2FA support would be better
Comment on The Fediverse Isn’t the Future. It’s the Present We’ve Been Denied.
CubitOom@infosec.pub 1 day agoWhat would you propose replace passwords to not be susceptible to those things?
I personally like how secure and non intrusive passwords are, especially when using a self hosted password manager synced with git.
WhyJiffie@sh.itjust.works 1 day ago
Anafabula@discuss.tchncs.de 1 day ago
Lemmy does support 2fa
WhyJiffie@sh.itjust.works 1 day ago
oh. Nevermind then. I think this should be enough. maybe OpenID Connect support would be nice
xylogx@lemmy.world 1 day ago
It is hard to do well which is why I worry. Google probably has the best overall account security, you could fo worse than modeling after them.
The short answer to your question is Passkeys. But you need a whole system of account recovery around them.
CubitOom@infosec.pub 1 day ago
Oh, you can easily bypass passkeys with automation. Don’t even need an image recognition model, just a QR-code scanner like
zbarimg.But i never tried googles passkey feature since it never seemed as secure as a 48 char computer generated password. So I’m not sure exactly how it works.
xylogx@lemmy.world 1 day ago
Go tead the FIDO threat model if you want to understand how it protects against specific attacks. It is pretty secure.
4am@lemm.ee 1 day ago
That’s a pretty wild claim. It almost sounds like you don’t know what a passkey is. Explain.
CubitOom@infosec.pub 1 day ago
Oh I don’t know what it is, sorry I thought I made that clear. But a quick search by on the internet said it was basically 2fa with a qr code and since the issue was how it would protect Lemmy from. Bots I just thought it wouldn’t be hard for a not to read a qr code.
4am@lemm.ee 1 day ago
Passkeys are much better. Unlike what FAANG companies want you to believe, they do not have to be tied to a device. Use a password manager that supports them (BitWarden) and pretty much never get hacked again because of a password. Website doesn’t need to store anything that an attacker can use. No downside.
Mendicant_Bias@feddit.uk 1 day ago
Any recommended reading for pass keys to get me up to speed? I use Bitwarden and have been happy enough with just passwords via that for a long time now. Only time I’ve seen pass keys mentioned really was Google trying to push it on me but I don’t use their password manager.
4am@lemm.ee 16 hours ago
A passkey is a public/private key pair used instead of a password. You store the private key, and the website stores the public key. Data encrypted with the public key can only be decrypted by the private key, and vice-versa.
This means you can share the public key freely with the website, and even if they get hacked and the public keys are stolen, they’re useless.
When you log in, they send you a challenge encrypted with the public key, and since you hold the private key, you can decrypt it, create a response to it, re-encrypt it with the private key, and send the response to the website; which then decrypts it with the public key to verify it.
The initial spec was that each device would have its own passkey and store it in a TPM (that thing Microsoft requires your computer to have for Windows 11), which is a secure memory storage location that only the kernel can access.
However BitWarden is also able to store them and make them portable. (I think the standard was loosened to allow for this? But don’t quote me on that.) So, now you can have one passkey for the site and it works anywhere you can use BitWarden’a browser extension.
TLDR: more secure than a password, nothing to forget, stops passwords being stolen.