this post was submitted on 08 Mar 2025
26 points (100.0% liked)

Privacy

[–] [email protected] 22 points 2 weeks ago* (last edited 2 weeks ago) (3 children)

I strongly dislike 2FA and MFA solutions, and really they seem to me to be a way for services to protect themselves rather than to protect me, since if I lose the device they're connected to then I get locked out myself. If they function poorly, like Lemmy's early implementation of them, they can lock you out even if you have everything in order.

So when companies try and force 2FA or MFA solutions as mandatory in online applications where there are no additional recovery methods, I'm not going to delude myself or go along with the notion that they're doing it to protect me and not themselves, since those solutions make it likely that I lose my account at no loss or harm to them.

Maybe this seems harsh but I've seen how big tech companies handle this aspect and talk about it and I know none of the other things they do come out of legitimate care for their users and I know this isn't ultimately any different.

[–] [email protected] 13 points 2 weeks ago (1 children)

I appreciate that 2FA can be annoying, but I've personally had my info leaked in various breaches, and (software) 2FA has been the thing that's saved my important accounts. They manage to get as far as the TOTP and stop, because it's an additional lock that's harder to bypass than a static password. It's easy to say it's just a pointless hurdle when you've been lucky enough to have avoided having your data leaked.

I know none of the other things they do come out of legitimate care for their users and I know this isn't ultimately any different

You are right that companies don't care about users like us, but many of these protocols came from cryptographers and software engineers who do care. The Diffie-Hellman-Merkle key exchange underpins most of public cryptography, and it wasn't created for big business. Regardless, big companies do care about big clients, who are often desirable targets for hackers.

So these locks and protocols exist because a relative few people genuinely care about security, and the big companies implement them as correctly as possible, because they care about not getting sued for negligence by a big client or losing their business.

You're right to be cynical about corporations, but that doesn't mean we can't get mutual benefit from their self-interest.
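The "additional lock" this reply credits with stopping breach-driven logins is a TOTP code: a value derived from a per-account shared secret and the current time (RFC 6238, built on RFC 4226 HOTP). The Go program below is an added example written for this page, not code from any commenter or from Lemmy. It implements the derivation, verifies it against the RFC test vectors, and shows the property that matters here: a password leaked in a breach is not enough on its own, because the code also depends on a secret that is never stored in the password database. The caveat later comments touch on is also visible in the code: the server must hold that same secret to verify codes, so a breach of the server's authenticator table exposes it, which a public-key scheme avoids.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// HOTP computes an RFC 4226 code: HMAC-SHA1 over the big-endian counter,
// dynamic truncation to a 31-bit integer, then reduction to `digits` digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)

	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)

	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff

	mod := uint64(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, uint64(bin)%mod)
}

// TOTP is HOTP with the counter taken from Unix time (RFC 6238): the
// authenticator app and the server need only the secret and a roughly
// synchronised clock, nothing is transmitted at enrolment except the secret.
func TOTP(secret []byte, unixTime int64, step int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// VerifyTOTP is the server-side check. It tolerates one time step of clock
// skew either way and compares in constant time so response timing does not
// leak which digits matched. A production server additionally records the
// last accepted step so the same code cannot be submitted twice.
func VerifyTOTP(secret []byte, submitted string, unixTime int64, step int64, digits int) bool {
	ok := false
	for delta := int64(-1); delta <= 1; delta++ {
		expected := TOTP(secret, unixTime+delta*step, step, digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	// Constructed demo secret: the ASCII seed used by the RFC 4226/6238 test vectors.
	secret := []byte("12345678901234567890")
	fmt.Println("code at T=59:", TOTP(secret, 59, 30, 8)) // 94287082 per RFC 6238
	fmt.Println("accepted one step late:", VerifyTOTP(secret, "94287082", 70, 30, 8))
	// Someone holding only a leaked password cannot produce this value: it
	// depends on the per-account secret, which lives in the authenticator app
	// and in the server's TOTP table, not in the password store.
	fmt.Println("blind guess rejected:", VerifyTOTP(secret, "00000000", 59, 30, 8))
}
```

The vectors asserted below are the published ones: RFC 4226 lists the 6-digit HOTP codes for counters 0 and 1 as 755224 and 287082, and RFC 6238 lists the 8-digit SHA-1 TOTP at T=59 as 94287082 and at T=1111111109 as 07081804.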

[–] [email protected] 4 points 2 weeks ago

I've also gotten unexpected TOTP email calls from multiple orgs, yeah.

[–] [email protected] 10 points 2 weeks ago

I strongly dislike 2FA and MFA solutions and really they seem to be to be a way for services to protect themselves than to protect me, since if I lose the device they’re connected to then I get locked out myself

I use Ente Auth for 2FA. Is it less secure than hardware authentication? Yes, but at least I can recover if I ever manage to lose everything in a freak accident. Besides, it's more secure than no 2FA :p

Software 2FA is a good middle ground (recoverable yet still secure)

[–] [email protected] 11 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

I'm all for MFA, but ultimately, a GOOD password - or rather, a good password recipe - that resides in my brain must be included in the mix as far as I'm concerned. Because unlike other forms of authentication, that one can never be extracted, stolen or recovered without torturing me.

So you can have your passwordless future: I'll keep my passwords - in combination with other forms of authentication of course. Passwordless is lesser security for the lazy.

[–] [email protected] 8 points 2 weeks ago (2 children)

Same, but I find passkeys interesting so I keep watch on them.

[–] [email protected] 8 points 2 weeks ago (1 children)

Too bad passkeys overtook SQRL

[–] [email protected] 4 points 2 weeks ago

I have never heard of this, thank you for bringing this up - it's really interesting

[–] [email protected] 2 points 2 weeks ago

The whole idea of the site not having a "secret" to leak is awesome. I find passkeys interesting as long as they stay in my control and are easy to back up (like in KeePassXC). However, I am not sure whether passkeys coming from different sources are distinguishable, which might lead to sites restricting you to Big Tech ones.
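The property this comment values, that the site holds nothing secret, comes from public-key challenge-response: the site stores only the user's public key, issues a fresh random challenge, and verifies the signature the authenticator returns. The Go program below is an added illustration of that flow in the style SQRL and passkeys (WebAuthn) share; it is not the wire format of either protocol and not code from anyone in the thread. The names RelyingParty and Authenticator, the origin "https://example.test" and the user "alice" are constructed for the demo. Ed25519 comes from Go's standard library. Three defender-side checks are built in: a leaked copy of the site's table (public keys only) lets nobody log in, a challenge is consumed on first use so a captured signature cannot be replayed, and a signature made for a different origin is rejected, which is what defeats look-alike phishing sites.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// RelyingParty is the site. It stores public keys and short-lived random
// challenges only: no password hash and no shared secret to leak.
type RelyingParty struct {
	origin     string
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte // one outstanding challenge per user, single use
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register keeps the public key; the private key never leaves the authenticator.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.pubKeys[user] = pub }

// Challenge issues 32 fresh random bytes that the authenticator must sign.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, known := rp.pubKeys[user]; !known {
		return nil, fmt.Errorf("unknown user %q", user)
	}
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.challenges[user] = ch
	return ch, nil
}

// signingMessage binds the challenge to the site's origin, so a signature
// coaxed out by a look-alike site is useless here (origin binding as in
// WebAuthn; SQRL gets the same effect from per-site keys).
func signingMessage(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator between origin and challenge
	h.Write(challenge)
	return h.Sum(nil)
}

// Verify consumes the outstanding challenge, then checks the signature against
// the stored public key. Deleting first makes replay fail even after a bad attempt.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	ch, ok := rp.challenges[user]
	if !ok {
		return false
	}
	delete(rp.challenges, user)
	pub, ok := rp.pubKeys[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signingMessage(rp.origin, ch), sig)
}

// Authenticator is the user's device or password-manager entry holding the private key.
type Authenticator struct{ priv ed25519.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) Public() ed25519.PublicKey { return a.priv.Public().(ed25519.PublicKey) }

// Sign answers a challenge for the origin the authenticator believes it is talking to.
func (a *Authenticator) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signingMessage(origin, challenge))
}

// Login runs the complete exchange between a site and an authenticator.
func Login(rp *RelyingParty, a *Authenticator, user string) (bool, error) {
	ch, err := rp.Challenge(user)
	if err != nil {
		return false, err
	}
	return rp.Verify(user, a.Sign(rp.origin, ch)), nil
}

func main() {
	rp := NewRelyingParty("https://example.test") // constructed origin
	alice, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	rp.Register("alice", alice.Public())
	ok, _ := Login(rp, alice, "alice")
	fmt.Println("alice logs in:", ok) // true
	impostor, _ := NewAuthenticator() // has everything the site stores, i.e. only public keys
	ok, _ = Login(rp, impostor, "alice")
	fmt.Println("impostor logs in:", ok) // false
}
```

On the comment's open question: WebAuthn does let an authenticator send an attestation statement at registration that identifies its make and model, and that is the mechanism a site would use to restrict which authenticators it accepts; the demo above deliberately has no attestation step, so the site cannot tell one authenticator from another.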