Tell HN: Internet companies sabotaging password managers
Setting aside the "2FA on same storage as passwords" argument, this flow is pretty secure. One password per service and TOTP codes work well, especially because the app locks itself within minutes, requires biometric unlocking and requires a password every X weeks.
But now, big tech apps prioritize (and often require) their non deterministic 2FA flows.
Google makes you login via any Google app you're logged in as (sometimes that is a desk clock). You need to hunt down the hidden option to use your 2FA app.
With Stripe, some operations require a passkey or "Email + 2FA Authenticator". Seems the email part is just to create friction.
There are many other cases where they treat regular 2FA the same as "password123". Is the goal here just to sell everyone on passkeys?
3 comments
[ 4.7 ms ] story [ 13.9 ms ] threadThey probably will lobby a lot around allegedly superior security of their solutions but this is only real security under a warped perspective neglecting important factos.
User owned password safes are still the better solution and services that do not allow for password authentication are to be treated with caution.