You can force auth on hardware passkeys for every activation. A sort of local password. Much more secure, also if somebody is in possession of your passkey and you didn’t just loose it somewhere you would be fucked anyways.
I have three, one for home, one for backup, and one for travel. I can See why ppl. Are annoyed by that, but speaking of costs, you can get these starting from ~20 Dollars. Additionally, passkeys could and should replace passwords and not EB generally used as 2FA.
Also many password managers (incl. FOSS) do support Passkeys, but having them in your password manager makes them arguably useless. Same if you use 2FA on your phone and a password manager and your phone gets compromised somehow.
I just needed to think of the scene from the Simpsons, where Mr. Burns and Smithers go all through the security checks and in the end, there is a flimsy open backdoor, where a stray dog entered the room. All security in the front doesn’t matter, if the backdoor is not secure at all and until the backdoor is that unsecure, I’m not willing to add money and time, to make the front door more secure.
The phone argument lacks a bit. Accessing the TOTP App and the password manager do require a separate authentification, to get encrypted. Sure if they snatch my phone away, when its fully unlocked, including my password manager, they have access for a limited time. They need to be fast enough, until I can remotly lock it or until it automatically locks itself. Android phones can now detect when they are stolen. Either by the movement or when it goes offline. The latter I tested and it’s not instant, but you still don’t have long.
I don’t think about potential backdoors. If there is no known backdoor, then I deem it save. Sure they also could me to unlock the phone. This would be xkcd 538. And this applies to any security.
Adding more security and inconvenience doesn’t make sense to me, so long the backend is shit. So far a few big companies did screw up hard in their backend and dozens of smaller sites do some bad stuff, that it doesn’t really matter how strong your login is. Here I reference back to my quote.
In a closed system, like a company, this added security makes sense, as they usually control the backend as well. If my CEO would send me a text request to reset his logins, I would call him or walk to his office, and ask him directly. Sure with AI, they could impersonate his voice but I don’t think they can impersonate his way to speak.
You can force auth on hardware passkeys for every activation. A sort of local password. Much more secure, also if somebody is in possession of your passkey and you didn’t just loose it somewhere you would be fucked anyways.
I have three, one for home, one for backup, and one for travel. I can See why ppl. Are annoyed by that, but speaking of costs, you can get these starting from ~20 Dollars. Additionally, passkeys could and should replace passwords and not EB generally used as 2FA.
Also many password managers (incl. FOSS) do support Passkeys, but having them in your password manager makes them arguably useless. Same if you use 2FA on your phone and a password manager and your phone gets compromised somehow.
I quote myself from a different comment:
The phone argument lacks a bit. Accessing the TOTP App and the password manager do require a separate authentification, to get encrypted. Sure if they snatch my phone away, when its fully unlocked, including my password manager, they have access for a limited time. They need to be fast enough, until I can remotly lock it or until it automatically locks itself. Android phones can now detect when they are stolen. Either by the movement or when it goes offline. The latter I tested and it’s not instant, but you still don’t have long.
I don’t think about potential backdoors. If there is no known backdoor, then I deem it save. Sure they also could me to unlock the phone. This would be xkcd 538. And this applies to any security.
Adding more security and inconvenience doesn’t make sense to me, so long the backend is shit. So far a few big companies did screw up hard in their backend and dozens of smaller sites do some bad stuff, that it doesn’t really matter how strong your login is. Here I reference back to my quote.
In a closed system, like a company, this added security makes sense, as they usually control the backend as well. If my CEO would send me a text request to reset his logins, I would call him or walk to his office, and ask him directly. Sure with AI, they could impersonate his voice but I don’t think they can impersonate his way to speak.