mvieira38, 9 days ago:
> "I’d rather granny needs to visit the bank to get access to her account again, than someone phishes her and steals all her money."
More like abuelita gets robbed at gunpoint and made to unlock and clear out her bank account, then has no recourse at home because her device was taken. I live in a third world country and even 2FA simply isn't viable for me due to how frequent phone robberies are. I've had to do the process once and it was a nightmare, whereas with passwords I can just log into Bitwarden wherever and I'm golden.

arccy, 9 days ago:
A key part of the recent push for passkeys has been cross device syncing with your Google / Apple / whatever password manager account, so you end up in the same situation: if you can log in to Bitwarden to access your passwords, you can log in to your password manager to access your passkeys.

thewebguyd, 9 days ago:
> A key part of the recent push for passkeys has been cross device syncing with your Google / Apple / whatever password manager account, so you end up in the same situation: if you can log in to Bitwarden to access your passwords, you can log in to your password manager to access your passkeys.
Relying on Google/Apple is no better, with the stories of people losing access to their (Google in particular) account, and not being able to recover or let alone even reach a human at Google to begin with. Why not have a public service for this, instead of relying on big tech that can just revoke your account for any number of ToS "violations" without recourse? The solution for "normies" should not be rely on and trust Google with your entire digital identity.
mvieira38, 9 days ago:
Getting the State involved is just a different, much worse threat actor than Google, though. From this discussion it should be evident how much more sovereignty passwords give you. If you want the State involved it should regulate websites' policies on passwords, such as: no service shall be hostile to password managers (special character bans, short limits on length, no pasting), no service shall require regular password resetting (proven to worsen security). State involvement may be better used in policing, too. Public repositories of leaked passwords (without usernames, of course) would do wonders, for example.
abirch, 9 days ago:
I use a layered approach for passwords. If I don't trust the site and they're not getting my financial information, I'm glad to use Password1234%. Google frequently warns me that one of my passwords has been compromised but I don't really care for those sites.

umbra07, 9 days ago:
So then the State can see what services I've signed up for, when and where? The State is always more difficult and dangerous to deal with than a private company.

forgetfreeman, 9 days ago:
"The State is always more difficult and dangerous to deal with than a private company." Ridiculous.

umbra07, 9 days ago:
Of course it is. Google can ban me (really just one specific digital instance of me) from their services. The government can throw me in jail, take all my property, fine me whatever amount they want, etc.

forgetfreeman, 7 days ago:
The State is significantly less interested in your activities than Google, regardless of whatever hypothetical you'd care to spin.

arccy, 9 days ago:
A state has a monopoly on force; you've obviously never lived under a regime which actively wants to harm you.

odo1242, 9 days ago:
You can use a third-party password manager to handle passkeys. I recommend Bitwarden personally.

rkagerer, 9 days ago:
> if you can log in to...
Please stop right there. I want a password manager that I fully control, and lives on my own infrastructure (including sync between devices). Not reliance on someone else's cloud.

jvanderbot, 9 days ago:
Did people not realize they can save their 2fa token and just use that with a new authenticator? I haven't used a phone 2fa forever, but it was a much better system than this "email me a code" BS.
0xCMP, 9 days ago:
I do something similar with KeePass because a lot of my 2FA is stored on my YubiKey. When I register with YubiKey I also register with a KeePass vault intended as a "break-in-case-of-emergency". So rarely opened and with lots of security options set to max.
rPlayer6554, 9 days ago:
For a long time 2fa apps (other than Bitwarden and maybe some others) would lock you into the app and not let you export it. Websites don’t usually expose the text version of the code, just the QR.

electroly, 9 days ago:
I recently switched from Authy to 1Password for 2FA, requiring me to set up every single website's 2FA from scratch, and I found that every website I use provides the text version of the code. It's hidden behind a "having a problem scanning the code?" link. I didn't need to take a single screenshot of a QR code; I was able to save the text version for them all. Next time I switch, it'll be easy.

jandrese, 9 days ago:
I've never found a TOTP site that didn't also have a "click to show the code" option. It's usually in small print at the bottom, but it's there.

seplox, 9 days ago:
It's easy to screenshot or physically print a QR code during setup.

20after4, 9 days ago:
There are desktop TOTP apps that will decode the QR code from a screenshot in the clipboard.
bvrmn, 9 days ago:
QR has a trivial format and the code is easily extractable.
jvanderbot, 9 days ago:
Almost all (not you, Steam) allow saying "I cannot take a picture" or "Enter manually". But you're right, it's not perfect but has gotten better. Just in time to be of no use thanks to email BS.

phkahler, 9 days ago:
>> Did people not realize they can save their 2fa token and just use that with a new authenticator?
What's a 2fa token? Is that an AI thing? AI uses tokens. Or a crypto thing? Do you need one of them "nonfungible" tokens? And what's an authenticator? I have MS authenticator for work, but it uses 2 digit numbers, are those tokens?

bobbylarrybobby, 9 days ago:
Not sure if I'm missing a joke, but the 2fa token is a secret that you stick in your password manager and sync (or otherwise send) to other devices so that your 2fa is not bound to a particular device. My password manager lets me view the 2fa secret as if it were just another password.
phkahler, 8 days ago:
Yes, I was joking. I'm not up on all the options and I'm an engineer who reads HN. What chance does Joe public have of making sense of all these things?

