2FA is just dead simple. I contact you, you contact me, handshake achieved. If you call me out of the blue I raise the alarm. If you get a login attempt with a failed handshake you raise the alarm.
Putting it all behind a pop up screen just isn’t trustworthy to the human brain.
TOTP 2FA is less secure than passkeys. 2FA TOTP keys can be phished. Passkey authentication cannot be phished. This is a security improvement which can make people completely immune to phishing attacks. That’s huge. And it doesn’t have any privacy risks, no loss of anonymity. It’s an open standard.
This is, objectively, a rare example of new technology which will make the world better and safer for us.
But I also worry about new areas of weakness with passkeys - anyone accessing the device with the passkey on it, or hacked that device, gets access automatically to the accounts. Also if logins are too fluid I worry that anything out of the ordinary during sign ins won’t be noticed.
2FA is not SMS. SMS is the least secure, shittiest, and simplest form of 2FA, designed as the bare minimum for the average chucklefuck. Everywhere implemented it hastily because the average idiot still uses the same password for everything. It should be illegal as the only form of 2FA, but our governments are run by criminally corrupt dinosaurs.
Fun story! Back in 2017 I tried to remove SMS 2FA entirely, and switch to a data only mobile service. I use 2FA everywhere it’s available, but was able replace SMS with TOTP everywhere except banks, even on big tech platforms where you could only activate TOTP after adding a mobile number and enabling SMS 2FA (you could then remove the mobile number). I ultimately had to keep the voice service because banks required SMS 2FA, with no alternatives beyond their own custom 2FA apps, that can only be registered by SMS. Almost a decade later I have more SMS 2FA than ever before.
The moral of the story is we live in a clown world capitalist dictatorship.
2FA is just dead simple. I contact you, you contact me, handshake achieved. If you call me out of the blue I raise the alarm. If you get a login attempt with a failed handshake you raise the alarm.
Putting it all behind a pop up screen just isn’t trustworthy to the human brain.
SMS 2FA is notoriously compromised by various means.
TOTP 2FA is less secure than passkeys. 2FA TOTP keys can be phished. Passkey authentication cannot be phished. This is a security improvement which can make people completely immune to phishing attacks. That’s huge. And it doesn’t have any privacy risks, no loss of anonymity. It’s an open standard.
This is, objectively, a rare example of new technology which will make the world better and safer for us.
But I also worry about new areas of weakness with passkeys - anyone accessing the device with the passkey on it, or hacked that device, gets access automatically to the accounts. Also if logins are too fluid I worry that anything out of the ordinary during sign ins won’t be noticed.
Yes, this point exactly, thank you for explaining this.
Passkey is multifactor: something the user has (key), something the user is (biometric) or knowns (password) to unlock the key. Yes, dead simple.
2FA is great, right up until you’re also the victim of a sim swap attack.
2FA is not SMS. SMS is the least secure, shittiest, and simplest form of 2FA, designed as the bare minimum for the average chucklefuck. Everywhere implemented it hastily because the average idiot still uses the same password for everything. It should be illegal as the only form of 2FA, but our governments are run by criminally corrupt dinosaurs.
Fun story! Back in 2017 I tried to remove SMS 2FA entirely, and switch to a data only mobile service. I use 2FA everywhere it’s available, but was able replace SMS with TOTP everywhere except banks, even on big tech platforms where you could only activate TOTP after adding a mobile number and enabling SMS 2FA (you could then remove the mobile number). I ultimately had to keep the voice service because banks required SMS 2FA, with no alternatives beyond their own custom 2FA apps, that can only be registered by SMS. Almost a decade later I have more SMS 2FA than ever before.
The moral of the story is we live in a clown world capitalist dictatorship.
Text has always been insecure. An authenticator app is better.