this post was submitted on 28 Jan 2024
356 points (99.2% liked)

Technology

59091 readers
3141 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 16 points 9 months ago (2 children)

I see a lot of people around me resetting passwords of services they rarely use because they forgot what password they used and don't have a password manager (or not synced one). And I don't understand why all services don't propose to generate a one time link to log in instead of changing passwords (a few services do propose it already)

Passwords are useless for all users using the same password for every account they have, and i'm sure it's a majority of users.

[–] [email protected] 9 points 9 months ago (1 children)

Google is moving that way with passkeys. I think it'll catch on with many people.

Just cut the passwords out and go straight to unlocking with a device.

That said not sure what happens if you lose your device.

[–] [email protected] 11 points 9 months ago* (last edited 9 months ago) (2 children)

don’t even have to lose the device

phone is the most common, plenty of ways in from mitm attacks (insecure wifi for example) to social eng the account phone provider

guess you could go the dongle route but if it was super common thieves would just target them

[–] [email protected] 14 points 9 months ago (1 children)

I think the question is less about getting hacked and more about getting permanently locked out of your account.

[–] [email protected] 6 points 9 months ago

sure but it shouldn’t be, any good process will have some recovery method

course that can be a vulnerability as well

thank god recovery questions are dead

[–] [email protected] 7 points 9 months ago (1 children)

The idea with passkeys though is that it’s like a dongle, not just your phone number. It’s not an SMS code or link, it uses the cryptography hardware of your phone to authenticate. But the question of “what happens if I lose my phone” still persists.

https://fidoalliance.org/passkeys/

https://developer.apple.com/passkeys/

https://blog.google/technology/safety-security/the-beginning-of-the-end-of-the-password/amp/

[–] [email protected] 4 points 9 months ago (1 children)

I mean it’s just 2fa without the password so same issues with what I described

https://www.csoonline.com/article/570795/how-to-hack-2fa.html

just the first result on google

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago)

"5 ways to hack 2FA" is pretty click-baity though. All of those attacks are either not exclusively related to 2FA or could target another component. If you can just bypass security altogether, instead of questioning 2FA, you should consider ditching that service/site.

All except point 1, that is. But everyone should know by now that 2FA by SMS is insecure.

[–] [email protected] 3 points 9 months ago

How do you secure email accounts then? And wouldn't that make those just even more attractive targets?