BitWarden has a desktop extension and it also handles 2FA. No reason to be using a password, which is way less secure and can be extracted from a website DB via a hack.
In practice, yes. IF IMPLEMENTED PROPERLY it would be extremely unlikely for an attacker to get in.
For example with a proper implementation of TOTP it would require an attacker to guess the correct number between 1 and a million in less than a minute. Most services make you wait a little bit (often less than humans notice) between attempts and don’t allow infinite attempts, so an attacker would have to be unimaginably lucky.
There are sadly lots of huge companies that DON’T IMPLEMENT 2FA PROPERLY. Sony Entertainment (account for PlayStation) for example. So a unique and long password is still important.
It does, but not everyone sets up their 2fa, or uses the least secure forms. Then passwords get hacked, and those lists get shared so when the next hack comes along, they have that many more tools to try and break the encryption (assuming there is any) on a bigger site, compromising even more people.
It’s a whole systemic shit bag. Passkeys were meant to solve a lot of these problems, and they would, but Big Tech is botching the execution in favor of yet another thing locking you into their ecosystem.
It’s shitty user experience when forced to dig out my phone to authenticate myself to a site I barely give half a shit about.
Like I wouldn’t even have an account if it wasn’t forced, and now you assholes want my phone too?
I think you’re describing SMS passcode, totp or other such factors.
Passcode doesn’t require phone necessarily, but you can use it too
A lot of the stuff that has implemented passkeys so far are on mobile. And I mean the apps serving them out, not things you authenticate to.
BitWarden has a desktop extension and it also handles 2FA. No reason to be using a password, which is way less secure and can be extracted from a website DB via a hack.
Doesn’t the 2FA protect users still, if they only got the password?
In practice, yes. IF IMPLEMENTED PROPERLY it would be extremely unlikely for an attacker to get in.
For example with a proper implementation of TOTP it would require an attacker to guess the correct number between 1 and a million in less than a minute. Most services make you wait a little bit (often less than humans notice) between attempts and don’t allow infinite attempts, so an attacker would have to be unimaginably lucky.
There are sadly lots of huge companies that DON’T IMPLEMENT 2FA PROPERLY. Sony Entertainment (account for PlayStation) for example. So a unique and long password is still important.
TOTP can be phished remotely, passkeys / hardware security keys can’t (need to get malware into the users’ computer instead)
It does, but not everyone sets up their 2fa, or uses the least secure forms. Then passwords get hacked, and those lists get shared so when the next hack comes along, they have that many more tools to try and break the encryption (assuming there is any) on a bigger site, compromising even more people.
It’s a whole systemic shit bag. Passkeys were meant to solve a lot of these problems, and they would, but Big Tech is botching the execution in favor of yet another thing locking you into their ecosystem.
In store my passkeys in my password manager, which has a desktop app to access passkeys. What are you using that you have to always use your phone?
Google Chrome on PC can let you verify from the phone to unlock passkeys
Yes, extra security for your personal information is so irritating.
Security for who exactly?
If I don’t even want an account, it’s the “security” of the sites ad targeting data that IDGAF.