upvote

points

by JasonADrury14 hours ago |
comments
upvoteby gregoriol14 hours ago|
next
[-]
2FA is more secure than 1FA even if that one has a high security level
reply
upvoteby nixpulvis13 hours ago|
parent|
next
[-]
To be clear. Proper 2FA, via something like a smartcard or any truly external device is still much more secure. You could have one of those factors be a passkey, that's fine, and may be a good idea.

But there are UX issues with passkeys as well, that aren't all well addressed. My biggest gripe is that there is often no way to migrate from one passkey provider to another, though apparently there may be a standard for this in the works?

reply
upvoteby Genbox13 hours ago|
parent|
prev|
next
[-]
Are you saying that two weak factors are more secure than one strong factor?
reply
upvoteby UltraSane4 hours ago|
parent|
next
[-]
If they are on totally isolated hardware then maybe
reply
upvoteby lazide13 hours ago|
parent|
prev|
[-]
Not who you are replying too. But a yubikey is not a weak factor.

In fact, it’s not even meaningfully more secure than passkey (as passkey is designed) - passkey is, however, more convenient.

So it’s more ‘one weak factor + (really times) one medium/strong factor’ vs ‘one medium/strong factor’.

Which yes, the first one is better in every way from a security perspective. At least in isolation.

The tricky part is that passkeys for most users are way more convenient, meaning they’ll actually get used more, which means if adopted they’ll likely result in more actual security on average.

Yubikeys work well if you’re paying attention, have a security mindset, don’t lose them, etc. which good luck for your average user.

reply
upvoteby PunchyHamster14 hours ago|
parent|
prev|
next
[-]
if 2fa is "use the second factor that's on same device as first factor" (like when using phone apps in many cases, password + 2fa from email/sms/authenticator app on same device), I disagree.
reply
upvoteby dwedge11 hours ago|
parent|
[-]
If I get your password, and you use 2fa that's stored on your phone, does that improve your security position or not
reply
upvoteby JasonADrury13 hours ago|
parent|
prev|
[-]
Nonsense, depends entirely on the value of the authentication factor.
reply
upvoteby YmiYugy12 hours ago|
prev|
[-]
How is it not 2FA? It's MacBook + Fingerprint.
reply
upvoteby JasonADrury12 hours ago|
parent|
[-]
It's not 2fa if you assume some catastrophic exploit chain that allows an attacker to dump your macbooks secure element.

I don't think that's a reasonable assumption for most people, and you're screwed in that situation even if you use yubikeys.

reply