I personally am fine with this.
Yep, should be standard everywhere
… for accounts you actually give a shit about
And not via SMS
emphasis on the
… for accounts you actually give a shit about
deleted by creator
Just FYI, your account shows up as a bot. You should change it in your account settings.
deleted by creator
If your account is frozen they should still be on the device. That would be a good time to change all your passkeys over to a yubikey, or to add one as a secondary token.
The keys being locked in a Secure Enclave is generally considered a feature, not a bug. That passkeys sync at all is somewhat concerning. I wouldn’t expect them to be exportable any time soon.
deleted by creator
Apple actually describes the process for sync in some detail: https://support.apple.com/guide/security/secure-keychain-syncing-sec0a319b35f/web
Apple also describes the keychain recovery process in depth (I think this is when you’ve lost all devices?): https://support.apple.com/guide/security/escrow-security-for-icloud-keychain-sec3e341e75d/1/web/1
The Secure Enclave can apparently return the private key. For most keys it is encrypted with a key pair that is permanently stored in the Secure Enclave. For synchronized keys it is apparently encrypted with a key that is also stored in iCloud in such a way that Apple themselves cannot get to it.
It does sound like they could potentially enable exporting the passkeys, I think it’s unlikely they would because they provide a method to move them to other devices already and it does introduce more avenues for misuse. I don’t think it’s a huge requirement anyway, most hardware tokens provide no way to export at all by design. Apps that use them for 2FA should provide for enrolling multiple tokens.
deleted by creator
While you are adding this anyway consider using an open source app instead of google auth like aegis. There are many others but I wish I knew about them sooner.
I personally love keeweb. Passwords and 2fa all in one place.
I mean you could argue that defeats the purpose of having 2fa, but it’s convenient
It weakens it a bit, but in my opinion it still has strength where it counts. If an attacker gets access to your password outside your password manager (man-in-the-middle, keylogger, phishing), then you’re still protected. Maybe it’s hubris in my own ability to keep my password manager safe, but I’ve never been worried about storing MFA in my password manager.
deleted by creator
Bitwarden is also good.
Bitwarden crew checking in. The best thing about bitwarden is the 10$/year to have a pro account. It gives you, amongst other things the ability to store up to 1tb of attachments and reports on various risk assessments.
You can even host your own instance.
I recommend it.
You probably shouldn’t be storing your passwords and 2FA in the same place.
Just moved my github MFA to aegis.
deleted by creator
Too many people were making poor choices. When there’s an incident of an account that should have been secured but wasn’t getting compromised, that’s bad for the platform, ecosystem, and community. This is just another level beyond not allowing you to set a password of “password”
Yep. If people care about supply chain attacks or so, just add features that allow only commits from accounts with 2FA to certain repositories.
At least you should be able to use your local password manager as well if you don’t care about keeping your 2fa on separate hardware. KeePass 2, KeePassXC, Bitwarden, …
Github supports totp and Bitwarden, at least, can store that.
Bitwarden has 2FA (for paid tier, like $10/year). I don’t consider it “real” 2FA, but it’s more secure than just a password, and super quick to copy code using browser addon. Useful for certain sites, that don’t stay logged in, require every time, etc.
Though people that have authority over important projects should have proper security, considering how large the internet is, with how many individual parts, the chance of someone being in charge of a large and important project - may it be a browser, compiler/interpreter, utility, library etc. is not even close to zero.
So if a (co-)maintainer of a project included as standard utility in Linux Servers, let’s say bash for example, is somehow breached, the attacker could push and force merge a malicious obfuscated commit, maybe even with normal content included. As it’s from a reputable source, it’s not going to be checked as thoroughly as commits from other people. One hour later, every Arch system, desktop and server, has a trojan. Four hours later also all Gentoo systems (got to compile it first). 2yearsweeks later regularly updated debian servers now contain malware. A chain of events, fragile to being detected by people monitoring their own activity, other maintainers activity and people reading the source - eg. for security reasons -, but yet, not that unlikely considering the amount of packages present even in a standard install, and needed as dependencies for typical server packages.Organizations can already require 2FA for members of the org. We already had the tools.
Just use a YubiKey and keep it plugged in
Probably just someone at Microsoft trying to get promoted.
Good, people are fucking stupid and if it effects others it’s often better to choose the security for them!
Yup. I’m actually a bit baffled by how much negativity/misinformation there’s around 2FA even in a place like this, which should naturally have a more technically inclined userbase.
Well negativity is there because every app wants it.
I don’t care if account x is compronised, as it has absolutly no value
2fa should be mandatory everywhere
Hard disagree. I do not want to have 2FA for every shittly little thing I do not care about.
Yeah. GitHub makes sense because most users are writing code that can be executed by others. That makes GitHub accounts security critical.
But a Lemmy account? Naw, you lose almost nothing if that gets compromised. A little bit of history and subscriptions, mostly.
I’m in a discord that for some reason “requires” 2FA. Based on searching, I think they give everyone some kinda admin role or something? It doesn’t actually require 2FA, but it shows a very annoying warning that covers up a bunch of the channel selection screen. But despite that, I don’t really wanna deal with the hassle of 2FA on a chat app that’s basically consequence free for me if it gets exploited.
Specifically app-based 2FA, ideally Google Authenticator based. There are tons of great authenticator apps available that are all compatible, so it should absolutely be preferred over SMS or email.
Passkeys supported?
What’s the difference between a passkey and a security key?
Edit: ohh, it’s passwordless. I won’t do this for my Google account. Github: maybe. but not Google
2FA is the biggest bane to my productivity in the last 15 years, no part of my work life should require me to pull out my magic distraction device.
Use a password manager that lets you autofill 2fa, like Bitwarden.
1password does this, too and it’s magical. I’ve had my SMS go to my browser via Google Messages for a while, but it’s so much easier to just auto-fill it instead of copy/paste
Also, 1password logs you out when you stare at it wrong, so I’m not worried about someone who would somehow get local access abusing it.
That’s bad advice
Is it less secure than it could be? Yes.
Is it better than no 2FA? Also yes.
In the end if it doesn’t work for your security model, than more power to you. But if it helps to increase the security of the average Joe, it’s good advice.
I don’t like how a lot of things require their own custom app, especially when there’s no automatic notification. I need to try and remember what the app is called, open it, navigate through, then approve it
Get a hardware 2FA key instead of using your phone for TOTP
Yubikey
You can use KeePassXC to generate the TOTP codes on your PC. With the browser plugin, you can generate the code and fill the textbox with one click when the password database is unlocked.
Sites that don’t use standard TOTP for 2FA are a pain in the ass though.
Authy has a desktop app and syncing across devices
This! Authy is very very nice. Syncing accounts is a life saver, both as backup, and not having to pick up the phone all the time.
Cut and pasting with a click instead of reading and typing, is so much faster.
Easily search the very long list of entries.
Not open source tho, but free as in beer.
If Aegis had the sync option, i would have used that. But it did not last time i checked.
deleted by creator
It’s not the problem it’s trying to solve
