Take your passkey and shove it where the sun don't shine (lemmy.world)

submitted 2 weeks ago by cm0002@lemmy.world to c/memes@lemmy.world

26 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[-] deegeese@sopuli.xyz 0 points 2 weeks ago

It’s shitty user experience when forced to dig out my phone to authenticate myself to a site I barely give half a shit about.

Like I wouldn’t even have an account if it wasn’t forced, and now you assholes want my phone too?

[-] hemko@lemmy.dbzer0.com 0 points 2 weeks ago

I think you're describing SMS passcode, totp or other such factors.

Passcode doesn't require phone necessarily, but you can use it too

[-] Kusimulkku@lemm.ee 0 points 2 weeks ago* (last edited 2 weeks ago)

A lot of the stuff that has implemented passkeys so far are on mobile. And I mean the apps serving them out, not things you authenticate to.

[-] 4am@lemm.ee 0 points 2 weeks ago

BitWarden has a desktop extension and it also handles 2FA. No reason to be using a password, which is way less secure and can be extracted from a website DB via a hack.

[-] Kusimulkku@lemm.ee 0 points 2 weeks ago

Doesn't the 2FA protect users still, if they only got the password?

[-] perfectly_boiled_pizza@lemmy.world 1 points 2 weeks ago* (last edited 1 week ago)

In practice, yes. IF IMPLEMENTED PROPERLY it would be extremely unlikely for an attacker to get in.

For example with a proper implementation of TOTP it would require an attacker to guess the correct number between 0 and 999999 in less than half a minute. Most services make you wait a little bit (often less than humans notice) between attempts and don't allow infinite attempts, so an attacker would have to be unimaginably lucky.

There are sadly lots of huge companies that DON'T IMPLEMENT 2FA PROPERLY. Sony Entertainment (account for PlayStation) for example. So a unique and long password is still important.