• 0 Posts
• 7 Comments
Joined 2 months ago
Cake day: November 7th, 2024

  • chickentendrils@lemmy.ml to technology@hexbear.net, "I hate 2FA Hell" (English, 11 upvotes, edited, 12 hours ago)

    If you have any tech-literate friends, you can all install Syncthing and quickly each create a personal push-only share. Then everyone you know is helping each other back up their password manager databases or anything else locally encrypted with a strong password that’s small enough to be acceptable. Micro SD cards are 1.5 and even 2 TiB now, and work with my 4-year-old Xiaomi phone.

    I’m thinking of the WeChat recovery option that just makes a couple people you had in your friends list or were your main contacts open a menu in settings and confirm you contacted them (I think IRL), in order to verify the recovery request.


  • chickentendrils@lemmy.ml to technology@hexbear.net, "I hate 2FA Hell" (English, 2 upvotes, edited, 11 hours ago)

    I really like GRC’s Secure Quick Reliable Login (SQRL). It’s older than most examples but basically just the open version of the prompt on your phone. Authentication requests are made for a specific domain and sent back to that domain only. So much more phishing resistance than has been typical, similar to passkeys. It’s as seamless as scanning any QR code with a phone, or it integrates with a browser or local password manager/daemon. The prompts on the phone show you the unobfuscated domain name of what generated the QR code/auth request and if it’s never been used before like a phishing site, it’ll only offer user registration (usually with one-click).

    The backups of your credentials are just QR codes and can be printed on standard printer paper.

    It is used internally at a midsize organization for their internal systems authentication. Way less hassle than the Microsoft authenticator, no added hardware like a passkey.


  • chickentendrils@lemmy.ml to technology@hexbear.net, "I hate 2FA Hell" (English, 4 upvotes, edited, 12 hours ago)

    Yeah, for Steam you have to use third-party tools or pull a file off your mobile device/emulator and extract the TOTP secret (and use plugins for password managers to render the alphanumeric code with the characters they want; it’s just a non-standard TOTP representation and sucks so much).

    The maker of that “Authy” shit that’s just a TOTP generator/backup once again locked behind your fuckin phone number deserves a special place in hell. It’s Twilio, a virtual phone/SMS API provider… and owner of SendGrid. Same deal as with Steam where they’ll add the TOTP secret to the Authy app and you have to extract it manually to use in a different app/password manager. At least the codes are part of the IETF standard. They’re just generated with an uncommon <30 s step interval for rolling over and I believe are 7 digits instead of 6. KeePassXC natively had configuration for it at least.
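The Authy details in the comment above (a non-default step interval and 7-digit codes) and the Steam extraction come down to the same point: a TOTP secret moved from one app to another only keeps working if the digits and period travel with it. As an added example that is not the commenter's code, here is RFC 6238 TOTP with those two parameters configurable, a skew-tolerant verifier, and a parser for the otpauth:// URI format most authenticator apps export, checked against the RFC 6238 test secret. The sample URI with its issuer and label is a constructed placeholder, and the 7-digit/10-second parameters are illustrative assumptions, not a claim about Authy's actual values.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time=None, step=30, digits=6, algorithm="sha1", t0=0):
    """TOTP (RFC 6238): HOTP with counter = floor((time - t0) / step).
    `step` and `digits` are the two knobs a non-default issuer may change."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, (unix_time - t0) // step, digits, algorithm)


def verify_totp(secret, code, unix_time, step=30, digits=6, algorithm="sha1", window=1):
    """Constant-time comparison of a submitted code against the current step and
    `window` steps either side, to absorb clock skew between client and server."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step, digits, algorithm)
        if hmac.compare_digest(expected, code):
            return True
    return False


def parse_otpauth(uri):
    """Parse otpauth://totp/LABEL?secret=...&digits=...&period=...&algorithm=...
    (the export format most authenticator apps use) into totp() parameters.
    Missing digits/period/algorithm fall back to the RFC defaults 6/30/SHA1."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    b32 = q["secret"].strip().upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)  # some apps omit base32 padding
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(q.get("digits", 6)),
        "step": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890") and its
# base32 form, as it would appear in an exported otpauth URI.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed sample URI with non-default parameters (7 digits, 10 s step).
# Issuer and label are placeholders, not any real account or service.
SAMPLE_URI = ("otpauth://totp/ExampleIssuer:user%40example.test"
              "?secret=" + RFC_SECRET_B32 + "&issuer=ExampleIssuer&digits=7&period=10")


def code_from_uri(uri, unix_time):
    """Parse a URI and return the code for `unix_time` under its own parameters."""
    p = parse_otpauth(uri)
    return totp(p["secret"], unix_time, p["step"], p["digits"], p["algorithm"])


if __name__ == "__main__":
    # RFC 6238 vectors: 8-digit SHA1 codes for T = 59 and T = 1111111109.
    print(totp(RFC_SECRET, 59, digits=8))           # 94287082
    print(totp(RFC_SECRET, 1111111109, digits=8))   # 07081804
    print(code_from_uri(SAMPLE_URI, 1111111109))    # 7-digit code on a 10 s step
```

The verifier compares with `hmac.compare_digest` and accepts one step either side of the server clock; a shorter period (as the comment describes for Authy) narrows the replay window for a captured code but also makes that skew tolerance tighter in wall-clock terms, which is why importing a secret without its `period` value produces codes that are always "wrong".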



  • chickentendrils@lemmy.ml to Asklemmy@lemmy.ml, "What's wrong with bluesky?" (English, 1 upvote, 1 downvote, 20 days ago)

    I assume Mastodon is equally capable of recommending things, but if it’s a common problem that people aren’t patient enough with then it could be fatal. It’s still an open question whether federation as it’s been used thus far is really there yet. I’m not entirely convinced; I’m glad it’s being tried. I’ll take a stab at it; I’ve worked on P2P distributed key-value storage for years. No huge ambitions though, I don’t really care about this use case. My conception of federation is closer to newsgroups: ideally it’s a global namespace for a topic, but the feed is controllable by, effectively, a federated moderator web-of-trust that users can selectively opt into and demote mods as a personal preference. Maybe someone else can do it because I’m so disinterested.