arccy 9 days ago
A key part of the recent push for passkeys has been cross-device syncing with your Google / Apple / whatever password manager account, so you end up in the same situation: if you can log in to Bitwarden to access your passwords, you can log in to your password manager to access your passkeys.

thewebguyd 9 days ago
> A key part of the recent push for passkeys has been cross-device syncing with your Google / Apple / whatever password manager account, so you end up in the same situation: if you can log in to Bitwarden to access your passwords, you can log in to your password manager to access your passkeys.

Relying on Google/Apple is no better, with the stories of people losing access to their (Google in particular) account and not being able to recover it, let alone even reach a human at Google to begin with. Why not have a public service for this, instead of relying on big tech that can just revoke your account for any number of ToS "violations" without recourse? The solution for "normies" should not be to rely on and trust Google with your entire digital identity.

mvieira38 9 days ago
Getting the State involved is just a different, much worse threat actor than Google, though. From this discussion it should be evident how much more sovereignty passwords give you. If you want the State involved, it should regulate websites' policies on passwords, such as: no service shall be hostile to password managers (special character bans, short limits on length, no pasting), no service shall require regular password resetting (proven to worsen security). State involvement may be better used in policing, too. Public repositories of leaked passwords (without usernames, of course) would do wonders, for example.

abirch 9 days ago
I use a layered approach for passwords. If I don't trust the site and they're not getting my financial information, I'm glad to use Password1234%. Google frequently warns me that one of my passwords has been compromised, but I don't really care for those sites.

umbra07 9 days ago
So then the State can see what services I've signed up for, when and where? The State is always more difficult and dangerous to deal with than a private company.

forgetfreeman 9 days ago
"The State is always more difficult and dangerous to deal with than a private company." Ridiculous.

umbra07 9 days ago
Of course it is. Google can ban me (really just one specific digital instance of me) from their services. The government can throw me in jail, take all my property, fine me whatever amount they want, etc.

forgetfreeman 7 days ago
The State is significantly less interested in your activities than Google, regardless of whatever hypothetical you'd care to spin.

arccy 9 days ago
A state has a monopoly on force. You've obviously never lived under a regime which actively wants to harm you.

odo1242 9 days ago
You can use a third-party password manager to handle passkeys. I recommend Bitwarden personally.

rkagerer 9 days ago
> if you can log in to...

Please stop right there. I want a password manager that I fully control, and that lives on my own infrastructure (including sync between devices). Not reliance on someone else's cloud.

jvanderbot 9 days ago
Did people not realize they can save their 2fa token and just use that with a new authenticator? I haven't used phone 2fa in forever, but it was a much better system than this "email me a code" BS.

0xCMP 9 days ago
I do something similar with KeePass because a lot of my 2FA is stored on my YubiKey. When I register with the YubiKey I also register with a KeePass vault intended as a "break-in-case-of-emergency" vault. So rarely opened, and with lots of security options set to max.

rPlayer6554 9 days ago
For a long time 2fa apps (other than Bitwarden and maybe some others) would lock you into the app and not let you export it. Websites don't usually expose the text version of the code, just the QR.

electroly 9 days ago
I recently switched from Authy to 1Password for 2FA, requiring me to set up every single website's 2FA from scratch, and I found that every website I use provides the text version of the code. It's hidden behind a "having a problem scanning the code?" link. I didn't need to take a single screenshot of a QR code; I was able to save the text version for them all. Next time I switch, it'll be easy.

jandrese 9 days ago
I've never found a TOTP site that didn't also have a "click to show the code" option. It's usually in small print at the bottom, but it's there.

seplox 9 days ago
It's easy to screenshot or physically print a QR code during setup.

20after4 9 days ago
There are desktop TOTP apps that will decode the QR code from a screenshot in the clipboard.

bvrmn 9 days ago
The QR has a trivial format and the code is easily extractable.

jvanderbot 9 days ago
Almost all (not you, Steam) allow saying "I cannot take a picture" or "Enter manually". But you're right, it's not perfect, but it has gotten better. Just in time to be of no use thanks to the email BS.

phkahler 9 days ago
>> Did people not realize they can save their 2fa token and just use that with a new authenticator?

What's a 2fa token? Is that an AI thing? AI uses tokens. Or a crypto thing? Do you need one of them "nonfungible" tokens? And what's an authenticator? I have MS Authenticator for work, but it uses 2-digit numbers; are those tokens?

bobbylarrybobby 9 days ago
Not sure if I'm missing a joke, but the 2fa token is a secret that you stick in your password manager and sync (or otherwise send) to other devices so that your 2fa is not bound to a particular device. My password manager lets me view the 2fa secret as if it were just another password.

phkahler 8 days ago
Yes, I was joking. I'm not up on all the options and I'm an engineer who reads HN. What chance does Joe Public have of making sense of all these things?

nilamo 9 days ago
2fa is two-factor authentication. User+password is the first factor, and is a "something you know" check. The second factor is a "something you have" check, like sending you an SMS code. They exist so that if someone watches over your shoulder while you're typing your password, they don't gain access to anything.