What's next after v3?
-
passkeys are becoming popular...
-
@crazycells you can use a passkey as a second factor, unless passkeys aren't authn
-
@julian I think it is working as password and two-factor replacement...
I save passkeys in my 1password application, I click "sign-in with passkey" on the screen, and then click 1password and log in to my account without inputting email, password and 2FA (normally I would input all three)...
-
@julian said in What's next after v3?:
> @crazycells you can use a passkey as a second factor, unless passkeys aren't authn

they are - the new thing is making them less hardware-dependent (integration with OS/third party keyrings allowing for moving them between devices).
The idea however is that now that the major UX issues are being solved, they can actually become a password replacement and not just a second factor (again - this was actually possible and occasionally implemented with security keys, it's just that now that the buy-in and carrying the device isn't problematic when it's your phone, pc or even password manager across devices, more companies started pushing for this).
I personally don't think the UX is quite there yet (as a physical security key user, Windows UX has gotten worse with an additional pop-up, and in Firefox I now have to get through 3 pop-ups before I can log in because Bitwarden is getting in on the game too), but I guess it's good enough to get it out there now and the kinks can be worked out along the way.
-
@oplik0 call me jaded, but I can't wait for the day I try to log in with a passkey, and am then challenged with an email one time code, followed by a captcha.
I think our accounting software has two ways to log in, via password or via SMS. If you click SMS, it'll send you a code, and once entered it will prompt you for a password... If you try to log in via password it'll send you an SMS code for security.
-
@julian said in What's next after v3?:
> @oplik0 call me jaded, but I can't wait for the day I try to log in with a passkey, and am then challenged with an email one time code, followed by a captcha.

I hate the email one time code login method. Email UX was never made for this and it shows:
- waiting up to minutes for login, with no progress updates
- can just get hit with spam filters, sometimes making it take a lot longer (or making the UX even worse in other ways; e.g. my uni email has a separate spam filter service that I need to log into to get the message delivered)
- unless you delete it manually, your login notification litters your inbox or archive
- and from the developer side - you fully depend on the customer's email provider working properly at the time of login (tbf that's usually true of registration anyway, but I think that's more acceptable as it's a far less common action).
- you also can't really do more strict verification for potential email compromise, since again - unlike password resets, logins happen often.
-
@oplik0 said in What's next after v3?:
> I hate the email one time code login method

ditto... I cannot access my TD (Toronto-Dominion) Bank account from the web browser for quite some time because it keeps sending a login code to the email address and it usually arrives ~20 minutes late.... At least their app works better...
-
@crazycells wait until TD decides to start sending SMS codes to your phone number.
I use a VoIP number, I'll let you guess how that's going.
Also... You're Canadian?
-
@julian said in What's next after v3?:
> @crazycells wait until TD decides to start sending SMS codes to your phone number.
> I use a VoIP number, I'll let you guess how that's going.
> Also... You're Canadian?

lol I can feel your pain. There are TD Bank branches in NY. However, due to their lack of convenience, I had to close my checking account with them, but I still have a credit card.
On a side note, I always use my real phone number with financial institutions, but use a Google Voice number for anything else. Aren't VoIP numbers easier to hack?