ZeldaFreak

I quote myself from a different comment:

I just needed to think of the scene from the Simpsons, where Mr. Burns and Smithers go all through the security checks and in the end, there is a flimsy open backdoor, where a stray dog entered the room. All security in the front doesn’t matter, if the backdoor is not secure at all and until the backdoor is that unsecure, I’m not willing to add money and time, to make the front door more secure.

The phone argument lacks a bit. Accessing the TOTP App and the password manager do require a separate authentification, to get encrypted. Sure if they snatch my phone away, when its fully unlocked, including my password manager, they have access for a limited time. They need to be fast enough, until I can remotly lock it or until it automatically locks itself. Android phones can now detect when they are stolen. Either by the movement or when it goes offline. The latter I tested and it’s not instant, but you still don’t have long.

I don’t think about potential backdoors. If there is no known backdoor, then I deem it save. Sure they also could me to unlock the phone. This would be xkcd 538. And this applies to any security.

Adding more security and inconvenience doesn’t make sense to me, so long the backend is shit. So far a few big companies did screw up hard in their backend and dozens of smaller sites do some bad stuff, that it doesn’t really matter how strong your login is. Here I reference back to my quote.

In a closed system, like a company, this added security makes sense, as they usually control the backend as well. If my CEO would send me a text request to reset his logins, I would call him or walk to his office, and ask him directly. Sure with AI, they could impersonate his voice but I don’t think they can impersonate his way to speak.

I didn’t invested too much time into hardware keys but requiring additional software on other PCs, still is a no-go for me. With my current setup, I only need my smartphone and I always carry it around.

For business use, this is a whole different topic. With a proper setup, all machines would require the software and you shouldn’t access these accounts outside from company devices. Its also an expense which the company must carry and its easier for them to handle backups. Also in that Setup, you can have SSO/LDAP, where you can physically proof that you are you and requesting resetting the MFA. With an online service, they usually require a weak proof, like just the access to an email account.

I just needed to think of the scene from the Simpsons, where Mr. Burns and Smithers go all through the security checks and in the end, there is a flimsy open backdoor, where a stray dog entered the room. All security in the front doesn’t matter, if the backdoor is not secure at all and until the backdoor is that unsecure, I’m not willing to add money and time, to make the front door more secure.

Vanilla KeePass. The Dev isn’t interested to providing a communication outside of its program, but he clarified, that plugins have all the right access, to do that but as it seemed to the dev, there is no dev interested to making such a plugin. KeePassXC does support it but they are still missing entry templates. This is the only missing feature that is holding me back to switch.

Or the obscure ways for 2FA/MFA. Passkeys are mostly cloud based. Yeah fuck no! The weakest Passkey is weaker than my usual random generated password, if the site don’t do any shady business and require a weak password. Hardware keys are luckily not pushed for usage. I don’t like them either. You require at least 2, for backup reasons. They also cost quite some money and they have zero auth. Just connect to usb and tap it. Also retrieving the backup and get a replacement for a defective one, takes some time.

Good old TOTP as 2FA is perfect, paired with a strong, random password. With my TOTP, I have an encrypted backup in my cloud, on my NAS, older backups in secure places and backup codes in several places. The TOTP App I use is open source and I have a mirror of the source code.

This should be enough security, if sites don’t screw up all the time. You can bypass 2FA all the time. Even the credit card company screwed up big time. Usually you get 2 separate letters, one with your pin and one with your card. Both came on the same day. Also I actually didn’t needed the pin in the first place. I was able to add the card to the app and see the pin there, without actually verifying anything, except the credit card number.

Maybe when passkeys are supported in my password manager, I will try it but so far it isn’t and switching is not an option, as it doesn’t support the features I need. There is an open issue for an alternative password manager, with that feature request and it has some people wanting it, but its still not added. But passkeys doesn’t fix the issue for me using stronger keys, it fixes the site owners to allow stronger keys but they are still not required to use it. Some devs are just weird. I’ve read one PR for an FOSS project I use, where someone wanted to implement a universal oath or such stuff, that would support all types of external authentifications. Nope, the dev refused the PR and they wanted to stay at the 2 proprietary implementations, for 2 services, even though this universal implementation would work with these 2 too. I can’t tell exactly what it was. I was experimenting with an auth service for my self hosted stuff, to not deal with several accounts and rights systems. This service was the first one which I wanted to switch and they didn’t wanted to support it, leaving me with the standard login.