What's next after v3?
-
@crazycells said in What's next after v3?:
@julian you would know that better, but I always thought that this will be the main way to enter a website, rather than a 2FA.
At least, this is what Apple, Google and Microsoft are trying to achieve: https://www.theverge.com/2023/5/3/23709318/google-accounts-passkey-support-password-2fa-fido-security-phishing
Here is a demo website, and I see "Sign in with a passkey" button. I believe this is what a lot of websites will use it for: https://www.passkeys.io/
Just to remind the passkey...
https://www.engadget.com/passkeys-passwords-authentication-security-133024414.html
-
@crazycells so many cool things to do; so little time
-
🧵Just thinking about Meta going Fediverse with Threads soon, and how sweet it would be if I could be sure that NodeBB will do the same. They just opened up the Panama Canal if you're willing to connect, pretty please.
-
@Scott-Baker said in What's next after v3?:
🧵Just thinking about Meta going Fediverse with Threads soon, and how sweet it would be if I could be sure that NodeBB will do the same.
There is a lot of interest in this, for sure.
Not wanting to be Mr Pessimist, (and I would be delighted to be proved wrong) - But I think it's a huge project actually.
I did run a Mastodon server for a while, and it required a lot of resources as it scales. Maybe a limited defined scope for the next step in Fediverse progress would make a more reachable goal?
I have a couple of ideas, but I don't know how far along the NodeBB Devs are on any plans on this, or if it's still at the suggestion level?
-
About the ActivityPub integration, would it be built in to default NodeBB installs or something that you do via plugins? If it's built in, will there be options to optionally turn it off?
-
@julian said in What's next after v3?:
I've said it there and I'll say it here. NodeBB will follow the ActivityPub spec and, if possible, will be tested against both Flarum and Discourse integrations because doing so makes federated forums a force to be reckoned with.
This is good. More and more development efforts too are focusing so little on the Mastodon API and instead focusing on the actual standards - S2S & C2S as they should.
Building Federation for the Fediverse is of paramount consideration, while making sure one federates with a single Fediverse platform whose significance is waning as the bellwether for social communications. Even entire Mastodon communities have left that platform and migrated en masse to other, more capable platforms - some outright forks like Glitch-Soc or Hometown, and many more to other more promising Fediverse platforms that have enjoyed greater adoption due to their more accommodating utility for their userbases.
In the End, it's not really about communities built on an instance and provided to the user base - it's about users across the entire #Fediverse building communities that span the myriad platforms and instances; especially as smolweb / smallweb and single user platforms continue to build critical mass in terms of installed instances.
#Friendica, being one of the great-granddaddies of, and staples in, the Fediverse, is a great platform chosen by many projects to effectively represent the branding, marketing, and social communications needs - blogs, announcements, changelogs, newsletters, and public dialog... Things a limited microblogging software cannot deliver.
-
passkeys are becoming popular...
-
@crazycells you can use a passkey as a second factor, unless passkeys aren't authn
-
@julian I think it is working as password and two-factor replacement...
I save passkeys in my 1password application, I click "sign-in with passkey" on the screen, and then click 1password and log-in to my account without inputting email, password and 2FA (normally I would input all three)...
-
@julian said in What's next after v3?:
@crazycells you can use a passkey as a second factor, unless passkeys aren't authn
they are - the new thing is making them less hardware-dependent (integration with OS/third party keyrings allowing for moving them between devices).
The idea however is that now that the major UX issues are being solved, they can actually become password replacement and not just a second factor (again - this was actually possible and occasionally implemented with security keys, it's just that now that the buy-in and carrying the device isn't problematic when it's your phone, pc or even password manager across devices, more companies started pushing for this).
I personally don't think the UX is quite there yet (as a physical security key user, Windows UX has gotten worse with an additional pop-up, and in Firefox I now have to get through 3 pop-ups before I can log in because Bitwarden is getting in on the game too), but I guess it's good enough to get it out there now and the kinks can be worked out along the way.
-
@oplik0 call me jaded, but I can't wait for the day I try to log in with a passkey, and am then challenged with an email one time code, followed by a captcha.
I think our accounting software has two ways to log in, via password or via SMS. If you click SMS, it'll send you a code, and once entered it will prompt you for a password... If you try to log in via password it'll send you an SMS code for security
-
@julian said in What's next after v3?:
@oplik0 call me jaded, but I can't wait for the day I try to log in with a passkey, and am then challenged with an email one time code, followed by a captcha.
I hate the email one time code login method. Email UX was never made for this and it shows:
- waiting up to minutes for login, with no progress updates
- can just get hit with spam filters, sometimes making it take a lot longer (or making the UX even worse in other ways; e.g. my uni email has a separate spam filter service that I need to log into to get the message delivered)
- unless you delete it manually, your login notification litters your inbox or archive
- and from developer side - you fully depend on the customer's email provider working properly at time of login (tbf that's usually true of registration anyway, but I think that's more acceptable as it's a far less common action).
- you also can't really do more strict verification for potential email compromise, since again - unlike password resets, logins happen often.
-
@oplik0 said in What's next after v3?:
I hate the email one time code login method
ditto... I cannot access my TD (Toronto-Dominion) Bank account from the web browser for quite some time because it keeps sending a login code to the email address and it usually arrives ~20 minutes late.... At least their app works better...
-
@crazycells wait until TD decides to start sending SMS codes to your phone number.
I use a VoIP number, I'll let you guess how that's going.
Also... You're Canadian?
-
@julian said in What's next after v3?:
@crazycells wait until TD decides to start sending SMS codes to your phone number.
I use a VoIP number, I'll let you guess how that's going.
Also... You're Canadian?
lol I can feel your pain. There are TD Bank branches in NY. However due to their lack of convenience, I had to close my checking account with them, but I still have a credit card.
On a side note, I always use my real phone number with financial institutions, but use Google Voice number for anything else. Aren't VOIP numbers easier to hack?