this post was submitted on 21 Dec 2024
94 points (98.0% liked)

technology

Installed Steam on a new computer. Signed in. It sent a passcode to my Gmail. I signed into Gmail. It wanted me to 2FA because I hadn't signed into Google on that device. It sent a notification to my phone, which I never received. I had it resend the notification twice, still nothing. Tried again with my phone's offline passcodes. Neither worked. Tried the QR code/Bluetooth connection, and that finally did it.

At least I got through in the end, but fuck, it's annoying.

[–] [email protected] 4 points 20 hours ago* (last edited 20 hours ago) (1 children)

I guess our tech overlords have determined that "Passkeys" are going to be the replacement and fix for this kind of multi-factor authentication hell. Should be nice once everything actually adopts and implements it well. Still need like an email-based password reset or something like that.

[–] [email protected] 3 points 19 hours ago* (last edited 19 hours ago) (1 children)

I really like GRC's Secure Quick Reliable Login (SQRL). It's older than most examples, but basically just the open version of the prompt on your phone. Authentication requests are made for a specific domain and sent back to that domain only. So much more phishing resistance than has been typical, similar to passkeys. It's as seamless as scanning any QR code with a phone, or it integrates with a browser or local password manager/daemon. The prompts on the phone show you the unobfuscated domain name of whatever generated the QR code/auth request, and if it's never been used before, like a phishing site, it'll only offer user registration (usually with one click).

The backups of your credentials are just QR codes and can be printed on standard printer paper.

It is used internally at a midsize organization for their internal systems authentication. Way less hassle than the Microsoft authenticator, no added hardware like a passkey.

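The per-domain key derivation the comment above describes, as an added illustration that is not part of this thread and not GRC's own code. It assumes the core SQRL idea in simplified form: one master secret, a per-site Ed25519 key derived as HMAC-SHA256(master, domain), and a signature over the domain plus a single-use nonce, returned only to that domain. The domain names, the message framing and the "register"/"login" return values are made up for this example; the real SQRL wire protocol differs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Identity is the user's single master secret. No per-site state is stored;
// every site key is recomputed from it, which is why a printed QR code of the
// master suffices as a backup.
type Identity struct {
	master []byte // 32 random bytes
}

// NewIdentity draws a fresh master secret from the OS random source.
func NewIdentity() (*Identity, error) {
	m := make([]byte, 32)
	if _, err := rand.Read(m); err != nil {
		return nil, err
	}
	return &Identity{master: m}, nil
}

// siteKey derives the per-domain Ed25519 key with HMAC-SHA256(master, domain)
// as the seed: same domain, same key; different domain, unrelated key.
func (id *Identity) siteKey(domain string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, id.master)
	mac.Write([]byte(domain))
	return ed25519.NewKeyFromSeed(mac.Sum(nil))
}

// SiteID is the public identity a given domain learns about this user.
func (id *Identity) SiteID(domain string) ed25519.PublicKey {
	return id.siteKey(domain).Public().(ed25519.PublicKey)
}

// Challenge is what the site's QR code carries: the domain the phone prompt
// displays unobfuscated, and a one-time nonce.
type Challenge struct {
	Domain string
	Nonce  []byte
}

// Response goes back only to Challenge.Domain.
type Response struct {
	SiteID    ed25519.PublicKey
	Signature []byte
}

// signedMessage binds the nonce to the domain, so a signature made for one
// domain is useless at any other.
func signedMessage(domain string, nonce []byte) []byte {
	return append([]byte(domain+"\x00"), nonce...)
}

// Respond signs with the key derived from the domain the user was shown.
func (id *Identity) Respond(c Challenge) Response {
	sig := ed25519.Sign(id.siteKey(c.Domain), signedMessage(c.Domain, c.Nonce))
	return Response{SiteID: id.SiteID(c.Domain), Signature: sig}
}

// Site is a relying party: registered SiteIDs plus nonces it has issued.
type Site struct {
	Domain string
	known  map[string]bool // hex(SiteID) -> registered
	issued map[string]bool // hex(nonce) -> issued and not yet consumed
}

func NewSite(domain string) *Site {
	return &Site{Domain: domain, known: map[string]bool{}, issued: map[string]bool{}}
}

// NewChallenge mints a single-use nonce for this site's own domain.
func (s *Site) NewChallenge() (Challenge, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return Challenge{}, err
	}
	s.issued[hex.EncodeToString(n)] = true
	return Challenge{Domain: s.Domain, Nonce: n}, nil
}

// Login verifies against the site's OWN domain and a nonce it issued. Returns
// "login" for a known SiteID, "register" for a valid signature from a SiteID
// never seen before (the one-click registration the prompt offers), and an
// error for a replayed nonce or a signature produced for another domain.
func (s *Site) Login(nonce []byte, r Response) (string, error) {
	nk := hex.EncodeToString(nonce)
	if !s.issued[nk] {
		return "", errors.New("unknown or already used nonce")
	}
	if !ed25519.Verify(r.SiteID, signedMessage(s.Domain, nonce), r.Signature) {
		return "", fmt.Errorf("signature does not verify for %s", s.Domain)
	}
	delete(s.issued, nk)
	key := hex.EncodeToString(r.SiteID)
	if s.known[key] {
		return "login", nil
	}
	s.known[key] = true
	return "register", nil
}

func main() {
	id, _ := NewIdentity()
	bank := NewSite("bank.example")
	c, _ := bank.NewChallenge()
	fmt.Println(bank.Login(c.Nonce, id.Respond(c))) // first visit: register
	// Phisher relays the bank's nonce but the prompt shows evil.example, so the
	// client signs for evil.example and the bank rejects the relayed response.
	re := id.Respond(Challenge{Domain: "evil.example", Nonce: c.Nonce})
	fmt.Println(bank.Login(c.Nonce, re))
}
```

The two checks in Login are what make the scheme phishing resistant: the site verifies over its own domain name rather than whatever the client claims, and a phishing domain only ever sees a SiteID that is unrelated to the one registered at the real site, which is why the prompt can offer nothing but registration there.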
[–] [email protected] 1 points 1 hour ago

Passkeys aren't added hardware. They're just private keys.