Tell HN: Internet companies sabotaging password managers

3 points by figassis ↗ HN
Not too long ago, everyone started putting users through authentication hell in favor of requiring 2FA. I settled on 1Password.

Setting aside the "2FA on same storage as passwords" argument, this flow is pretty secure. One password per service and TOTP codes work well, especially because the app locks itself within minutes, requires biometric unlocking and requires a password every X weeks.

But now, big tech apps prioritize (and often require) their non deterministic 2FA flows.

Google makes you login via any Google app you're logged in as (sometimes that is a desk clock). You need to hunt down the hidden option to use your 2FA app.

With Stripe, some operations require a passkey or "Email + 2FA Authenticator". Seems the email part is just to create friction.

There are many other cases where they treat regular 2FA the same as "password123". Is the goal here just to sell everyone on passkeys?

3 comments

[ 4.7 ms ] story [ 13.9 ms ] thread
(comment deleted)
I avoid passkeys like the plague. There's no good outcome to that in the long run. It's a reasonable solution in a vacuum where nothing changes and people aren't human, but it's disastrous as soon as anything accidental or unforeseen is introduced.
Perhaps strategy because they want people to use their ecosystem. Which I would wholeheartedly not recommend because you become instantly dependent. Tech companies aren't banks and should not be trusted with access information aside from that to their own services.

They probably will lobby a lot around allegedly superior security of their solutions but this is only real security under a warped perspective neglecting important factos.

User owned password safes are still the better solution and services that do not allow for password authentication are to be treated with caution.