You understand that technical people often are the least likely to trust new technology and are often stuck in the mud when it comes to technology? Doubly so if you are anti-corporation. It seems anything that isn’t the Unix way of doing things can be questioned.
There is a good meme about people who love technology vs people who actually work with the stuff. The former using IoT devices to turn their lights on while the latter uses a light switch and has a gun in case the printer starts making weird noises.
2FA is just dead simple. I contact you, you contact me, handshake achieved. If you call me out of the blue I raise the alarm. If you get a login attempt with a failed handshake you raise the alarm.
Putting it all behind a pop up screen just isn’t trustworthy to the human brain.
TOTP 2FA is less secure than passkeys. 2FA TOTP keys can be phished. Passkey authentication cannot be phished. This is a security improvement which can make people completely immune to phishing attacks. That’s huge. And it doesn’t have any privacy risks, no loss of anonymity. It’s an open standard.
This is, objectively, a rare example of new technology which will make the world better and safer for us.
2FA is not SMS. SMS is the least secure, shittiest, and simplest form of 2FA, designed as the bare minimum for the average chucklefuck. Everywhere implemented it hastily because the average idiot still uses the same password for everything. It should be illegal as the only form of 2FA, but our governments are run by criminally corrupt dinosaurs.
Fun story! Back in 2017 I tried to remove SMS 2FA entirely, and switch to a data only mobile service. I use 2FA everywhere it’s available, but was able replace SMS with TOTP everywhere except banks, even on big tech platforms where you could only activate TOTP after adding a mobile number and enabling SMS 2FA (you could then remove the mobile number). I ultimately had to keep the voice service because banks required SMS 2FA, with no alternatives beyond their own custom 2FA apps, that can only be registered by SMS. Almost a decade later I have more SMS 2FA than ever before.
The moral of the story is we live in a clown world capitalist dictatorship.
The amount of people in this thread that don’t understand passkeys surprises me. This is Lemmy. Aren’t we the technical Linux nerds of the Internet?
You understand that technical people often are the least likely to trust new technology and are often stuck in the mud when it comes to technology? Doubly so if you are anti-corporation. It seems anything that isn’t the Unix way of doing things can be questioned.
There is a good meme about people who love technology vs people who actually work with the stuff. The former using IoT devices to turn their lights on while the latter uses a light switch and has a gun in case the printer starts making weird noises.
Good point, and I love that meme.
2FA is just dead simple. I contact you, you contact me, handshake achieved. If you call me out of the blue I raise the alarm. If you get a login attempt with a failed handshake you raise the alarm.
Putting it all behind a pop up screen just isn’t trustworthy to the human brain.
SMS 2FA is notoriously compromised by various means.
TOTP 2FA is less secure than passkeys. 2FA TOTP keys can be phished. Passkey authentication cannot be phished. This is a security improvement which can make people completely immune to phishing attacks. That’s huge. And it doesn’t have any privacy risks, no loss of anonymity. It’s an open standard.
This is, objectively, a rare example of new technology which will make the world better and safer for us.
Yes, this point exactly, thank you for explaining this.
Passkey is multifactor: something the user has (key), something the user is (biometric) or knowns (password) to unlock the key. Yes, dead simple.
2FA is great, right up until you’re also the victim of a sim swap attack.
Text has always been insecure. An authenticator app is better.
2FA is not SMS. SMS is the least secure, shittiest, and simplest form of 2FA, designed as the bare minimum for the average chucklefuck. Everywhere implemented it hastily because the average idiot still uses the same password for everything. It should be illegal as the only form of 2FA, but our governments are run by criminally corrupt dinosaurs.
Fun story! Back in 2017 I tried to remove SMS 2FA entirely, and switch to a data only mobile service. I use 2FA everywhere it’s available, but was able replace SMS with TOTP everywhere except banks, even on big tech platforms where you could only activate TOTP after adding a mobile number and enabling SMS 2FA (you could then remove the mobile number). I ultimately had to keep the voice service because banks required SMS 2FA, with no alternatives beyond their own custom 2FA apps, that can only be registered by SMS. Almost a decade later I have more SMS 2FA than ever before.
The moral of the story is we live in a clown world capitalist dictatorship.
The synchronization part is the annoying part. And when you have multiple accounts on one site you can end up with multiple passkeys for it.