• Maggoty@lemmy.world · ↑13 ↓1 · 2 days ago

    2FA is just dead simple. I contact you, you contact me, handshake achieved. If you call me out of the blue I raise the alarm. If you get a login attempt with a failed handshake you raise the alarm.

    Putting it all behind a pop up screen just isn’t trustworthy to the human brain.

    • bearboiblake · ↑7 ↓1 · 1 day ago

      TOTP 2FA is less secure than passkeys. 2FA TOTP keys can be phished. Passkey authentication cannot be phished. This is a security improvement which can make people completely immune to phishing attacks. That’s huge. And it doesn’t have any privacy risks, no loss of anonymity. It’s an open standard.

      This is, objectively, a rare example of new technology which will make the world better and safer for us.

      • Tiger@sh.itjust.works · ↑3 · 1 day ago

        But I also worry about new areas of weakness with passkeys - anyone accessing the device with the passkey on it, or hacked that device, gets access automatically to the accounts. Also if logins are too fluid I worry that anything out of the ordinary during sign ins won’t be noticed.

        • bearboiblake · ↑3 · edited · 1 day ago

          yeah that’s totally true, but usually modern devices ensure that the passkeys are protected with a PIN or some biometric security, so I think it’s at least as strong as having a password manager on your device that can be unlocked with a PIN.

          not really sure what you mean about “out of the ordinary” logins - it sounds like you’re thinking about phishing risks? but remember - passkeys cannot be phished. they verify the identity of both sides of the authentication token exchange - the server verifies you, and you verify the server. If you only use passkey authentication, you are safe from being phished. the most secure system would be one entirely without passwords/oath totp

          • Tiger@sh.itjust.works · ↑1 · 20 hours ago

            I guess I mean if people are too used to critical services opening up without any friction, a pause to complete some sign in step, they’ll stop taking a moment to look for any warning signs, so they might miss the fact that they’re at a spoofed url, for example. Yes you’re right that the passkey wouldn’t be working at this fake site, but it could still take them out and harvest some data, interactions or credentials.

        • bearboiblake · ↑2 · 1 day ago

          everyone is sick and tired of tech promising to make the world better, only to make everything worse. i totally get the mistrust, the feeling that this is probably just another trick from big corporations to steal even more of your privacy. i know much better than most people what it’s like. i know you’ve got no real reason to believe me, i’m just a random silly gay furry boy, but, trust me, in this case, we should be adopting this tech. if you’ve got family members or friends who are more vulnerable to phishing scams - often scammers target the elderly - i’d really encourage you to encourage them to set up passkeys. as always, i strongly recommend bitwarden - it can manage passkeys and sync them between devices and it’s totally secure and open source.

          much love & solidarity!

          • Maggoty@lemmy.world · ↑1 · 23 hours ago

            First, I love your self description. But second, I’m not trying to say I’m not on board. I should have been more clear, I was simply trying to answer why more people are not on board.

    • lmmarsano@lemmynsfw.com · ↑2 ↓2 · edited · 1 day ago

      Passkey is multifactor: something the user has (key), something the user is (biometric) or knows (password) to unlock the key. Yes, dead simple.

    • HelixDab2@lemm.ee · ↑3 ↓4 · 1 day ago

      2FA is great, right up until you’re also the victim of a sim swap attack.

      • WhatAmLemmy@lemmy.world · ↑6 · edited · 1 day ago

        2FA is not SMS. SMS is the least secure, shittiest, and simplest form of 2FA, designed as the bare minimum for the average chucklefuck. Everywhere implemented it hastily because the average idiot still uses the same password for everything. It should be illegal as the only form of 2FA, but our governments are run by criminally corrupt dinosaurs.

        Fun story! Back in 2017 I tried to remove SMS 2FA entirely, and switch to a data only mobile service. I use 2FA everywhere it’s available, but was able to replace SMS with TOTP everywhere except banks, even on big tech platforms where you could only activate TOTP after adding a mobile number and enabling SMS 2FA (you could then remove the mobile number). I ultimately had to keep the voice service because banks required SMS 2FA, with no alternatives beyond their own custom 2FA apps, that can only be registered by SMS. Almost a decade later I have more SMS 2FA than ever before.

        The moral of the story is we live in a clown world capitalist dictatorship.