Lemmy supports 2FA lol.
(At least on the web UI it does)
Comment on The Fediverse Isn’t the Future. It’s the Present We’ve Been Denied.
xylogx@lemmy.world 4 weeks ago
I love Lemmy and Voyager and the Fediverse. That said, if it were to become mainstream I forsee some problems. The fact that the login relies on only passwords is pretty terrible. Also, this makes the service vulnerable to bots, sock puppet accounts, brigading, etc.
IDKWhatUsernametoPutHereLolol@lemmy.dbzer0.com 4 weeks ago
CubitOom@infosec.pub 4 weeks ago
What would you propose replace passwords to not be susceptible to those things?
I personally like how secure and non intrusive passwords are, especially when using a self hosted password manager synced with git.
4am@lemm.ee 4 weeks ago
Passkeys are much better. Unlike what FAANG companies want you to believe, they do not have to be tied to a device. Use a password manager that supports them (BitWarden) and pretty much never get hacked again because of a password. Website doesn’t need to store anything that an attacker can use. No downside.
Mendicant_Bias@feddit.uk 4 weeks ago
Any recommended reading for pass keys to get me up to speed? I use Bitwarden and have been happy enough with just passwords via that for a long time now. Only time I’ve seen pass keys mentioned really was Google trying to push it on me but I don’t use their password manager.
4am@lemm.ee 4 weeks ago
A passkey is a public/private key pair used instead of a password. You store the private key, and the website stores the public key. Data encrypted with the public key can only be decrypted by the private key, and vice-versa.
This means you can share the public key freely with the website, and even if they get hacked and the public keys are stolen, they’re useless.
When you log in, they send you a challenge encrypted with the public key, and since you hold the private key, you can decrypt it, create a response to it, re-encrypt it with the private key, and send the response to the website; which then decrypts it with the public key to verify it.
The initial spec was that each device would have its own passkey and store it in a TPM (that thing Microsoft requires your computer to have for Windows 11), which is a secure memory storage location that only the kernel can access.
However BitWarden is also able to store them and make them portable. (I think the standard was loosened to allow for this? But don’t quote me on that.) So, now you can have one passkey for the site and it works anywhere you can use BitWarden’a browser extension.
TLDR: more secure than a password, nothing to forget, stops passwords being stolen.
pulsewidth@lemmy.world 4 weeks ago
I’d much rather use a password and a two-factor auth via TOTP code. It’s fast, portable, I can store them on a variety of open source apps, and it’s very hard to hack. I don’t need to use a specific provider, or browser. Flexible and free.
Passkeys in their current implementation are comparatively a mess. Here’s an article that runs through many reasons why:
arstechnica.com/…/passkey-technology-is-elegant-b…
WhyJiffie@sh.itjust.works 4 weeks ago
2FA support would be better
Anafabula@discuss.tchncs.de 4 weeks ago
Lemmy does support 2fa
WhyJiffie@sh.itjust.works 4 weeks ago
oh. Nevermind then. I think this should be enough. maybe OpenID Connect support would be nice
xylogx@lemmy.world 4 weeks ago
It is hard to do well which is why I worry. Google probably has the best overall account security, you could fo worse than modeling after them.
The short answer to your question is Passkeys. But you need a whole system of account recovery around them.
CubitOom@infosec.pub 4 weeks ago
Oh, you can easily bypass passkeys with automation. Don’t even need an image recognition model, just a QR-code scanner like
zbarimg.But i never tried googles passkey feature since it never seemed as secure as a 48 char computer generated password. So I’m not sure exactly how it works.
xylogx@lemmy.world 4 weeks ago
Go tead the FIDO threat model if you want to understand how it protects against specific attacks. It is pretty secure.
fidoalliance.org/…/fido-security-ref-v2.0-id-2018…
4am@lemm.ee 4 weeks ago
That’s a pretty wild claim. It almost sounds like you don’t know what a passkey is. Explain.