Microsoft Authenticator App

The forum now supports passkeys for second factor authentication. Details are here: https://forum.fractalaudio.com/threads/forum-supports-passkey-authentication.201570/


I just switched to passkey thanks!
 
There is a special hell reserved for those that convince an organization to use both Okta and Zscaler.

Unless your business is paying my phone bill and for my device, I shouldn't need to use my personal device as the key to conducting your business.

If I'm already paying personally for a gigabit connection to make sure some questionably built web tools can be stable, then figure out a dongle or other physical system as the remote gateway to your business systems.
 
The point isn't to make you open multiple apps. The point is to make someone poking at the login fields on a web page require that they have access to your second device to log in. That's accomplished equally well if you use one app for both the password and the 2FA code or two apps.

The point is to require two things - typically something you know and something you have. The way you described, the two factors are your encrypted database (for your PW manager) and the master password. Considering that cloud compromises happen and it seems like "most" people use cloud synchronization for their encrypted database, I'm hesitant to call the encrypted database a factor.

I don't think you're wrong, and that would be more convenient if you can get away with it. But, it at least puts more onus on you to have multiple factors to unlock your PW manager.
 
The point is to require two things - typically something you know and something you have. The way you described, the two factors are your encrypted database (for your PW manager) and the master password. Considering that cloud compromises happen and it seems like "most" people use cloud synchronization for their encrypted database, I'm hesitant to call the encrypted database a factor.

I don't think you're wrong, and that would be more convenient if you can get away with it. But, it at least puts more onus on you to have multiple factors to unlock your PW manager.
Not saying you're wrong, but what two factors for instance, leaving out hardware keys?
 
Not saying you're wrong, but what two factors for instance, leaving out hardware keys?
The password, which is static. And the rolling code. It requires two things to log in now. The second thing being possession of your phone (or the TOTP sync key used to set up rolling code…but that’s not retained on the server side).
 
Not saying you're wrong, but what two factors for instance, leaving out hardware keys?

To unlock the password manager? The password you know and a TOTP app, for example.

The password, which is static. And the rolling code. It requires two things to log in now. The second thing being possession of your phone (or the TOTP sync key used to set up rolling code…but that’s not retained on the server side).

Yes, but if both things come out of your password manager and your password manager gets compromised, that's one source of both pieces of information and effectively only one factor of authentication, even if it's 2 pieces of data - just the login for the password manager.
 
Yes, but if both things come out of your password manager and your password manager gets compromised, that's one source of both pieces of information and effectively only one factor of authentication, even if it's 2 pieces of data - just the login for the password manager.
It's only one factor if the password manager is compromised. From the website-you-are-logging-in-to perspective it's still a two factor authentication. Yes, you need to guard your password manager password. But that's a single password you need to remember so it can be challenging. And every other password you use can have incredibly high entropy as a result. The net security increase is high regardless.
 
It's only one factor if the password manager is compromised. From the website-you-are-logging-in-to perspective it's still a two factor authentication. Yes, you need to guard your password manager password. But that's a single password you need to remember so it can be challenging. And every other password you use can have incredibly high entropy as a result. The net security increase is high regardless.

I do like the idea of using a strong password and a YubiKey (or similar) for the PW Manager and perhaps letting it do TOTP or Passkeys. That does seem like a very good compromise.
 
Yes, but if both things come out of your password manager and your password manager gets compromised, that's one source of both pieces of information and effectively only one factor of authentication, even if it's 2 pieces of data - just the login for the password manager.
Yes, I mitigate that risk with 2FA enabled for 1Password - the TOTP code is managed by Google Authenticator in my iPhone which has to be opened with Face ID. That's the only TOTP code that Google Authenticator manages.

And I have a backup YubiKey, protected with a password - in case I lose my phone or it becomes inoperable.
 
I do like the idea of using a strong password and a YubiKey (or similar) for the PW Manager and perhaps letting it do TOTP or Passkeys. That does seem like a very good compromise.
I love YubiKeys everywhere but my phone. Maddening to use there.

Passkeys are going to be amazing.

I feel like we've been swirling around iterating on bad ideas here for a decade and Passkeys are finally a direction that's going to be great. You still have the problem of having control centralized in one place like a password manager or Keychain. But if you know that, you can take extraordinary precautions to protect that one, single thing instead of having to protect all the websites you log in to.

I haven't put my YubiKey on my 1P account yet, but I suppose I could. It's well-sealed up on my devices and attacking it web-side is nigh impossible because you need a secret key along with the password and that secret key isn't on the internet or any network for that matter.
 
There is a special hell reserved for those that convince an organization to use both Okta and Zscaler.

Unless your business is paying my phone bill and for my device, I shouldn't need to use my personal device as the key to conducting your business.

If I'm already paying personally for a gigabit connection to make sure some questionably built web tools can be stable, then figure out a dongle or other physical system as the remote gateway to your business systems.
Lord, don't get me started on what a festering turd Zscaler is...
 