• Lmaydev@programming.dev
    link
    fedilink
    English
    arrow-up
    146
    arrow-down
    4
    ·
    10 months ago

    There was a chap on here the other day who said they hate 2fa and don’t need it because they use passwords that are 50 characters and generated by the password manager.

    This is a perfect example of why you should always activate it when possible.

    • Specal@lemmy.world
      link
      fedilink
      English
      arrow-up
      47
      arrow-down
      7
      ·
      10 months ago

      Alot of people don’t like Microsoft, but they’re pushing for zero password authentication for a reason. Passwords are getting really insecure really fast.

      • andrew@lemmy.stuart.fun
        link
        fedilink
        English
        arrow-up
        33
        arrow-down
        1
        ·
        edit-2
        10 months ago

        This vulnerability has nothing to do with password strength or security and everything to do with password reset security, i.e. email and improper handling of parameters to that reset API call.

        Passkeys are interesting and potentially quite strong but they’re going to have to fall back to the same old reset mechanism if you e.g. drop your passkey device (phone) into a lake.

        • hydration9806@lemmy.ml
          link
          fedilink
          English
          arrow-up
          5
          arrow-down
          4
          ·
          10 months ago

          Or just make it clear your account is gone if you lose your passkey, so have a second key for backup or learn a hard lesson.

        • Specal@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          10 months ago

          I just use their Authenticator app out of convenience, I get a notification when I login through it and it asks me to input the correct number given by the app, a 2 digit number.

      • CubitOom@infosec.pub
        link
        fedilink
        English
        arrow-up
        2
        ·
        10 months ago

        How does Microsoft’s implementation work?

        Is it possible to log into windows without a Microsoft account using that method?

    • whyNotSquirrel@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      15
      ·
      10 months ago

      I see a lot of people around me resetting passwords of services they rarely use because they forgot what password they used and don’t have a password manager (or not synced one). And I don’t understand why all services don’t propose to generate a one time link to log in instead of changing passwords (a few services do propose it already)

      Passwords are useless for all users using the same password for every account they have, and i’m sure it’s a majority of users.

      • Lmaydev@programming.dev
        link
        fedilink
        English
        arrow-up
        9
        arrow-down
        1
        ·
        10 months ago

        Google is moving that way with passkeys. I think it’ll catch on with many people.

        Just cut the passwords out and go straight to unlocking with a device.

        That said not sure what happens if you lose your device.

    • pizzawithdirt@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      10 months ago

      I don’t have 2FA for my GitLab account since it’s only accesible via my GitHub account which has 2FA. Is this good or should I add 2FA to GitLab also?

        • BirdsWithBeefyArms@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          10 months ago

          This isn’t necessarily true. If you are using an identity provider, you can still perform a password reset on GitLab and set a password there, bypassing your 2FA on GitHub. You usually shouldnt rely on IdP 2FA unless the destination system enforces IdP signin every time. There is a group setting in GitLab that does that, but it will only apply for that group.

    • CubitOom@infosec.pub
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      2
      ·
      10 months ago

      One of the biggest issues with 2fa is that normally it’s either an easily spoofable phone/email or an app locked to a device.

      This is why I use a password manager (pass) that is synced across all of my devices (via a private self hosted git for version control) that I can send 2fa QR codes to cameraless devices via screenshots using zbarimg and have every device capable of 2fa verification with the pass-otp extension.

      I know this setup is a bit complicated as just dealing with git or importing a gpg key would give most people I know sense of existential dread. I am curious to see what others use for similar functionality.