)
And then…
The password manager can’t fill the form. You’ve got to change your 10-word passphrase because it’s 3 months old. And you have to verify with a text.
Oh and then you have to type it in on your TV with a remote and on-screen keyboard.
Also you better hope you used the password manager for this obscure app you don’t remember signing up with.
It used a different URL for sign in so isn’t picked up by the password manager.
The password is too strong doesn’t accept Ukraine letters.
Dose your granny have the a password manager. She should but would she understand how it works.
That’s the one good thing about just-eat leaving Denmark, no more having to deal with that BS.
Magic link is lazy 2fa.
Implement TOTP support, you lazy fucks.
What’s the 2nd factor? Email and what else?
Email is considered insecure as a 2nd factor. TOTP stands for Time-based One-Time Password. Usually you store a seed and that combined with the time generates a time based password. If someone intercepts it, it’s only valid for a certain time frame (I think about a minute or so), after which it’s invalid.
Just to add, SMS is also incredibly insecure as a 2FA
Yes but email is only a second factor when used in addition to a first factor (e.g. password). If it’s just magic link without password, then email is the only factor
Magic link only is the wirst kind of login systems. However, I don’t know any big real companies that use this.
If you don’t like passwords, just use passkeys.Slack (except when with SSO). You have to go out of your way to find the settings page outside of the client to set a password.
Booking.com (at least in Germany) only useagic links for some time now. I hate it.
Wasn’t passkeys basically “passwords, but Google has control of them”?
Not even close.
Passkey is a generic technology not specific to any vendor. While there are a few versions of it, the long story short is it uses an encryption key you have to authenticate you rather than a password. This makes phishing extremely difficult if not impossible.
There’s lots of passkey implementations. All the major browsers have one built in with their included password managers. Most good password managers like BitWarden or 1Password also support pass keys. And if you want to be extra secure, the passkey can be an actual hardware token like a YubiKey.
So yeah you see Google pushing passkeys a lot, and if you use Google password manager it will store your pass keys. But you also see Apple pushing it, and Microsoft also.
dont think so. what i gatherd passkeys is a public/private key scheme, much like pubkey auth in ssh logins.
Its still just a single factor if some body steals your private key.
Yes, buts it’s not something that can be easily guessed or found on a post it on the monitor
True dat. But if they compromise your computer the first thing the look for is key files.
Like my ssh keys are in a root permission file. Protected from general sight, but if somebody compromises my PC with a CVE on then goodbye keys.
At least with hardware key it is removable and requires a button press.
So accessing becomes physical access or quantum computer cracking
Its never transmitted, can be stored in HSMs. Anything that’s handled wrong is unsafe
Steals it from your system I meant. Which has even happened to security pros.
On the other end, there is an excessive use of 2FA with systems for whom the concept of SSO seems to be a foreign thing. It’s also sort of funny that 2FA can just mean using a TOTP capable password manager, reverting it back to one factor.
This. This so much. Password+Totp based login is just two passwords where one is more annoying to use.
Not if your TOTP codes are generated by another device, then the attacker needs your password, plus the device holding the key for TOTP. If you use it on your phone and authenticator is your phone then a theif has everything when they steal your phone.
Hardware key for TOTP is a better 2FA method as its totally separate from your PC or phone
As long as the default recommendation is to use authenticator apps on your main device I’ll see this as a “could be good if implemented correctly, which it isn’t, so it isn’t good”
If you can get at a password by hacking a website, I wouldn’t be holding out hope that they couldn’t then steal the TOTP secret.
It’s not actually reduced to one factor, just a single point of failure. If their password manager gets taken it’s a problem, however the generated TOTP is worthless in 1 min. So this will protect the login from cases where the password is known like a compromised website or a reused password.
If the site is compromised, then the hackers could have stolen the TOTP secrets as well as the passwords. How do you think the site verifies TOTP codes? If you reuse passwords while using a password manager, you are asking for it, though.
A full hack of every part of the service is not the only way a user’s password could get known to an attacker. Could be MiTM, could be typo-squatted, etc
If a site is that compromised no measure of auth is gonna help, so little use worrying about it.
But if a password manager is compromised then doesn’t the attacker also get the TOTP key which is what generates the codes in the first place?
It wouldn’t matter if it expires in one minute because they’ll have the token to generate the next code, as well as now knowing the password.
That makes it a single point of failure yes, and the rest of the comment you’re replying to goes into detail on what it does protect from even if both passwd and TOTP are in the password manager
Sorry i misunderstood what you were saying. I thought you were saying that if the password manager was compromised then the attackers would have only 1 minute to make use of the tokens before they change.
