23Sha-ger Well what if someone hacks your account and starts posting as you. That’s not ideal is it. Anyway what’s the harm in having more security? Why would you ever argue for worse security. Especially since passkeys are not only more secure but also more convenient, so you’re also arguing for less convenience.
The post doesn't load for me so I'll have to give you the benefit on the doubt on the contents of the tweet
TOTP has horrible UX and I'm barely willing to keep using it for sites without FIDO2.
Same here
Too weak and can be phished anyway.
Correct, so can be passwords tho no matter the length.
TOTP doesn't add any significant value on top of using a password manager with random passwords.
Pretty sure that's not true. TOTP is changed every 30 seconds which makes it different from a mostly permanent password. Any 2FA would add security to an account. Well things like SMS 2FA maybe not much, but that too makes more difficult to crack an account.
FIDO2 adds lots of value and can entirely replace passwords.
True
TOTP really needs to die especially now that there are passkeys (multi-device FIDO credentials).
Agreed
Most people shouldn't ever have to learn that the horrible TOTP approach even exists. It's not good that it exists since sites are spending their time adding that instead of FIDO...
Maybe thats true but i'd say if the choice is between TOTP or no 2FA on a mainstream site, i'll take TOTP any day. If it were true that TOTP has no value beyond random passwords from a password manager Micay would not use it. But in his word he does. So there must be some value to it after all.
I'll change my original opinion regarding this forum as; there may not be a reason to add TOTP here, this project is known for the cutting edge, and best security after all, but still the argument that not everyone can afford a Yubikey or another FIDO2 certified key only recently became abundant and only because the passkey support rolling out. Still, not everyone today knows about passkeys even exist, not to mention knowing how to use them. Having your keys on a USB stick which you can bring with yourself everywhere, which is universal, and storing it on your device is still different. I'd say mainstream platforms still supporting TOTP 2FA today at least until passkeys become more popular than TOTP does no significant harm but certainly does not do as much harm as not having that option available to newbies.
But that's just my two cents in this matter.
Hmm is totp really that useless?
Even if its protected by the android keystore and you cant obtain the seeds easily without decrypting them? I thought it protects users from leaked passwords fairly well.
[deleted] lets say you go on a fake Facebook.com and type in your password and totp code. They are in now, and totp did nothing to protect you. Now let’s say you’re on a fake facebook.com and you use passkeys, well it won’t work. That’s actually protecting you from phishing.
Granted they would have to use that code within a short timespan, but this stuff is surely all automated by now.
DeletedUser26
I had the understanding that if you're using a password manager, then a fake site wouldn't matter. If the domain of the login credentials doesn't match the site you're on, you won't be able to input them.
Dumdum If the keys do not match the domain it wont work yes. But I think the argument of TOTP vs no 2FA does not fall on the phishing side as we know it can be phished the same. It falls on the "attacker already knows your password by whatever means" side. Users have terrible shitty passwords all the time, while they can still use TOTP.
Dumdum If the autofill in your password manager doesn’t work, most people’s instinct is to just manually copy/paste the password and totp code in. The autofill in your password manager is a convenience feature not a security feature.
DeletedUser26 If the autofill in your password manager doesn’t work, most people’s instinct is to just manually copy/paste the password and totp code in.
Then that's the fault of most people, and they should make at least some attempt to stop being so passive/carefree in their security.
The autofill in your password manager is a convenience feature not a security feature.
Except it can be a security feature for those who know to use it as one. Just because better security features exist does not mean it isn't/can't be one.
Dumdum see you’re making one of the worst mistakes in cybersecurity: relying on humans not to mess up. Why not take out the human error possibility entirely? That’s what passkeys do. You get all the convenience and much less possibility of human error.
Also idk about you, but my password manager fails to autofill sometimes even when I’m on the correct website.
ticklemyIP It falls on the "attacker already knows your password by whatever means" side. Users have terrible shitty passwords all the time, while they can still use TOTP.
I agree, which is why I find it to be simply staggering to say that TOTP provides no security benefits even in events such as leaked/hacked login information. In such events, even a randomised 100+ character password loses its strength of security and an extra barrier would obviously prove beneficial.
Dumdum Leaked password is pretty much the only time TOTP does anything useful true. I don’t think it’s useless but the inconvenience vs security benefit is way off balance. It does more to lock you out of your own account than to keep others out. God help you if your janky separate TOTP manager that everyone uses breaks or something, all your accounts are toast.
DeletedUser26 see you’re making one of the worst mistakes in cybersecurity: relying on humans not to mess up. Why not take out the human error possibility entirely?
Except I'm not. I've never suggested anything against passkeys. I agree that passkeys are superior and obviously preferred. Merely stating the truth that password managers can be used as a security measure (albeit not as good of a security measure) does nothing more than just that. I would appreciate if assumptions stop being made.
Dumdum you were suggesting that the autofill in password managers could be relied on for security, which is what I was arguing against. Password managers in general are an improvement in security of course, I’m only talking about the autofill feature.
DeletedUser26 you were suggesting that the autofill in password managers could be relied on for security
Once again, I never said/suggested that they could be relied on. Just that it was something you could do.
DeletedUser26 Soild point. However, wouldn't i be fucked to the same extent if i lost/broke my hardware key?
Its much easier to lose than my totp database.
[deleted] Well passkeys are best used with your password manager, synced across all your devices and backed up in the cloud. So you wouldn’t be fucked in that case. If you chose to only use them in your hardware key then that would be a risk but a self imposed one.
I'd also make the argument that hardware keys cant actually replace passwords because they can be taken from you by force unlike a password in your head.
DeletedUser26 Ah i get it. Thanks!
DeletedUser24 Brilliant quote.
ticklemyIP If it were true that TOTP has no value beyond random passwords from a password manager Micay would not use it.
The quote in the post by DeletedUser24 is being misinterpreted as saying that TOTP has no value, while the quote doesn't say that: "doesn't add any significant value" is not equal to "no value".
As to the topic of this thread: in my view, developers of GrapheneOS are already busy with developing their own secure and private OS. Flarum will likely add support for passkeys anyway, and why should GrapheneOS spend dozens of hours on a feature that might get implemented upstream next week?
fid02 Oh yeah maybe I should bug upstream about it then.
