• ranzispa@mander.xyz · 2 months ago

      It is quite normal to ask for an email address at registration even when using password based authentication.

        • kamen@lemmy.world · 2 months ago

          No email would be fine for most people, but then there would be the small number of folks who will cry all hell when they forget their passwords and/or secret questions and can’t get in…

        • BlueÆther@no.lastname.nz · 2 months ago

          It was more or less the default many moons ago, then just a username became more common, now it is back to email or some third party login.

      • peacefulpixel@lemmy.world · 2 months ago

        True, but I would also argue that’s a much less utilised alternative. Most people don’t even know what that is, even though it’s a great redundancy.

  • TheObviousSolution@lemmy.ca · 2 months ago (edited)

    On the other end, there is an excessive use of 2FA with systems for which the concept of SSO seems to be a foreign thing. It’s also sort of funny that 2FA can just mean using a TOTP capable password manager, reverting it back to one factor.

    • Fiery@lemmy.dbzer0.com · 2 months ago

      It’s not actually reduced to one factor, just a single point of failure. If their password manager gets taken it’s a problem; however, the generated TOTP is worthless in 1 min. So this will protect the login from cases where the password is known, like a compromised website or a reused password.

      • TheObviousSolution@lemmy.ca · 2 months ago (edited)

        If the site is compromised, then the hackers could have stolen the TOTP secrets as well as the passwords. How do you think the site verifies TOTP codes? If you reuse passwords while using a password manager, you are asking for it, though.

        • Fiery@lemmy.dbzer0.com · 2 months ago (edited)

          A full hack of every part of the service is not the only way a user’s password could get known to an attacker. Could be MitM, could be typo-squatted, etc.

          If a site is that compromised no measure of auth is gonna help, so little use worrying about it.

      • Coleslaw4145@lemmy.world · 2 months ago (edited)

        But if a password manager is compromised then doesn’t the attacker also get the TOTP key which is what generates the codes in the first place?

        It wouldn’t matter if it expires in one minute because they’ll have the token to generate the next code, as well as now knowing the password.

        • Fiery@lemmy.dbzer0.com · 2 months ago

          That makes it a single point of failure, yes, and the rest of the comment you’re replying to goes into detail on what it does protect from even if both passwd and TOTP are in the password manager.

          • Coleslaw4145@lemmy.world · 2 months ago

            Sorry, I misunderstood what you were saying. I thought you were saying that if the password manager was compromised then the attackers would have only 1 minute to make use of the tokens before they change.

    • killingspark@feddit.org · 2 months ago (edited)

      This. This so much. Password+TOTP based login is just two passwords where one is more annoying to use.

      • BCsven@lemmy.ca · 2 months ago

        Not if your TOTP codes are generated by another device; then the attacker needs your password, plus the device holding the key for TOTP. If you use it on your phone and your authenticator is your phone, then a thief has everything when they steal your phone.

        Hardware key for TOTP is a better 2FA method as it’s totally separate from your PC or phone.

        • killingspark@feddit.org · 2 months ago

          As long as the default recommendation is to use authenticator apps on your main device I’ll see this as a “could be good if implemented correctly, which it isn’t, so it isn’t good”.

        • TheObviousSolution@lemmy.ca · 2 months ago

          If you can get at a password by hacking a website, I wouldn’t be holding out hope that they couldn’t then steal the TOTP secret.

  • criticon@lemmy.ca · 2 months ago

    Or worse:

    Use email link -> use password instead

    Enter password

    Now enter the code that we sent to your email…

  • paequ2@lemmy.today · 2 months ago

    God I hate those stupid magic links. They’re WAAAAYYY slower than just using my password manager.

    AND they kinda contribute to locking you into Big Tech. I sometimes have problems with those stupid links because I don’t have a Gmail account. Somewhere along the stupid chain there’s probably some stupid check that delays or blackholes emails to non-big-tech domains.

    • definitemaybe@lemmy.ca · 2 months ago

      Based.

      Email is terrible. It’s an unreliable communication system. You cannot depend on sent emails arriving in the recipient’s mailbox—even the spam folder.

      People indirectly assume that all emails at least get to their spam folder. They don’t. There are multiple levels of filters that prevent most emails from ever making it that far because most email traffic is bots blasting phishing links, scams, and spam. Nobody wants phishing and scam emails, but the blocks that prevent those are being used by big tech to justify discriminating against small mail servers.

      I can’t remember the site, now, but I literally couldn’t log into one this week because the email never arrived.

      • balsoft@lemmy.ml · 2 months ago

        I can’t remember the site, now, but I literally couldn’t log into one this week because the email never arrived.

        Well, email allows you to solve that issue by self-hosting. But what you can’t solve is that if you do self-host, Gmail will drop your emails to spam or just discard them completely, just because it feels like it, even if you do the whole dance with DMARC and have used the domain for a good few years. It’s frustrating as shit.

      • Airfried@piefed.social · 2 months ago

        I had an email never arrive because I used Firefox for Linux. It worked on my phone in a different browser. God knows what went on there. I suppose their website never really registered I even made a request from my desktop even though it told me the email was on the way. Really strange.

  • Xziz@lemmy.world · 2 months ago

    A lot of motherfuckers typing in code with a keyboard need a beating with said keyboard.

    If a programmer can’t get a login form right they need permabanned from ever shipping another release.

    • teaHead74@programming.dev · 2 months ago

      Yes and no. In most cases it is used to limit misuse somewhat, but I absolutely agree that it’s getting out of hand. God bless trashmails.

  • LiveLM@lemmy.zip · 2 months ago (edited)

    The best I’ve seen was yesterday where a website had the log-in button greyed out after the password manager filled my creds in.
    So I had to manually click both the email and password field. Just click them. Then it enabled the log-in button.
    So someone took their time to write a piece of JS that said “If the user hasn’t focused both fields at least once, no login”. Literally why? Extra code that does nothing useful.

    I was hoping passkeys would be the solution to this madness, but it seems to me the entire spec gives too much power to the OS makers and too little to the users because “mUh AtTtEsTatIoN”, so now I don’t know anymore.

    • ricecake@sh.itjust.works · 2 months ago

      They inevitably didn’t write it for that reason. They wrote it to say the field is invalid until the user changes it to be valid after someone landed on the page holding the enter key down and instantly locked themselves out after submitting the form 50 times in 3 seconds.
      Unless you know otherwise, it’s easy to think that “form interaction” is the same as “form changed”, and one of those is much easier to check.

      I’m unsure what you mean about passkeys. I don’t think I’ve heard anyone mention significant concessions to OS makers and I’m pretty tuned in on the topic.
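The comment above pins the bug down to the difference between "form interaction" and "form changed". As an added example (not code from the thread or from any site mentioned in it), here is submit-button logic that keys off the field values alone, so a password manager filling both fields enables the button without anyone focusing them, together with the throttle that the held-Enter story calls for. The `createLoginForm` and `attach` names, the one-second interval and the `user@example.test` sample credential are this example's own assumptions; the validation runs without a DOM, and the `attach` helper shows how it would be wired to a real form.

```javascript
// Added example (not code from the thread): submit-button state driven by the
// field *values*, not by focus/click bookkeeping, plus a throttle for the
// held-down-Enter case. The core is DOM-free so it can be tested directly.

// Validation looks only at what is in the fields. A password manager that
// writes .value (whether or not it fires focus events) therefore counts.
function isLoginFormValid({ email, password }) {
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email) && password.length > 0;
}

function createLoginForm({ minIntervalMs = 1000 } = {}) {
  const values = { email: '', password: '' };
  let lastSubmitAt = -Infinity;

  return {
    // Called from an 'input' handler; no "touched" flag is kept anywhere.
    setField(name, value) {
      if (!(name in values)) throw new Error('unknown field ' + name);
      values[name] = String(value);
    },
    canSubmit() {
      return isLoginFormValid(values);
    },
    // Client-side throttling only protects the user from their own keyboard;
    // the server must still rate-limit logins independently.
    submit(nowMs) {
      if (!isLoginFormValid(values)) return { ok: false, reason: 'invalid' };
      if (nowMs - lastSubmitAt < minIntervalMs) return { ok: false, reason: 'throttled' };
      lastSubmitAt = nowMs;
      return { ok: true, email: values.email };
    },
  };
}

// Constructed scenario: the browser autofills both fields, the user never
// focuses them, then holds Enter: 50 presses spread over 3 seconds.
function autofillThenHeldEnter() {
  const form = createLoginForm();
  form.setField('email', 'user@example.test');              // autofill, no focus event
  form.setField('password', 'correct horse battery staple'); // constructed sample
  const enabledWithoutFocus = form.canSubmit();
  let sent = 0;
  for (let i = 0; i < 50; i++) {
    if (form.submit(i * 60).ok) sent++; // presses at 0 ms, 60 ms, ..., 2940 ms
  }
  return { enabledWithoutFocus, sent };
}

// Browser-only wiring (assumed form markup with fields named email/password
// and a submit button): listen for 'input', never for 'focus' or 'click'.
function attach(formEl, form) {
  const button = formEl.querySelector('button[type=submit]');
  const sync = () => { button.disabled = !form.canSubmit(); };
  for (const name of ['email', 'password']) {
    const el = formEl.elements[name];
    form.setField(name, el.value); // pick up values autofilled before this ran
    el.addEventListener('input', () => { form.setField(name, el.value); sync(); });
  }
  formEl.addEventListener('submit', (ev) => {
    if (!form.submit(Date.now()).ok) ev.preventDefault();
  });
  sync();
}
```

With a one-second interval the 50 presses collapse to three requests (at 0, 1020 and 2040 ms) and the button is enabled purely because both values are present. The `attach` helper also reads the current values once at start-up, which covers the case in the thread where the manager had already filled the fields before the page's script got a chance to observe any event.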

    • spizzat2@lemmy.zip · 2 months ago

      My utilities website doesn’t let you login if the password field is autofilled by the browser. Whatever Angular-based form validation they are using doesn’t play nice with Firefox’s saved password feature. You have to manually type something in the password field, so I always add and remove a space from the password.

      I sent an email to their support, hoping they would fix it, but they just responded saying that they can’t reproduce it.

      Well, I can reproduce it. I even told you how. That sounds like a skill issue.

    • Gumby@lemmy.world · 2 months ago

      I’ve definitely run into that. Even more frustrating is when there was one particular site that forced me to actually delete the last character of my password and then retype it. Just focusing in the field wasn’t enough, I had to actually send it a keystroke. And Ctrl-V to paste the password in manually didn’t count. I suppose typing a random character at the end and then deleting it would have worked too.

    • Passerby6497@lemmy.world · 2 months ago

      Oh, it gets worse. I’ve had some where I have to enter a character into the boxes before it would figure its shit out…

    • lambalicious@lemmy.sdf.org · 2 months ago

      So someone took their time to write a piece of JS that said “If the user hasn’t focused both fields at least once, no login”. Literally why? Extra code that does nothing useful.

      If anything, 30 seconds in Greasemonkey should fix that one (either blocking the function that is doing it, or manually firing click events on the fields).

  • 13igTyme@piefed.social · 2 months ago (edited)

    It’s over the phone, but the “We’ll send you a text to confirm your identity if you provide a phone number.” has got to be one of the stupidest wastes of time.

  • manxu@piefed.social · 2 months ago

    It feels like the factors of authentication discussion misses one important aspect: can the factor be replayed? Passwords can be replayed indefinitely, while the email links you get or the OTP token only work for a short period of time.

    I remember it from the bad days when I used LastPass. Suddenly I got a notification that the place had been compromised and I had to suddenly change hundreds of passwords. 90% of them were for sites that didn’t even exist any longer, but sifting through the long, long list to go change passwords was more work than I wanted to do.

    Don’t have to do that if I need to use a one-time token via Aegis or email! I do agree, though, that for low risk sites, username/password is totally fine.

  • HuntressHimbo@lemmy.zip · 2 months ago

    Ah, but you see, it’s one factor of authentication that also conveniently loops in whichever email provider is spying on you.

    • voidsignal@lemmy.world · 2 months ago

      Of course. How would Microslop or Google LLMs snoop on your data then? You guys really make no effort… /s

    • LedgeDrop@lemmy.zip · 2 months ago

      Ding! Ding!

      This is the real answer: mail providers get to track you, your service gets constant confirmation that your email is live (so they can send more ads from themselves plus their 400 closest affiliates). It’s a win-win situation for everyone /s.

      “The beatings enshittification will continue until morale is improved.”

      • scholar@lemmy.world · 2 months ago

        Public key cryptography tied to physical hardware, so if you lose your phone / USB key, you need to use your backup recovery code; a fairly short one time password that negates the security benefits of FIDO in one easy step.

        It can also use biometrics, but that requires every device you log in on to have biometric readers.

    • sunbeam60@feddit.uk · 2 months ago

      And when they do they only offer them as the second factor.

      Yes, let me first input my password (from a password manager), then let me approve with a passkey that is meant to make my password not necessary.

      But email based login: FUCK THAT SHIT.

  • Korne127@lemmy.world · 2 months ago

    Magic link only is the worst kind of login system. However, I don’t know any big real companies that use this.
    If you don’t like passwords, just use passkeys.

      • SirEDCaLot@lemmy.today · 2 months ago

        Not even close.

        Passkey is a generic technology not specific to any vendor. While there are a few versions of it, the long story short is it uses an encryption key you have to authenticate you rather than a password. This makes phishing extremely difficult if not impossible.

        There’s lots of passkey implementations. All the major browsers have one built in with their included password managers. Most good password managers like BitWarden or 1Password also support passkeys. And if you want to be extra secure, the passkey can be an actual hardware token like a YubiKey.

        So yeah you see Google pushing passkeys a lot, and if you use Google password manager it will store your passkeys. But you also see Apple pushing it, and Microsoft also.

      • nibbler@discuss.tchncs.de · 2 months ago

        Don’t think so. What I gathered, passkeys is a public/private key scheme, much like pubkey auth in SSH logins.

          • Gt5@lemmy.zip · 2 months ago

            Yes, but it’s not something that can be easily guessed or found on a Post-it on the monitor.

            • BCsven@lemmy.ca · 2 months ago

              True dat. But if they compromise your computer the first thing they look for is key files.

              Like my SSH keys are in a root permission file. Protected from general sight, but if somebody compromises my PC with a CVE, then goodbye keys.

              At least with a hardware key it is removable and requires a button press.

              So accessing becomes physical access or quantum computer cracking.

            • BCsven@lemmy.ca · 2 months ago

              Steals it from your system I meant. Which has even happened to security pros.

  • killabeezio@lemmy.world · 2 months ago

    There are a few reasons for this.

    1. Conversion rates are higher and the majority tend to prefer these over passwords
    2. When you have to reset a password, you typically have to send an email anyway.
    3. It’s technically safer because they are short lived tokens and if someone’s password gets compromised, their token cannot.

    It’s not a perfect system by any means, but it’s better than the shit implementation of passkeys and it’s generally better than passwords for most users.

    I prefer passwords over links and codes, but I get it.

    • GreenKnight23@lemmy.world · 2 months ago

      1. Conversion rates are higher and the majority tend to prefer these over passwords

      can’t attest to this. I’ve seen so many users fail to understand they must click the link in their email to complete registration. some yet still refuse and complain that “it could be spoofed”.

      2. When you have to reset a password, you typically have to send an email anyway.

      not if you remember your password…

      3. It’s technically safer because they are short lived tokens and if someone’s password gets compromised, their token cannot.

      except for the password on your email. this is just security through obscurity or security theater. just because you sent it as an email doesn’t make it more secure. it just makes it more complex.

    • Appoxo@lemmy.dbzer0.com · 2 months ago

      If they aren’t on a USB stick, protected against being copied, they are only a single factor that instills false safety.

      • ricecake@sh.itjust.works · 2 months ago

        Depends on the system. The thing where your password manager is managing your passkeys? That’s a single factor unless it’s doing something tricky that none of them do.
        When it’s the TPM or a Bluetooth connection to your phone? That’s actually two factors, and great.

        • KairuByte@lemmy.dbzer0.com · 2 months ago

          I’m curious what you think tricky is?

          For instance, 1Password requires your secret key for initial login/setup on a device along with the username and password. After initial login/setup the secret key is no longer required, but you still need the password to access.

          I’d call that a fair trade off. Someone would need to know my password and have unfettered access to my previously set up device to login, or they would need to know the secret key.

          The secret key is not stored by 1Password (the company). If you store it in 1Password and the last device is lost/broken/stolen then your account is essentially dead. You have no way to get back in.

        • Appoxo@lemmy.dbzer0.com · 2 months ago

          Can it be copied from your phone? (e.g. by migrating your phone via a backup)
          Then it can be compromised and is essentially a single factor (because some websites permit you to login via the key only).
          Only if you’d need to completely renew the key, then it’s truly secure.

          • ricecake@sh.itjust.works · 2 months ago

            There are secure ways to transfer the key that preserve the properties that make it useful as two factors in one.

            Basically, the device will only release the key in an encrypted fashion readable by another device able to make the same guarantees, after the user has used that device to authenticate to the first device using the key being transferred.
            A backup works the same way.

    • MDCCCLV@lemmy.ca · 2 months ago

      Website wants you to make a passkey, go to login but the entry form only accepts the username, then you have to click next to password which may or may not accept the passkey.