Comment on The Fediverse Isn’t the Future. It’s the Present We’ve Been Denied.
xylogx@lemmy.world 1 day ago
It is hard to do well, which is why I worry. Google probably has the best overall account security; you could do worse than modeling after them.
The short answer to your question is Passkeys. But you need a whole system of account recovery around them.
CubitOom@infosec.pub 1 day ago
Oh, you can easily bypass passkeys with automation. Don’t even need an image recognition model, just a QR-code scanner like zbarimg. But I never tried Google’s passkey feature since it never seemed as secure as a 48-char computer-generated password. So I’m not sure exactly how it works.
xylogx@lemmy.world 1 day ago
Go read the FIDO threat model if you want to understand how it protects against specific attacks. It is pretty secure.
fidoalliance.org/…/fido-security-ref-v2.0-id-2018…
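As an added illustration that is not part of the thread (and not code from the FIDO Alliance or any passkey implementation), here is a toy model of the challenge-response that the FIDO threat model above relies on. The server keeps only a public key, issues a fresh random challenge per login, and accepts an assertion only if it is a valid signature over that challenge bound to the relying-party identifier. The names (`lemmy.example`, `alice`, `Authenticator`, `RelyingParty`) are constructed; textbook RSA over a SHA-256 digest stands in for the ECDSA/Ed25519 signatures real authenticators produce; and treating the QR code as carrying the challenge is a simplification (the real cross-device QR code carries pairing data for the phone-to-browser channel, likewise no credential). The `demo()` function runs the legitimate login and then three automated bypass attempts: replaying a captured assertion, scanning the QR code with the wrong key, and signing for a lookalike origin.

```python
"""Toy model of the passkey (FIDO2/WebAuthn) challenge-response.
Constructed for illustration: small textbook-RSA keys, no browser,
no CTAP transport, no hardware. Only the protocol structure is kept."""
import hashlib
import secrets


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probable-prime test (adequate for a toy key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Return ((n, e), (n, d)). 512-bit toy size: fast, not secure."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _assertion_digest(rp_id: str, challenge: bytes) -> int:
    """What gets signed: the challenge bound to the relying-party id."""
    return int.from_bytes(hashlib.sha256(rp_id.encode() + b"|" + challenge).digest(), "big")


class Authenticator:
    """Holds the private key; nothing else can mint a valid assertion."""

    def __init__(self) -> None:
        self.public_key, self._private_key = generate_keypair()

    def sign(self, rp_id: str, challenge: bytes) -> bytes:
        # A real authenticator signs for the origin the browser reports, so a
        # lookalike site only ever receives an assertion bound to itself.
        n, d = self._private_key
        sig = pow(_assertion_digest(rp_id, challenge), d, n)
        return sig.to_bytes((n.bit_length() + 7) // 8, "big")


class RelyingParty:
    """Server side: stores public keys only, challenges are one-shot."""

    def __init__(self, rp_id: str) -> None:
        self.rp_id = rp_id
        self._credentials = {}  # username -> public key
        self._pending = {}      # outstanding challenge -> username

    def register(self, username: str, public_key) -> None:
        self._credentials[username] = public_key

    def begin_login(self, username: str) -> bytes:
        # Simplification: this challenge is what we pretend the QR code shows.
        # It is public, single-use, and worthless without the private key.
        challenge = secrets.token_bytes(32)
        self._pending[challenge] = username
        return challenge

    def finish_login(self, challenge: bytes, assertion: bytes) -> bool:
        username = self._pending.pop(challenge, None)  # consumed: no replay
        if username is None:
            return False
        n, e = self._credentials[username]
        sig = int.from_bytes(assertion, "big")
        return sig < n and pow(sig, e, n) == _assertion_digest(self.rp_id, challenge)


def demo() -> dict:
    """Legitimate login plus three automated bypass attempts (constructed)."""
    rp = RelyingParty("lemmy.example")
    user_key = Authenticator()
    rp.register("alice", user_key.public_key)
    results = {}
    c1 = rp.begin_login("alice")                     # 1. real user signs
    a1 = user_key.sign(rp.rp_id, c1)
    results["legitimate"] = rp.finish_login(c1, a1)
    results["replay"] = rp.finish_login(c1, a1)      # 2. same assertion again
    c3 = rp.begin_login("alice")                     # 3. bot scanned the QR code
    bot_key = Authenticator()                        #    but only has its own key
    results["scanned_qr_wrong_key"] = rp.finish_login(c3, bot_key.sign(rp.rp_id, c3))
    c4 = rp.begin_login("alice")                     # 4. user signs for a lookalike origin
    results["phished_origin"] = rp.finish_login(c4, user_key.sign("lemmy-login.example", c4))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:>21}: {'accepted' if ok else 'rejected'}")
```

Only the first attempt is accepted. Reading the challenge out of a QR code gives a bot the same thing the server already knows; without the private key it cannot produce an assertion the server will verify, and because each challenge is consumed on first use, a captured assertion cannot be replayed either.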
4am@lemm.ee 1 day ago
That’s a pretty wild claim. It almost sounds like you don’t know what a passkey is. Explain.
CubitOom@infosec.pub 1 day ago
Oh, I don’t know what it is, sorry, I thought I made that clear. But a quick search on the internet said it was basically 2FA with a QR code, and since the issue was how it would protect Lemmy from bots, I just thought it wouldn’t be hard for a bot to read a QR code.
Feathercrown@lemmy.world 1 day ago
Bruh that’s gotta be one of the worst trains of thought I’ve seen recently ngl