21 comments

[ 3.0 ms ] story [ 57.2 ms ] thread
Bravo. Let us encourage tech companies to take the lead in eliminating bad forms of 2FA such as SMS. Let them drive adoption of passkeys, U2F, FIDO, hardware keys, and other open standards. Someday, banks will join the 21st century.
Good luck getting the elderly customers to adopt such practice.

Naturally is their fault for not getting them, and should be punished with the 5 to 10 € for going to the counter.

My gran is gonna be pissed she cannot fork linux kernel now
I’m probably missing something, but is there a reason why passkeys can’t entirely replace password+2FA and create a much simpler experience for everyone?
Plenty of people don't have smartphones, or don't understand how to use them beyond phone calls and SMS, even if they do.

Additionally there are plenty among them that are technology illiterate.

These approaches only push them further away from society where only people that understand computers thrive.

Right. Well, I don’t trust any of those people to remember a password and keep it secure either..
Hence being punished for their lack of knowledge, paying administrative fees at the bank counter.
What if I lose my devices?
This will mean no 2FA for me and many others. I'll never set up a method that depends on me not losing a particular device or an account.
Um, is SMS not tied to not losing a particular SIM card? I guess you can try to restore your number, do all operators provide this functionality?
My number is tied to my government issued ID. If I lose the SIM card I can get another one simply by showing my ID. If my ID gets stolen I can get another one by visiting the Police and so on.

The point is - I have some kind of an enforceable legal right to that number, whereas I currently have no such right to any particular account (and such rights can't be practically enforced for physical objects such as devices)

It sounds like what you really want is to outsource your security to the government. Maybe you should just say that's what you want.
I'm pretty sure you're doing this already. We have courts for a reason, technocracy is a step backwards.
Yes, that’s what I want. There’s a much lower risk, for me, or government tyranny than me losing my yubikey.

Note though that it varies depending on the thing protected. For GitHub, I’m cool with the risk that the government gets a subpoena to seize my phone or SIM card and log into GitHub.

For some other services like messaging, I’d rather have stronger controls.

If the government ordered it you or anyone else would be given access to your account, no matter how many factors you have.
Then store your github TOTP token on multiple devices, like I do.

You can even turn it into a QR code and tatoo it on your cat's butt.

The first option has the same problem I mentioned, while the second sounds much less practical than SMS.

Each backup might decrease the overall security, but while theoretically you can still remember TOTP tokens or write them down and put inside a safe (possible but impractical), with passkeys that's no longer possible.

> I'll never set up a method that depends on me not losing a particular device

> Then store your github TOTP token on multiple devices

> The first option has the same problem I mentioned

Math it again.

If I have 2 devices, your solution still makes me depend on not losing both of them and so on.

I don't want to depend on me not losing them (for example in a fire).

Good riddance. In my region I am unable to receive most of these messages (blocked), so I hate when webservices force phone verification onto me.
Anybody else opting out of passkeys and etc?