Everyone universally hates passkeys because they never work right.
It’s a shitty user experience though, as loads of websites turn into “username+password+yubikey+pin+key button press”
I’m considering a passkey deployment. What sort of issues did you encounter?
An authenticator device is agnostic, transportable and can be backed up (or a secondary added)... sometimes. Implementations can suck (looking at you, my bank that only allows one key)
I hate all of the half-cooked non-TOTP MFA methods that I'm forced to use. Just let me use my freaking authenticator app. If you believe that your users prefer (or maybe it's just you?) more databroker-friendly methods, then fine, but please at least provide TOTP as an option.
Why is a video game embarrassing fintech?
There was (maybe still is) lots of money to be made by hacking accounts and selling them.
WoW was fintech!
WOW was teaching kids how free market capitalism works early on.
For my German banks, this is true. Stupid custom apps and proprietary reader hardware that read coloured moving QR codes everywhere.
It makes sense to ask you for evidence: You'd just have to name a bank that provides SMS 2FA.
https://www.cisa.gov/sites/default/files/publications/fact-s...
The only downside of TOTP to FIDO and friends (from a security perspective) is phishing resistance
Don't use TOTPs if you have an option to use Passkeys/WebAuthN
Short video example: https://taptrap.click/
"If the user had enrolled a Security Device for PyPI second factor authentication, the attacker would not have been able to use the second factor, as the WebAuthn protocol requires the user to physically interact with a hardware security key, or use a browser-based implementation, which would not be possible if the user was not on the legitimate PyPI.org website (Relying Party Identifier)."
https://blog.pypi.org/posts/2025-07-31-incident-report-phish...
Grandma goes to fakesite.com not realising it isn't her real site. It asks her for the TOTP code, she provides her TOTP code and it works. She is reassured - if this wasn't her real site why would the code work?
Now, in theory a neutral security assessor can see that's not reassuring, but that's not how humans work; the fact there was a challenge-response feels like security even though for all they know it was accepting any inputs.
Phishing sites generally have a milder version of this effect. I have vanity mail, so I own the "mail provider" handling my email and yet of course I get those phishing mails saying as the "Administrators" of my vanity domain they need me to type in my password. But they don't know my password of course, so filling in their form with crap "works" the same as anything else, fuckyouscammers, sure that's a reasonable password.
These schemes can't work if you don't rely on stupid shared human secrets ("Passwords") everywhere, but we did and it seems many people are really enthusiastic to keep doing that, so I doubt we'll escape from this self-imposed status. I wanted to make a web site that mimics the famous reusable Onion article but I've never gotten around to it. "No way to prevent this"
This is all in the standard, most places have implemented one of the options. I've implemented all of the options at least once. It's configurable based on how lax/secure you want to be.
Most places I've dealt with allow the previous and next code to also be used, so instead of a 30s window you actually have a 1.5m window.
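Added example (not code from any commenter above) illustrating the two points made in this sub-thread: an RFC 6238 TOTP verifier that accepts the previous and next 30-second step, so the effective acceptance window is 90 seconds, and why such a code still validates when it is relayed from a phishing page, in contrast to WebAuthn, where the authenticator binds the assertion to the relying party ID. The TOTP key and time values are the RFC 6238 test vectors; the "pypi.org" and "fakesite.com" names, the constructed authenticator data and the 20-second relay delay are illustrative assumptions.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test key (ASCII "12345678901234567890"); SHA-1, 30 s step.
RFC_TEST_KEY = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, skew: int = 1,
                digits: int = 6, step: int = STEP_SECONDS) -> bool:
    """Server-side check. skew=1 accepts the previous, current and next step,
    i.e. a (2*skew+1)*step = 90 s window; skew=0 accepts only the current step."""
    current = unix_time // step
    for counter in range(current - skew, current + skew + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True
    return False


def acceptance_window_seconds(skew: int = 1, step: int = STEP_SECONDS) -> int:
    return (2 * skew + 1) * step


def relayed_totp_accepted(secret: bytes, typed_at: int, relay_delay: int = 20) -> bool:
    """Phishing simulation (constructed): the victim types a valid code into the
    fake site at typed_at; the attacker forwards it to the real site relay_delay
    seconds later. Nothing in the code ties it to the site it was typed into."""
    victim_code = totp(secret, typed_at)
    return verify_totp(secret, victim_code, typed_at + relay_delay, skew=1)


# --- WebAuthn contrast -------------------------------------------------------
# The first 32 bytes of WebAuthn authenticatorData are rpIdHash = SHA-256(rpId).
# The relying party recomputes the hash for its own RP ID and rejects a mismatch.

def constructed_authenticator_data(rp_id: str) -> bytes:
    """Minimal constructed authenticatorData: rpIdHash || flags (UP|UV) || counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + struct.pack(">I", 1)


def rp_id_matches(auth_data: bytes, expected_rp_id: str) -> bool:
    expected = hashlib.sha256(expected_rp_id.encode()).digest()
    return hmac.compare_digest(auth_data[:32], expected)


if __name__ == "__main__":
    print("TOTP at t=59:", totp(RFC_TEST_KEY, 59))
    print("window with skew=1:", acceptance_window_seconds(1), "seconds")
    print("relayed TOTP accepted by real site:", relayed_totp_accepted(RFC_TEST_KEY, 59))
    # An assertion produced for the phishing page's RP ID fails the real site's check.
    fake = constructed_authenticator_data("fakesite.com")
    print("WebAuthn assertion from fakesite.com accepted by pypi.org:",
          rp_id_matches(fake, "pypi.org"))
```

The skew parameter is what the comment above calls "configurable": with skew=1 a code minted in the previous step is still accepted, which helps users whose phone clock drifts but also gives a phishing relay more time. The rpIdHash check is only the part of WebAuthn verification that is visible here; a real relying party also verifies the origin in clientDataJSON, the challenge and the signature.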
1. Just a 4 digit numeric PIN like `1981`
2. A 20 character upper/lower/numeric/special-character password like `qmd1tkf7mwa.PQB0qrz$`
--
The PIN has lower entropy and is therefore a lot easier to brute force.
I haven't calculated this stuff myself -- I just used Wolfram Alpha -- but it looks like the PIN would take <1 second to brute force, while the 20 character password would take 7.6 * 10^25 years. [1] [2]
--
[1] https://www.wolframalpha.com/input?i=password+strength+qmd1t...
[2] https://www.wolframalpha.com/input?i=password+strength+1981
Of course, it's also a way to force users to tag their contact's photos and train Facebook's face detector by holding your account hostage until you comply, similar to those CAPTCHA street view challenges.
Besides, it only works if the attacker is a stranger, if it's an acquaintance (or a very dedicated stalker) then it doesn't work so well anymore.
When you already have so many logins that you start using a password manager, your passwords are already high entropy enough that they don't get brute forced and a leak doesn't compromise your other accounts. TOTP adds challenge response to this, so it is actually a bit better than a password since an interception cannot be reused, but they are both still shared secret and in both cases need to be stored in some other device (password manager vs TOTP code manager). For most logins that don't require real security I just use my password manager for both so it is just a disjoint shared secret approach. Nevertheless, TOTP "increases security" for websites (but not my security specifically) because the shared secret is generated by the website owner so is definitely unique and not reused unlike many other user's passwords.
I expect the majority of people are storing their TOTP secrets on the device they are logging in from (their mobile device) and so have single points of vulnerability. So multifactor auth is typically just a disjoint shared secret with a partial challenge. The extra security is just created because the website forces true random shared secret. We could have all this with a single factor.
I stopped logging in to GitHub since they enforced 2FA on my account. Luckily no current customer of mine is using GitHub. They are on Bitbucket and it does not require 2FA yet.
A number of services that I use ask me to enable 2FA. I skip the offer every time.
The worst 2FAs are SMS based: not because of the (in)security of SMSes but because I don't receive SMSes when I'm outside of my country.
What?! I've never had that issue.
And nobody sent SMS to me, everybody used WhatsApp or similar services.
There's an implication here that users would pick a random hand. I'm sure a set containing all flushes, straights, full houses and four of a kind would account for most of the used passwords.
I'll take "Lies that your parents told you about how the world works" for 500, Alex.
Serious question though, I thought the whole signature thing was more of a legally binding thing for the signer asserting themselves as X, sort of like checking the "I'm over 18" box. Sort of a "Well we asked you the question, it's not our fault if you lied" type thing.
lelanthran•6mo ago
Handed the clerk my card during payment, she looked at it and said it is not signed so she is not allowed to accept it. I took it back, she gave me a pen, I signed it and gave it back to her.
She ran the transaction, got an approved slip, gave me the slip to sign, I signed it and gave it back.
She compared the signature on the slip to the signature on the back of the card, and Lo And Behold, They Matched!
boogieknite•6mo ago
I went to Germany as an exchange student, scribbled out my random scribble for my traveller's check, and they denied me because my signature wasn't close enough to their record. Heard a similar story from a friend who visited Japan.
tialaramex•6mo ago
There's a big difference between "This thumbprint in blood was on the recovered murder weapon and it's a perfect match" and "This smudge of half a finger on a paper bag found near the scene was arguably a match" but the jury isn't necessarily told about this and where on that scale the evidence they've been told about would lie.