this post was submitted on 08 Mar 2025
746 points (100.0% liked)

Technology

67536 readers
6260 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots


founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 58 points 2 weeks ago (2 children)

I love Lemmy and Voyager and the Fediverse. That said, if it were to become mainstream I foresee some problems. The fact that the login relies on only passwords is pretty terrible. Also, this makes the service vulnerable to bots, sock puppet accounts, brigading, etc.

[–] [email protected] 20 points 2 weeks ago (3 children)

What would you propose replace passwords to not be susceptible to those things?

I personally like how secure and non-intrusive passwords are, especially when using a self-hosted password manager synced with git.

[–] [email protected] 25 points 2 weeks ago (1 children)

Passkeys are much better. Unlike what FAANG companies want you to believe, they do not have to be tied to a device. Use a password manager that supports them (BitWarden) and pretty much never get hacked again because of a password. Website doesn’t need to store anything that an attacker can use. No downside.

[–] [email protected] 1 points 2 weeks ago

I'd much rather use a password and a two-factor auth via TOTP code. It's fast, portable, I can store them on a variety of open source apps, and it's very hard to hack. I don't need to use a specific provider, or browser. Flexible and free.

Passkeys in their current implementation are comparatively a mess. Here's an article that runs through many reasons why:

https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/

[–] [email protected] 15 points 2 weeks ago (1 children)
[–] [email protected] 32 points 2 weeks ago (1 children)
[–] [email protected] 13 points 2 weeks ago

Oh. Never mind then. I think this should be enough. Maybe OpenID Connect support would be nice.

[–] [email protected] 9 points 2 weeks ago (1 children)

It is hard to do well, which is why I worry. Google probably has the best overall account security; you could do worse than modeling after them.

The short answer to your question is Passkeys. But you need a whole system of account recovery around them.

[–] [email protected] 1 points 2 weeks ago (2 children)

Oh, you can easily bypass passkeys with automation. Don't even need an image recognition model, just a QR-code scanner like zbarimg.

But I never tried Google's passkey feature since it never seemed as secure as a 48-char computer-generated password. So I'm not sure exactly how it works.

[–] [email protected] 12 points 2 weeks ago* (last edited 2 weeks ago)

Go read the FIDO threat model if you want to understand how it protects against specific attacks. It is pretty secure.

https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-security-ref-v2.0-id-20180227.html

[–] [email protected] 7 points 2 weeks ago (1 children)

That’s a pretty wild claim. It almost sounds like you don’t know what a passkey is. Explain.

[–] [email protected] 1 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

Oh, I don't know what it is, sorry, I thought I made that clear. But a quick search on the internet said it was basically 2FA with a QR code, and since the issue was how it would protect Lemmy from bots I just thought it wouldn't be hard for a bot to read a QR code.

[–] [email protected] 7 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

Bruh that's gotta be one of the worst trains of thought I've seen recently ngl. I don't even know how passkeys work and I know that. Based on your understanding, you could log into someone's account just by reading a QR code. Which of these is more likely:

  • The entire cybersecurity community mysteriously and completely forgot that machines can read QR codes (which is, by the way, literally the entire purpose of a QR code)

  • You don't understand how passkeys work

How arrogant do you have to be?

[–] [email protected] 1 points 2 weeks ago* (last edited 2 weeks ago)

Well again, the claim was that somehow passkeys would stop Lemmy from being flooded by bots.

So in that situation, we aren't talking about hacking. We are simply talking about whether a login could be triggered programmatically. So if Lemmy required passkeys to be used instead of passwords, and if the passkeys required scanning a QR code to sign in, I imagine it would provide minimal disruption to an automated login.

Now if the passkeys somehow enforced a real human to do something that only a human could do, then yes it would stop an automated registration/login. However if it's possible to automate then it wouldn't stop bots.

[–] [email protected] 13 points 2 weeks ago

Lemmy supports 2FA lol.

(At least on the web UI it does)