yawaramin 3 days ago

I'm angry about this. Large megacorps with the budget of medium-sized countries allocate the minimum amount of budget to maintain their auth systems and still allow the use of phishable auth methods. If npm disabled passwords and forced people to use passkeys, this huge problem just disappears tomorrow.

But instead, we're left with this mess where ordinary developers are forced to deal with the consequences of getting phished.

hdjrudni 3 days ago

Passkeys can be a pain in the ass too. Evidently I set up my Yubikey with GitHub at some point, which is fine if I'm at my desktop where my key is plugged in, but if I want to sign in on mobile... now what? I just couldn't log in on mobile for months until I realized I think there's a button on there somewhere that's like "use different 2FA", but then what was even the point of having a key registered if it can be bypassed?

sneak 3 days ago

You can use software U2F (iCloud supports this); you don't need Yubikeys.

Also, Yubikeys work on phones just fine, via both NFC and USB.

dchest 3 days ago

While you can set up passkeys with a YubiKey, the most common intended use case is key pairs that are syncable via your Apple/Google/password manager account. So, once you add a passkey, you'll be able to sign in on mobile with it automatically.

nialv7 3 days ago

You can use YubiKeys for both passkey and password+2FA. This way you aren't bypassing anything. And btw, you can get USB-C YubiKeys so you can plug one into your phone. If even that's not an option, you can get a USB-C to USB-A adapter.

yawaramin 3 days ago

> but if I want to sign in on mobile... now what?

Just set up a new passkey on the mobile device.