Bravo. Let us encourage tech companies to take the lead in eliminating bad forms of 2FA such as SMS. Let them drive adoption of passkeys, U2F, FIDO, hardware keys, and other open standards. Someday, banks will join the 21st century.
I’m probably missing something, but is there a reason why passkeys can’t entirely replace password+2FA and create a much simpler experience for everyone?
My number is tied to my government issued ID. If I lose the SIM card I can get another one simply by showing my ID. If my ID gets stolen I can get another one by visiting the Police and so on.
The point is - I have some kind of an enforceable legal right to that number, whereas I currently have no such right to any particular account (and such rights can't be practically enforced for physical objects such as devices)
Yes, that’s what I want. There’s a much lower risk, for me, or government tyranny than me losing my yubikey.
Note though that it varies depending on the thing protected. For GitHub, I’m cool with the risk that the government gets a subpoena to seize my phone or SIM card and log into GitHub.
For some other services like messaging, I’d rather have stronger controls.
The first option has the same problem I mentioned, while the second sounds much less practical than SMS.
Each backup might decrease the overall security, but while theoretically you can still remember TOTP tokens or write them down and put inside a safe (possible but impractical), with passkeys that's no longer possible.
21 comments
[ 3.0 ms ] story [ 57.2 ms ] threadNaturally is their fault for not getting them, and should be punished with the 5 to 10 € for going to the counter.
Additionally there are plenty among them that are technology illiterate.
These approaches only push them further away from society where only people that understand computers thrive.
The point is - I have some kind of an enforceable legal right to that number, whereas I currently have no such right to any particular account (and such rights can't be practically enforced for physical objects such as devices)
Note though that it varies depending on the thing protected. For GitHub, I’m cool with the risk that the government gets a subpoena to seize my phone or SIM card and log into GitHub.
For some other services like messaging, I’d rather have stronger controls.
You can even turn it into a QR code and tatoo it on your cat's butt.
Each backup might decrease the overall security, but while theoretically you can still remember TOTP tokens or write them down and put inside a safe (possible but impractical), with passkeys that's no longer possible.
> Then store your github TOTP token on multiple devices
> The first option has the same problem I mentioned
Math it again.
I don't want to depend on me not losing them (for example in a fire).