TOTP authentication with free software
Posted Apr 15, 2023 14:18 UTC (Sat) by Rigrig (subscriber, #105346) In reply to: TOTP authentication with free software by mbunkus
Parent article: TOTP authentication with free software
(Which is good, because keeping hardware-token backups for every site is not something I look forward to…)
I sadly agree that all sites upgrading is not going to happen, but I'm at least hopeful that it will improve things on the sites that *do*: WebAuthn should "just work" for auto-fill extensions, instead of having to detect login fields hidden in some javascript-of-the-day framework mess.
Posted Apr 15, 2023 20:52 UTC (Sat) by mbunkus (subscriber, #87248)
• WebAuthn is nice in principle, but has the serious drawback of being tied to a device. Multi-device WebAuthn (meaning you register one device & can authenticate on a different device) is in the works, or there are thoughts about it, but no real solution.
What my point is in all of that is how it'll mesh with the vast majority of the population which simply is neither very tech-savvy nor security-conscious and oftentimes lazy. When I argued that the day will "never come", this is what I had in mind: I fear that WebAuthn will never really gain traction with the general public because it's simply way too much hassle to implement compared to TOTP 2FA (the general public often enough doesn't even want to use that).
And for Passkeys my fear is that the general public will simply choose the most convenient implementation, which means that the vast majority of them will have their passkeys stored with Apple or Google, depending on the ecosystem they're part of. Furthermore, if Chrome is the sync mechanism of choice in the Google world, I question how other apps will gain access to synced Passkeys — on mobile via the embedded Chrome thingy or Play services or such, and on desktop? I have doubts.
Now us more tech-savvy people will probably like WebAuthn for its properties, rejoice about Passkeys & set up our own storage and sync solution. For the whole world as such I'm not optimistic that this shift is a net positive.
Posted Apr 17, 2023 6:51 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)
You don't have to. The cloud sync service can use opaque blobs encrypted by the key you enter locally. I believe that's how Apple's implementation works; it just rides on top of Keychain synchronization that is encrypted by your iCloud password in the cloud.
Posted Apr 17, 2023 7:19 UTC (Mon) by zdzichu (subscriber, #17118)
JK, there are limits to paranoia.
Posted Apr 17, 2023 16:53 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)
• That realization led to yet another development called Passkeys, which are authentication tokens that can be synced between devices (e.g. Google Chrome on your desktop & mobile devices will all use the same tokens). The huge drawback is that in order for it to work the actual authentication information isn't only stored on your devices but also with a third party (with Google Chrome: on Google's servers), meaning you have to trust those providers with your credentials.