[deleted] lets say you go on a fake Facebook.com and type in your password and totp code. They are in now, and totp did nothing to protect you. Now let’s say you’re on a fake facebook.com and you use passkeys, well it won’t work. That’s actually protecting you from phishing.
Granted they would have to use that code within a short timespan, but this stuff is surely all automated by now.
DeletedUser26
I had the understanding that if you're using a password manager, then a fake site wouldn't matter. If the domain of the login credentials doesn't match the site you're on, you won't be able to input them.
Dumdum If the keys do not match the domain it wont work yes. But I think the argument of TOTP vs no 2FA does not fall on the phishing side as we know it can be phished the same. It falls on the "attacker already knows your password by whatever means" side. Users have terrible shitty passwords all the time, while they can still use TOTP.
Dumdum If the autofill in your password manager doesn’t work, most people’s instinct is to just manually copy/paste the password and totp code in. The autofill in your password manager is a convenience feature not a security feature.
DeletedUser26 If the autofill in your password manager doesn’t work, most people’s instinct is to just manually copy/paste the password and totp code in.
Then that's the fault of most people, and they should make at least some attempt to stop being so passive/carefree in their security.
The autofill in your password manager is a convenience feature not a security feature.
Except it can be a security feature for those who know to use it as one. Just because better security features exist does not mean it isn't/can't be one.
Dumdum see you’re making one of the worst mistakes in cybersecurity: relying on humans not to mess up. Why not take out the human error possibility entirely? That’s what passkeys do. You get all the convenience and much less possibility of human error.
Also idk about you, but my password manager fails to autofill sometimes even when I’m on the correct website.
ticklemyIP It falls on the "attacker already knows your password by whatever means" side. Users have terrible shitty passwords all the time, while they can still use TOTP.
I agree, which is why I find it to be simply staggering to say that TOTP provides no security benefits even in events such as leaked/hacked login information. In such events, even a randomised 100+ character password loses its strength of security and an extra barrier would obviously prove beneficial.
Dumdum Leaked password is pretty much the only time TOTP does anything useful true. I don’t think it’s useless but the inconvenience vs security benefit is way off balance. It does more to lock you out of your own account than to keep others out. God help you if your janky separate TOTP manager that everyone uses breaks or something, all your accounts are toast.
DeletedUser26 see you’re making one of the worst mistakes in cybersecurity: relying on humans not to mess up. Why not take out the human error possibility entirely?
Except I'm not. I've never suggested anything against passkeys. I agree that passkeys are superior and obviously preferred. Merely stating the truth that password managers can be used as a security measure (albeit not as good of a security measure) does nothing more than just that. I would appreciate if assumptions stop being made.
Dumdum you were suggesting that the autofill in password managers could be relied on for security, which is what I was arguing against. Password managers in general are an improvement in security of course, I’m only talking about the autofill feature.
DeletedUser26 you were suggesting that the autofill in password managers could be relied on for security
Once again, I never said/suggested that they could be relied on. Just that it was something you could do.
DeletedUser26 Soild point. However, wouldn't i be fucked to the same extent if i lost/broke my hardware key?
Its much easier to lose than my totp database.
[deleted] Well passkeys are best used with your password manager, synced across all your devices and backed up in the cloud. So you wouldn’t be fucked in that case. If you chose to only use them in your hardware key then that would be a risk but a self imposed one.
I'd also make the argument that hardware keys cant actually replace passwords because they can be taken from you by force unlike a password in your head.
DeletedUser26 Ah i get it. Thanks!
DeletedUser24 Brilliant quote.
ticklemyIP If it were true that TOTP has no value beyond random passwords from a password manager Micay would not use it.
The quote in the post by DeletedUser24 is being misinterpreted as saying that TOTP has no value, while the quote doesn't say that: "doesn't add any significant value" is not equal to "no value".
As to the topic of this thread: in my view, developers of GrapheneOS are already busy with developing their own secure and private OS. Flarum will likely add support for passkeys anyway, and why should GrapheneOS spend dozens of hours on a feature that might get implemented upstream next week?
fid02 Oh yeah maybe I should bug upstream about it then.
An extension for passkey login exists, but we are very unlikely to use it:
https://flarum.org/extension/hikarilan/flarum-passkey-login
We have a rule to only use extensions from Friends of Flarum, as they are the only ones that are maintained long-term and have a reputation for high quality. Introducing a passkey extension that stops being maintained or breaks would be pretty catastrophic and would force our team to have to deal with it instead, which is not where we want to be.
matchboxbananasynergy That makes sense, I hope they add it officially at some point.
