[-] killingspark@feddit.org 0 points 2 days ago* (last edited 2 days ago)

This. This so much. Password+TOTP based login is just two passwords where one is more annoying to use.

[-] BCsven@lemmy.ca 3 points 2 days ago

Not if your TOTP codes are generated by another device, then the attacker needs your password, plus the device holding the key for TOTP. If you use it on your phone and the authenticator is your phone, then a thief has everything when they steal your phone.

Hardware key for TOTP is a better 2FA method as it's totally separate from your PC or phone.

[-] killingspark@feddit.org 2 points 2 days ago

As long as the default recommendation is to use authenticator apps on your main device, I'll see this as a "could be good if implemented correctly, which it isn't, so it isn't good".

[-] TheObviousSolution@lemmy.ca 1 points 2 days ago

If you can get at a password by hacking a website, I wouldn't be holding out hope that they couldn't then steal the TOTP secret.

[-] BCsven@lemmy.ca 1 points 2 days ago

I mean yes everything is hackable. Thankfully the hardware key supports FIDO where there is a public / private pair with private locked on the hardware. Not enough services support this though.

So the threat is being targeted and having somebody steal the hardware key.
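The point the thread keeps returning to, shown as an added example (not code from any commenter): an RFC 6238 TOTP verifier has to hold the very same secret the authenticator holds, so the server-side store contains everything needed to mint valid codes, which is why a password-database breach can also expose TOTP. The secret below is the public test value from RFC 6238 Appendix B, not a real credential.

```python
import hmac
import hashlib
import struct

# RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# RFC 6238 TOTP: HOTP with the counter derived from Unix time (30 s steps).
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)

# Server-side check. Note what it needs: the raw shared secret, not a one-way
# hash of it, because it must recompute the code. Anyone who reads this store
# can generate codes exactly as the user's authenticator does. A FIDO verifier,
# by contrast, stores only a public key that cannot produce signatures.
def verify_totp(stored_secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        # constant-time comparison to avoid leaking partial matches
        if hmac.compare_digest(hotp(stored_secret, c, digits), submitted):
            return True
    return False

# Public test vector from RFC 6238 Appendix B (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(RFC_TEST_SECRET, 59, digits=8)
    print("code at t=59:", code)                       # 94287082 per RFC 6238
    print("verifies:", verify_totp(RFC_TEST_SECRET, code, 59, digits=8))
```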

this post was submitted on 13 Mar 2026
Programmer Humor