nilamo, 9 days ago:
2fa is two factor authentication. User+password is the first factor, and is a "something you know" check. The second factor is a "something you have" check. Like sending you an SMS code. They exist so if someone watches over your shoulder while typing your password, they don't gain access to anything.

throw10920, 8 days ago:
I feel like this is a really strong justification for duress passwords. Register a duress password with your phone or bank account, and if you ever enter it, that system will take whatever actions you want - call the police with your location, display a fake balance of a few hundred dollars, switch to a fake email account, hide your crypto wallet app, whatever.

bccdee, 9 days ago:
FYI, you can put a 2FA secret into Bitwarden and autofill the one-time passwords alongside the regular password. That would mitigate the impact of losing your phone.

lhamil64, 9 days ago:
I personally don't do this because I feel like it defeats the whole purpose of 2fa. If someone gets into your bitwarden account, now they have your passwords and can generate 2fa codes. Of course, if the alternative is just not doing 2fa then it's better than nothing, but I'd still prefer an authenticator app or hardware key rather than putting them in bitwarden.
bccdee, 9 days ago:
That's why my bitwarden account is protected with 2FA! If an adversary has gotten into my bitwarden secrets, my second factor is already compromised. And if I lose my phone, I only need to do the recovery flow with the printed codes for one account, rather than for all of my accounts.

mvieira38, 9 days ago:
Getting into your bitwarden account should be at least as hard as getting into your authenticator app or stealing your hardware key, though, if you're using it as intended, so I think it's ok for 2FA.

ihattendorf, 9 days ago:
2FA keys are easily stolen from a desktop with a password manager running in the background when running a malicious executable, vs. 2FA keys on a 2FA app on a phone and running a malicious app.

bccdee, 7 days ago:
I don't know if this is true. A password manager should encrypt its data at rest, and exfiltrating a key from another process's memory space is non-trivial. At the very least, you'd need a privilege escalation trick.

britzkopf, 9 days ago:
Great, this is a universal solution. Let's all make it an integral part of our digital security, and in 5 years or so hope that bitwarden doesn't leverage it!

ssk42, 9 days ago:
The good news is that you can self-host bitwarden pretty easily and so it doesn't have to be a hassle/risk.

dare944, 9 days ago:
Grandma is self-hosting what???

nightski, 9 days ago:
I am going to be honest, Grandma is already compromised.

jamespo, 9 days ago:
That's where you come in, sonny.
dsr_, 9 days ago:
This. Grandma, and Uncle Rob, and your cousins, and anyone else you have a long standing relationship with, can use your VaultWarden instance if you let them. But! You now get to maintain uptime (Rob travels and is frequently awake at 3am your time) and make sure that the backups are working... and remember that their access to their bank accounts is now in your hands, so be responsible. Have a second site and teach your niece how to sysadmin.

jvanderbot, 9 days ago:
FYI you can go `oathtool --totp -b "that secret code"` and never need a third party vendor again.

chimeracoder, 9 days ago:
> More like abuelita gets robbed at gunpoint and made to unlock and clear out her bank account, then has no recourse at home because her device was taken.
You are describing the current status quo, without passkeys. This is already possible. Well, except maybe for the "without recourse" part, because there are some legal and policy avenues available for dealing with this situation.

mvieira38, 9 days ago:
The without recourse is the part that matters... With passkeys or 2FA she's at risk of having to wait a day or more to go to the physical location (if there even is one, digital banks are huge in Latin America), with passwords she can just check her notebook the same night and start the recourse through official channels. I know she could just call the hotline, but if a 24hr customer service guy can get you in your account the same night then the bank is too insecure anyway.
chimeracoder, 9 days ago:
> The without recourse is the part that matters...
Yes, and I'm saying that part isn't accurate either for the story you're portraying with passkeys or for the status quo. That's not how account recovery flows work.

mvieira38, 9 days ago:
With passwords, no account was even lost in the scenario for a recovery flow to start. An account recovery flow is only necessary because of the superfluous extra security, which will almost inevitably introduce more attack vectors than before (such as a social engineering attack through customer service) if the banks want to service customers like grandmas.

chimeracoder, 9 days ago:
> With passwords, no account was even lost in the scenario for a recovery flow to start
Given how common mandatory SMS 2FA is for banks, if thieves stole your unlocked phone, they have stolen your account too.

3036e4, 9 days ago:
Isn't the SMS just 1 factor, and for 2FA they will also need the other F (e.g. password)? Relying on only SMS sounds like 1FA?

LorenPechtel, 9 days ago:
Exactly. The only financial stuff on my phone is Google Wallet and I don't even live in a high threat area. The devices that can accept payment from Google Wallet are always in observed locations, it would be very hard for a mugger to use it maliciously. All the easy money transfer options are an attack surface I see no need to expose.

codethief, 9 days ago:
> whereas with passwords I can just log into Bitwarden wherever and I'm golden
Good luck. For some arcane reason, Bitwarden turned on email-based 2FA for my account last night and all of a sudden I'm locked out of my account for half a day. …mostly because I have greylisting enabled on my mail server, so emails don't arrive right away, but as it so happens I also had all my hardware stolen from me last weekend. Bootstrap is a real bitch.
| > whereas with passwords I can just log into Bitwarden wherever and I'm golden Good luck. For some arcane reason, Bitwarden turned on email-based 2FA for my account last night and all of a sudden I'm locked out of my account for half a day. …mostly because I have greylisting enabled on my mail server, so emails don't arrive right away, but as it so happens I also had all my hardware stolen from me last weekend. Bootstrap is a real bitch. |