Support Passkeys on the Forum
It would be nice if the forums supported passkeys and creating an account without giving an email or password. It would be a huge privacy and security improvement.
Let's have TOTP first.
Waste of time, TOTP doesn't add anything for security if you have a unique password for every app/website.
It should no longer be deployed today.
Manna Says who? TOTP 2FA is better than no 2FA even with 64-bit unique passwords.
Says who?
GrapheneOS founder says it:
TOTP has horrible UX and I'm barely willing to keep using it for sites without FIDO2. Too weak and can be phished anyway. TOTP doesn't add any significant value on top of using a password manager with random passwords. FIDO2 adds lots of value and can entirely replace passwords.
TOTP really needs to die especially now that there are passkeys (multi-device FIDO credentials). Most people shouldn't ever have to learn that the horrible TOTP approach even exists. It's not good that it exists since sites are spending their time adding that instead of FIDO...
Mod note: removed link to Twitter account with protected posts. Most forum users won't be able to read the quoted tweets since they're not following the account.
On this forum? It's a public discussion bulletin board system style site.
You can't even PM other users.
I literally have a top 500 password here and I don't even care if the account gets "hacked".
Unless you are a mod there is nothing to hide; it's not like a social media profile.
23Sha-ger Well, what if someone hacks your account and starts posting as you? That's not ideal, is it? Anyway, what's the harm in having more security? Why would you ever argue for worse security? Especially since passkeys are not only more secure but also more convenient, so you're also arguing for less convenience.
The post doesn't load for me, so I'll have to give you the benefit of the doubt on the contents of the tweet.
TOTP has horrible UX and I'm barely willing to keep using it for sites without FIDO2.
Same here
Too weak and can be phished anyway.
Correct, but so can passwords, no matter the length.
TOTP doesn't add any significant value on top of using a password manager with random passwords.
Pretty sure that's not true. TOTP changes every 30 seconds, which makes it different from a mostly permanent password. Any 2FA would add security to an account. Well, things like SMS 2FA maybe not much, but that too makes it more difficult to crack an account.
FIDO2 adds lots of value and can entirely replace passwords.
True
TOTP really needs to die especially now that there are passkeys (multi-device FIDO credentials).
Agreed
Most people shouldn't ever have to learn that the horrible TOTP approach even exists. It's not good that it exists since sites are spending their time adding that instead of FIDO...
Maybe that's true, but I'd say if the choice is between TOTP or no 2FA on a mainstream site, I'll take TOTP any day. If it were true that TOTP has no value beyond random passwords from a password manager, Micay would not use it. But in his own words he does. So there must be some value to it after all.
I'll change my original opinion regarding this forum: there may not be a reason to add TOTP here, since this project is known for cutting-edge, best-in-class security after all, but still, the argument that not everyone can afford a YubiKey or another FIDO2 certified key only recently became abundant, and only because passkey support is rolling out. Still, not everyone today even knows that passkeys exist, not to mention how to use them. Having your keys on a USB stick which you can bring with you everywhere, which is universal, and storing them on your device are still different things. I'd say mainstream platforms still supporting TOTP 2FA today, at least until passkeys become more popular than TOTP, does no significant harm, and certainly does not do as much harm as not having that option available to newbies.
But that's just my two cents in this matter.
[deleted]
Hmm, is TOTP really that useless?
Even if it's protected by the Android keystore and you can't obtain the seeds easily without decrypting them? I thought it protects users from leaked passwords fairly well.
[deleted] Let's say you go on a fake Facebook.com and type in your password and TOTP code. They are in now, and TOTP did nothing to protect you. Now let's say you're on a fake facebook.com and you use passkeys: well, it won't work. That's actually protecting you from phishing.
Granted they would have to use that code within a short timespan, but this stuff is surely all automated by now.
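The phishing scenario in the post above, worked through in code. This is an added example and not part of the thread: a real RFC 6238 TOTP check (verified against the RFC test vector) is contrasted with a toy model of the WebAuthn/passkey flow. The site names are constructed, and an HMAC key stands in for the per-site private key a real authenticator would hold, so the demo runs with the Python standard library alone. The two security-relevant points are that the TOTP verifier never sees an origin, so a code typed into a fake page verifies at the real site, whereas in the passkey flow the browser binds the assertion to the origin and the authenticator has no credential for a look-alike domain at all.

```python
"""Constructed demo: why a phished TOTP code still verifies but a phished passkey assertion does not."""
import hashlib
import hmac
import os
import struct

STEP = 30  # TOTP time step in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time counter."""
    return hotp(secret, at // STEP, digits)


def totp_verify(secret: bytes, code: str, at: int, skew: int = 1) -> bool:
    """Server-side TOTP check accepting +/- skew steps. Nothing here involves an origin."""
    return any(hmac.compare_digest(code, totp(secret, at + k * STEP))
               for k in range(-skew, skew + 1))


class Authenticator:
    """Toy passkey authenticator (assumption: HMAC key instead of a real signing key).
    A real authenticator keeps one private key per relying party and signs with it."""

    def __init__(self):
        self.credentials = {}  # rp_id -> key, created by the site that registered it

    def register(self, rp_id: str) -> bytes:
        key = os.urandom(32)
        self.credentials[rp_id] = key
        return key  # real WebAuthn hands the site a public key; the toy shares the HMAC key

    def sign(self, rp_id: str, client_data: bytes):
        key = self.credentials.get(rp_id)
        if key is None:
            return None  # no credential registered for this site: nothing to sign with
        return hmac.new(key, client_data, hashlib.sha256).digest()


def browser_get_assertion(auth: Authenticator, origin: str, rp_id: str, challenge: bytes):
    """Browser step: the requested RP ID must be the origin's host or a registrable suffix
    of it, and the browser (not the page) writes the origin into the signed client data."""
    host = origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None
    client_data = f"{origin}|{challenge.hex()}".encode()
    sig = auth.sign(rp_id, client_data)
    return None if sig is None else (client_data, sig)


def passkey_verify(key: bytes, expected_origin: str, challenge: bytes, assertion) -> bool:
    """Relying-party check: origin and challenge must match, then the signature must verify."""
    if assertion is None:
        return False
    client_data, sig = assertion
    origin, chal_hex = client_data.decode().split("|")
    if origin != expected_origin or chal_hex != challenge.hex():
        return False
    return hmac.compare_digest(sig, hmac.new(key, client_data, hashlib.sha256).digest())


REAL, FAKE = "https://site.example", "https://site-example.evil"  # constructed names


def phish_totp(now: int = 1_700_000_000) -> bool:
    """User types a live code into the fake page; the attacker relays it seconds later."""
    seed = os.urandom(20)
    stolen = totp(seed, now)
    return totp_verify(seed, stolen, now + 5)  # accepted by the real site


def phish_passkey() -> tuple:
    """Returns (relayed RP ID accepted?, attacker's own RP ID accepted?, genuine accepted?)."""
    auth = Authenticator()
    pub = auth.register("site.example")
    challenge = os.urandom(32)  # real site's challenge, relayed through the fake page
    relayed = browser_get_assertion(auth, FAKE, "site.example", challenge)
    own = browser_get_assertion(auth, FAKE, "site-example.evil", challenge)
    genuine = browser_get_assertion(auth, REAL, "site.example", challenge)
    return (passkey_verify(pub, REAL, challenge, relayed),
            passkey_verify(pub, REAL, challenge, own),
            passkey_verify(pub, REAL, challenge, genuine))


if __name__ == "__main__":
    print("phished TOTP code accepted:", phish_totp())
    print("phished passkey (relayed RP ID, own RP ID, genuine):", phish_passkey())
```

The TOTP half is the genuine algorithm, so `totp(b"12345678901234567890", 59, digits=8)` yields the RFC 6238 Appendix B value `94287082`. The passkey half deliberately models only the two checks that matter for this thread (RP ID against origin in the browser, origin inside the signed client data at the server); real WebAuthn adds a signature counter, user-presence flags and attestation on top.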
Dumdum If the keys do not match the domain it won't work, yes. But I think the argument of TOTP vs no 2FA does not fall on the phishing side, as we know it can be phished the same. It falls on the "attacker already knows your password by whatever means" side. Users have terrible, shitty passwords all the time, while they can still use TOTP.
fria If the autofill in your password manager doesn’t work, most people’s instinct is to just manually copy/paste the password and totp code in.
Then that's the fault of most people, and they should make at least some attempt to stop being so passive/carefree in their security.
The autofill in your password manager is a convenience feature not a security feature.
Except it can be a security feature for those who know to use it as one. Just because better security features exist does not mean it isn't/can't be one.
Dumdum see you’re making one of the worst mistakes in cybersecurity: relying on humans not to mess up. Why not take out the human error possibility entirely? That’s what passkeys do. You get all the convenience and much less possibility of human error.
Also idk about you, but my password manager fails to autofill sometimes even when I’m on the correct website.
ticklemyIP It falls on the "attacker already knows your password by whatever means" side. Users have terrible shitty passwords all the time, while they can still use TOTP.
I agree, which is why I find it simply staggering to say that TOTP provides no security benefits even in events such as leaked/hacked login information. In such events, even a randomised 100+ character password loses its strength, and an extra barrier would obviously prove beneficial.
Dumdum Leaked password is pretty much the only time TOTP does anything useful true. I don’t think it’s useless but the inconvenience vs security benefit is way off balance. It does more to lock you out of your own account than to keep others out. God help you if your janky separate TOTP manager that everyone uses breaks or something, all your accounts are toast.
fria see you’re making one of the worst mistakes in cybersecurity: relying on humans not to mess up. Why not take out the human error possibility entirely?
Except I'm not. I've never suggested anything against passkeys. I agree that passkeys are superior and obviously preferred. Merely stating the truth that password managers can be used as a security measure (albeit not as good a security measure) does nothing more than just that. I would appreciate it if assumptions stopped being made.