Very few things on the internet and computer actually need accounts. Everything requiring a login is a cancer.
Yes and no in most cases it is used to limit misuse somewhat but i absolutely agree that its taking over hand. God bless trashmails.
Password manager users living life on easy mode.
More people should use passkeys
Passkeys get undeserved hate
nah, too cumbersome and mistic
But you know what’s the safest way for us to keep your password safe? Not asking for one to begin with. By not creating a password with us you have no risk of it leaking, and we don’t have to deal with the responsibility of keeping it secure. The sign in link is going to your email, which presumably is protected with two-factor authentication, if you have it set up (which you should!).
https://www.404media.co/we-dont-want-your-password-3/
They had a follow up later too (paywall)
And then…
The password manager can’t fill the form. You’ve got to change your 10-word passphrase because it’s 3 months old. And you have to verify with a text.
Oh and then you have to type it in on your TV with a remote and on-screen keyboard.
Magic link is lazy 2fa.
Implement TOTP support, you lazy fucks.
What’s the 2nd factor? Email and what else?
Email is considered insecure as a 2nd factor. TOTP stands for Time-based One-Time Password. Usually you store a seed and that combined with the time generates a time based password. If someone intercepts it, it’s only valid for a certain time frame (I think about a minute or so), after which it’s invalid.
Magic link only is the wirst kind of login systems. However, I don’t know any big real companies that use this.
If you don’t like passwords, just use passkeys.Slack (except when with SSO). You have to go out of your way to find the settings page outside of the client to set a password.
Wasn’t passkeys basically “passwords, but Google has control of them”?
Not even close.
Passkey is a generic technology not specific to any vendor. While there are a few versions of it, the long story short is it uses an encryption key you have to authenticate you rather than a password. This makes phishing extremely difficult if not impossible.
There’s lots of passkey implementations. All the major browsers have one built in with their included password managers. Most good password managers like BitWarden or 1Password also support pass keys. And if you want to be extra secure, the passkey can be an actual hardware token like a YubiKey.
So yeah you see Google pushing passkeys a lot, and if you use Google password manager it will store your pass keys. But you also see Apple pushing it, and Microsoft also.
dont think so. what i gatherd passkeys is a public/private key scheme, much like pubkey auth in ssh logins.
Its still just a single factor if some body steals your private key.
Its never transmitted, can be stored in HSMs. Anything that’s handled wrong is unsafe
Steals it from your system I meant. Which has even happened to security pros.
Yes, buts it’s not something that can be easily guessed or found on a post it on the monitor
True dat. But if they compromise your computer the first thing the look for is key files.
Like my ssh keys are in a root permission file. Protected from general sight, but if somebody compromises my PC with a CVE on then goodbye keys.
At least with hardware key it is removable and requires a button press.
So accessing becomes physical access or quantum computer cracking
Booking.com (at least in Germany) only useagic links for some time now. I hate it.
On the other end, there is an excessive use of 2FA with systems for whom the concept of SSO seems to be a foreign thing. It’s also sort of funny that 2FA can just mean using a TOTP capable password manager, reverting it back to one factor.
It’s not actually reduced to one factor, just a single point of failure. If their password manager gets taken it’s a problem, however the generated TOTP is worthless in 1 min. So this will protect the login from cases where the password is known like a compromised website or a reused password.
If the site is compromised, then the hackers could have stolen the TOTP secrets as well as the passwords. How do you think the site verifies TOTP codes? If you reuse passwords while using a password manager, you are asking for it, though.
A full hack of every part of the service is not the only way a user’s password could get known to an attacker. Could be MiTM, could be typo-squatted, etc
If a site is that compromised no measure of auth is gonna help, so little use worrying about it.
But if a password manager is compromised then doesn’t the attacker also get the TOTP key which is what generates the codes in the first place?
It wouldn’t matter if it expires in one minute because they’ll have the token to generate the next code, as well as now knowing the password.
That makes it a single point of failure yes, and the rest of the comment you’re replying to goes into detail on what it does protect from even if both passwd and TOTP are in the password manager
Sorry i misunderstood what you were saying. I thought you were saying that if the password manager was compromised then the attackers would have only 1 minute to make use of the tokens before they change.
This. This so much. Password+Totp based login is just two passwords where one is more annoying to use.
Not if your TOTP codes are generated by another device, then the attacker needs your password, plus the device holding the key for TOTP. If you use it on your phone and authenticator is your phone then a theif has everything when they steal your phone.
Hardware key for TOTP is a better 2FA method as its totally separate from your PC or phone
If you can get at a password by hacking a website, I wouldn’t be holding out hope that they couldn’t then steal the TOTP secret.
As long as the default recommendation is to use authenticator apps on your main device I’ll see this as a “could be good if implemented correctly, which it isn’t, so it isn’t good”
This post has the same number of likes it would on reddit
Exactly
I love FIDO logins and next to fucking no one implements them :(
And when they do they only offer them as the second factor.
Yes, let me first input my password (from a password manager), the let me approve with a passkey that is meant to make my password not necessary.
But email based login: FUCK THAT SHIT.
What are they?
Public key cryptography tied to physical hardware, so if you lose your phone / usb key, you need to use your backup recovery code; a fairly short one time password that negates the security benefits of Fido in one easy step.
It can also use biometrics, but that requires every device you log in on to have biometric readers.
Or you could use multiple fido key’s as backups
A lot of motherfuckers typing in code with a keyboard need a beating with said keyboard.
If a programmer can’t get a login form right they need permabanned from ever shipping another release.
Registration and login should be password less anyway. There’s alredy tech for doing it with cellphone or external hardware key.
Storing your password hash is just stupid and insecure
But you can lose that hardware or it breaks very easily.
Until you lose your cellphone or hardware key, that is.
Also, I will not pay any money for a thing just to authenticate myself with.
Until you lose your cellphone or hardware key, that is.
Same thing if you lose your password database or your master password.
Also, I will not pay any money for a thing just to authenticate myself with.
You’ve alredy paid for your cellphone and it is alredy equipped with necessary circutry
Passkeys ❤️
Website wants you to make a passkey, go to login but the entry form only accepts the user name, then you have to click next to password which may or may not accept the passkey.
If they arent on a USB stick, protected against being copied, they are only a single factor that instill false safety.
Depends on the system. The thing where your password manager is managing your passkeys? That’s a single factor unless it’s doing something tricky that none of them do.
When it’s the tpm or a Bluetooth connection to your phone? That’s actually two factors, and great.Can it be copied from your phone? (e.g. by migrating your phone via a backup)
Then it can be compromitted and is essentially a single factor (because some website permit you to login via the key only).
Only if you’d need to completetly renew the key, then it’s truly secure.There are secure ways to transfer the key that preserve the properties that make it useful as two factors in one.
Basically, the device will only release the key in an encrypted fashion readable by another device able to make the same guarantees, after the user has used that device to authenticate to the first device using the key being transferred.
A backup works the same way.
Yubikey. Done.
The pin system implementation is terrible at least for Windows, because it forces you to make a pin but not all websites do that so it’s easy to make a pin for one website but not realize that if you forget the pin and misenter it 10 times it locks the key permanently and you have to reset it, but that deletes everything and so you can end up in a situation where the yubikey is on your site account login but you dont have it now and you can get locked out.
