
We replaced passwords with something worse

DecoPerson

The attack pattern is:

1) User goes to BAD website and signs up.

2) BAD website says “We’ve sent you an email, please enter the 6-digit code! The email will come from GOOD, as they are our sign-in partner.”

3) BAD’s bots start a “Sign in with email one-time code” flow on the GOOD website using the user’s email.

4) GOOD sends a one-time login code email to the user’s email address.

5) The user is very likely to trust this email, because it’s from GOOD, and why would GOOD send it if it’s not a proper login?

6) User enters code into BAD’s website.

7) BAD uses code to login to GOOD’s website as the user. BAD now has full access to the user’s GOOD account.

This is why “email me a one-time code” is one of the worst authentication flows for phishing. It’s just so hard to stop users from making this mistake.

“Click a link in the email” is a tiny bit better because it takes the user straight to the GOOD website, and passing that link to BAD is more tedious and therefore more suspicious. However, if some popular email service suddenly decides your login emails or the login link within should be blocked, then suddenly many of your users cannot log in.

Passkeys is the way to go. Password manager support for passkeys is getting really good. And I assure you, all passkeys being lost when a user loses their phone is far, far better than what’s been happening with passwords. I’d rather granny needs to visit the bank to get access to her account again, than someone phishes her and steals all her money.
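The seven-step flow above as a toy model, written for this thread and not by DecoPerson or any project: a GOOD service offering both the emailed one-time code and an emailed link that only completes in the browser session that started the flow. The session binding, the hostname good.example, the in-memory mailbox and the addresses are all constructed assumptions; GOOD and BAD are the comment's names.

```python
import hmac
import secrets
import time


class GoodSite:
    """Constructed stand-in for GOOD with two sign-in flows:
    A) emailed one-time code: whoever holds the code can finish the login
    B) emailed link bound to the browser session that requested it."""

    TTL = 600  # seconds a code or link stays valid

    def __init__(self):
        self.pending_codes = {}  # email -> (code, expires_at)
        self.pending_links = {}  # token -> (email, session_id, expires_at)
        self.outbox = []         # (to, body): stand-in for an SMTP server

    # --- flow A: emailed one-time code ------------------------------------
    def request_code(self, email):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending_codes[email] = (code, time.time() + self.TTL)
        self.outbox.append((email, f"Your GOOD sign-in code is {code}"))

    def redeem_code(self, email, code):
        entry = self.pending_codes.pop(email, None)  # single use, hit or miss
        if entry is None or time.time() > entry[1]:
            return None
        # constant-time compare so response timing does not leak digits
        return email if hmac.compare_digest(entry[0], code) else None

    # --- flow B: emailed link bound to the requesting session --------------
    def request_link(self, email, session_id):
        token = secrets.token_urlsafe(32)
        self.pending_links[token] = (email, session_id, time.time() + self.TTL)
        self.outbox.append((email, f"https://good.example/login?token={token}"))

    def redeem_link(self, token, session_id):
        entry = self.pending_links.pop(token, None)
        if entry is None or time.time() > entry[2]:
            return None
        email, bound_session, _ = entry
        # only the browser that started the flow (same cookie) may finish it
        return email if hmac.compare_digest(bound_session, session_id) else None


def mailbox_of(good, email):
    return [body for to, body in good.outbox if to == email]


def otp_relay_attack_succeeds():
    """Steps 3-7 of the comment against flow A: BAD's bot starts the flow,
    the victim types the code into BAD's page, BAD redeems it on GOOD."""
    good = GoodSite()
    victim = "granny@example.com"               # constructed
    good.request_code(victim)                   # step 3, done by BAD's bot
    code = mailbox_of(good, victim)[-1].split()[-1]  # step 6, victim hands it over
    return good.redeem_code(victim, code) == victim  # step 7


def bound_link_attack_succeeds():
    """Same attack against flow B. The bot requested the link from its own
    session; the victim clicks it in a browser that never started a GOOD login."""
    good = GoodSite()
    victim = "granny@example.com"
    bot_session = secrets.token_hex(16)
    good.request_link(victim, bot_session)
    token = mailbox_of(good, victim)[-1].split("token=")[1]
    victim_session = secrets.token_hex(16)      # fresh browser, no cookie from the bot
    return good.redeem_link(token, victim_session) == victim


def legitimate_bound_login_works():
    """Control case: the user who started flow B clicks the link themselves."""
    good = GoodSite()
    email, session = "alice@example.com", secrets.token_hex(16)
    good.request_link(email, session)
    token = mailbox_of(good, email)[-1].split("token=")[1]
    return good.redeem_link(token, session) == email
```

The binding only helps when the victim clicks the link rather than copying it: a victim who pastes the whole URL into BAD's page lets the bot redeem it from the session that requested it, which is the "more tedious" step the comment relies on.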

mvieira38

>"I’d rather granny needs to visit the bank to get access to her account again, than someone phishes her and steals all her money."

More like abuelita gets robbed at gunpoint and made to unlock and clear out her bank account, then has no recourse at home because her device was taken. I live in a third world country and even 2FA simply isn't viable for me due to how frequent phone robberies are. I've had to do the process once and it was a nightmare, whereas with passwords I can just log into Bitwarden wherever and I'm golden

arccy

A key part of the recent push for passkeys has been cross device syncing with your Google / Apple / whatever password manager account, so you end up in the same situation: if you can log in to Bitwarden to access your passwords, you can log in to your password manager to access your passkeys.

bccdee

FYI, you can put a 2FA secret into Bitwarden and autofill the one-time passwords alongside the regular password. That would mitigate the impact of losing your phone.

lhamil64

I personally don't do this because I feel like it defeats the whole purpose of 2fa. If someone gets into your bitwarden account, now they have your passwords and can generate 2fa codes. Of course, if the alternative is just not doing 2fa then it's better than nothing, but I'd still prefer an authenticator app or hardware key to putting them in bitwarden.

britzkopf

Great, this is a universal solution. Let's all make it an integral part of our digital security, and in 5 years or so hope that bitwarden doesn't leverage it!

chimeracoder

> More like abuelita gets robbed at gunpoint and made to unlock and clear out her bank account, then has no recourse at home because her device was taken.

You are describing the current status quo, without passkeys. This is already possible.

Well, except maybe for the "without recourse" part, because there are some legal and policy avenues available for dealing with this situation.

mvieira38

The "without recourse" is the part that matters... With passkeys or 2FA she's at risk of having to wait a day or more to go to the physical location (if there even is one, digital banks are huge in Latin America), with passwords she can just check her notebook the same night and start the recourse through official channels. I know she could just call the hotline, but if a 24hr customer service guy can get you in your account the same night then the bank is too insecure anyways

t_mann

The problems of Passkeys are more nuanced than just losing access when a device is lost (which actually doesn't need to happen depending on your setup). The biggest problem is attestations, which let services block users who use tools that give them more freedom. Passkeys, or more generally challenge-response protocols, could easily have been an amazing replacement for passwords and a win-win for everyone. Unfortunately, the reality of how they've been designed is that they will mainly serve to further cement the primacy of BigTech and take away user freedom.

abustamam

I want to like passkeys but I haven't had any success getting them to work. Every time I click on "sign in using passkey" both my browser (Firefox or Chrome, on Android/Win/Mac) and Bitwarden are like "no passkeys found" and I'm never given an option to create one.

I feel like I'm doing something stupidly wrong or missing a prompt somewhere, or maybe UX is just shitty everywhere, but if I, a millennial who grew up programming and building computers, struggle with this, then I don't expect my mom, who resets her password pretty much every time she needs to sign into her bank, to get it to work.

FuriouslyAdrift

We've had massive problems with moving to passkeys (browser based) at our company and moved back to an app based Authenticator. Everyone is accepting of the authenticator app or uses a yubikey.

janfromdaito

What were those "massive problems"?

gcr

i'm also curious to hear what issues you faced!

tialaramex

Do you have some examples where people actually require attestation in 3rd party facing systems? Or is this purely "But in theory..." and you've dismissed all the very real problems with the alternatives because you're scared of a theoretical problem?

I always reject attestation requests and I don't recall ever having been refused, so if this was a real problem it seems like I ought to have noticed by now.

tux3

Microsoft Entra ID goes out of its way to enforce attestation for FIDO 2 keys.

The protocol normally allows you to omit the attestation, but they worked around an extra call after a successful registration flow that sends you to an error page if your FIDO2 passkey isn't from one of these large approved vendors: https://learn.microsoft.com/en-us/entra/identity/authenticat...

I found out by trying to prototype my own FIDO2 passkey, and losing my mind trying to understand why a successful flow that worked fine on other websites failed with Microsoft. It turns out, you are not allowed to do that.

t_mann

Passkeys are in their infancy. You don't go about rolling out such patterns when most users haven't even switched yet and big players like Apple are still resisting attestations (last time I checked). The problem is that the feature is there and can be (ab)-used in this way, so it should be rejected on principle, irrespective of whether it's a problem right now.

I understand the value of attestations in a corporate environment when you want to lock down your employees' devices. But that could simply have been handled through a separate standard for that use case.

account42

Systems are usually more open while they are trying to onboard users than they will be once the moat has been established.

We have already been through this with many services suddenly demanding that you give them your phone number "for security".

the_mitsuhiko

> Do you have some examples where people actually require attestation in 3rd party facing systems?

Austria's governmental ID is linked to 5 approved tokens only.

lmm

They're not going to start requiring them until they've phased out non-passkey login. But at that point it will be too late.

lelandbatey

The Fido2 folks really really want things to be so secure and centralized, with so little user freedom, and they want to use attestation to do it.

Here's a Fido2 member (Okta) employee saying "If keepass allows users to back up passkeys to paper, I think we'll have to allow providers to block keepass via attestation." https://github.com/keepassxreboot/keepassxc/issues/10407#iss...

All because passkeys backup is deemed "too unsafe and users should never be allowed that feature, so if you implement it we'll kick you out of the treehouse."

The authoritarian nature of passkeys is already on full display. I hope they never get adopted and die.

nyeah

Seems very argumentative for somebody who's just saying there's no issue.

dathinab

yeah, IMHO the design was messed up by a few very influential companies "over fitting" it for their company specific needs

but I don't think attestation per-se is bad, if you are an employee of a company and they provide you the hardware and have special certification requirements for the hardware then attestation is totally fine

at the same time normal "private" users should never be exposed to it, and for most situations where companies do expose users to it (directly or indirectly) it's often not much better than snake oil if you apply a proper threat analysis (like allowing banking apps to claim a single app can provide both the login and second factor required by law for financial transactions, except if you do a threat analysis you notice the main threat to the app is a malicious privilege escalation, which tends to bypass the integrity checks anyway)

But a lot of the design around attestation looks to me like someone nudged it into a direction where "a nice enterprise feature" turns into a "system to suppress and hinder new competition". It also IMHO should never have been in the category of "supported by passkey" but idk. "supported by enterprise passkey only" instead.

Though let's also be realistic, the degree to which you can use IT standards to push consumer protection is limited, especially given that standards are made by companies which foremost act in their financial interest, hence why working consumer protection legislation and enforcement is so important.

But anyway it's not just the specific way attestation is done, it's also that their general design has dynamics pushing toward a consolidation on a few providers, and its design also has elements which strongly push for "social login"/"SSO" instead of a login per service/app/etc. i.e. also pushes for consolidation on the side of login.

And if you look at some of the largest contributors you find

- those which benefit a ton from a consolidation of login into a few SSO providers

- those which benefit from a different form of login consolidation (consolidation of password managers) and have made questionable blog entries to e.g. push people to not just store passwords but also 2FA in the same password manager even though that does remove one of the major benefits of 2FA (making the password manager not a single point of failure)

- those which benefit a ton if it's harder for new hardware security key companies, especially those which have an alternative approach to doing HSKs

and somehow we ended up with a standard which "happened" to provide exactly that

eh, now I sound like a conspiracy theorist, I probably should clarify that I don't think there had to be some nefarious influence, just these different companies having their own use case and over fitting the design on their use case would also happen to achieve the same and is viable to have happened by accident

johncolanduoni

Why would BigTech care about the dozens of users using an open source password manager? What’s their gain from preventing these people from logging in? They love money and don’t care about user freedom, sure. But they’ve shown no evidence of hating user freedom on principle.

Every time I’ve seen them actually attack user freedom, there was an embarrassingly obvious business angle. Like Chrome’s browser attestation that was definitely not to prevent Adblock, no sir.

xg15

Because they'd actively have to make their proprietary passkey systems interoperable with password managers. This is fail-closed, not fail-open: If they truly didn't care, there'd also be no incentive for them to implement support.

But I fear it's worse. Based on how past open standards played out, I find it believable they do care - that there won't be an open ecosystem of password managers.

> But they’ve shown no evidence of hating user freedom on principle.

Yes, they did, just see Microsoft's crusade against Linux and the origin of the "embrace-extend-extinguish" term.

63stack

>Why would BigTech care about the dozens of users using an open source password manager?

Because big tech loves control. Just because you can't see the angle yet, it doesn't mean there isn't one now, or won't be one later. It has been shown time and time again that they will take all the freedom away from you that they can.

bryanrasmussen

>Why would BigTech care about the dozens of users using an open source password manager?

I agree, why would BigTech care about those dozens of users. Screw those guys, they can use our password manager or they can get lost, we don't need them!

withinboredom

> Why would BigTech care about the dozens of users using an open source password manager?

Bots using a custom password manager to share logins.

lijok

Your style of thinking is exactly why linux never became a leader in desktop OSes. Why we're still dealing with the most ridiculous tech debt and complexity in OSS tooling to date. You're obsessed with fake problems that have no bearing on real people. When grandma does indeed lose all her money because some prick phished her password away, I would love to watch you explain how that's actually better than BigTech taking away user freedoms.

achierius

You're the one dismissing real problems like "lose all passkeys when you lose your phone".

smallerfish

> Passkeys is the way to go. Password manager support for passkeys is getting really good.

I set up a passkey for github at some point, and apparently saved it in Chrome. When I try to "use passkey for auth" with github, I get a popup from Chrome asking me to enter my google password manager's pin. I don't know what that pin is. I have no way of resetting that pin - there's nothing about the pin in my google profile, password manager page, security settings, etc.

uyzstvqs

Passkeys are the pinnacle of bad UX. It just works, until the user tries to switch devices, accounts or platforms. The slogan of passkeys should be something like "I don't have a password, it usually just works, but now I changed X and it doesn't work anymore". Even worse is hardware-based 2FA built into smartphones (also FIDO), as you lose your phone in a lake and now you can't access anything anymore.

The way to go is an encrypted password manager + strong unique random passwords + TOTP 2FA. It's human-readable. Yes, that makes it susceptible to phishing, but it also provides very critical UX that makes it universal and simple.

johncolanduoni

Apple’s works fine, including when I’m logging on to my windows machine. Opening the camera app is a little annoying, but I don’t have to do it frequently. 1Password works well too and it runs on everything. There’s open source options, but I can’t attest to their UX.

PartiallyTyped

I use protonpass and it’s great, carried across all my devices and browsers.

PaulKeeble

I really dislike how passkeys have generally been used. Once KeepassXC got proper support for them and in the browser plugin it's been a bit more sensible. KeepassXC means I can transfer them between devices and it's protected the same way my passwords are, so no additional pins and logins I don't want; it solves a lot of the issues I have around them. Now it's just a long random password.

I wouldn't have minded if we moved to a scheme like SSH logins with public and private keys I own either, that I can store securely but load as I please and again would work well with a local password manager.

jp191919

KeepassXC's passkey integration has been excellent for me. No vendor lock-in is important to me.

arccy

passkeys are public / private keys. it's just a new pair for every log in.

dathinab

the "the app tries to trick me into using the service of the company behind it so that they can consolidate the market" problem

it's not quite new, as a dumb example depending where in android contacts you click on an address it might always force open google maps (2/3 cases) or (1/3 cases) properly go through the intent system and give users a choice

stuff like that has been constantly getting worse with google products, but it's not like Microsoft or apple are foreign to it

Hnrobert42

That is unfortunate, but that sounds more like a chrome problem than a passkey problem. You would have the same issue if chrome saved your password.

kmac_

Passkey is a great example of how five kitchen chefs can't make scrambled eggs. Horrible user experience, terrible marketing, no mental model like "your phone is THE key," no tangible or even symbolic presentation of the key.

spixy

Google password manager's pin?

On my Windows laptop that is Windows Hello PIN, not sure about other OSs. And it can be disabled.

zozbot234

> I'd rather granny needs to visit the bank to get access to her account again, than someone phishes her and steals all her money.

The problem is that I can physically show up at my local bank branch or at my job's IT helpdesk to get my account back, but I can't show up at the Googleplex or at Facebook's or Xitter's HQ and do the same. Device bound passkeys are very error prone for the latter scenario, since users will fail to account for that case.

hombre_fatal

To add, services account for that failure by introducing something worse: a customer service backdoor where you can get into an account with very weak or nonexistent authentication.

With Amazon's live chat, someone was able to get into my account by providing an address in the same city as the destination of my latest Amazon order.

You see this with 2FA since "sorry lol you've lost your account forever" isn't an option, and it's trivial for users to lose their 2FA key unlike, say, access to their email.

tzs

Services that use passwords for login need to do that too, because people lose passwords.

Even services that use login via emailed link need to do it because people do lose email access. Far too many people use the email provided by their ISP as their only email service, which can be very bad if they move to someplace that ISP does not serve or simply want to switch to another ISP in their current area.

philistine

The solution is what's already happening, but thoroughly enforced: allow designated users to restore your access to your account.

boredhedgehog

> Passkeys is the way to go.

I wish there was a stronger differentiation between syncable and device-bound passkeys. It seems like we're now using the same word for two approaches which are very different when it comes to security and user-friendliness.

And yes, giving granny unsyncable passkeys is a really bad idea, for so many reasons.

mths

> I wish there was a stronger differentiation between syncable and device-bound passkeys.

But there is no difference. I'd prefer if services just let me generate a passkey and leave it entirely up to me how I manage it. Whoever set up granny's device should have done so with a cloud based manager.

I think Google tries to make some confused distinction, or maybe that has more to do with FIDO U2F vs FIDO2. There you can add either a "passkey" or a "security key", but iirc I added my passkey on my security key so... yeah

valenterry

> Passkeys is the way to go

No, at least not on its own. Let's not repeat the mistakes.

Password managers are the way to go and ONLY FOR RARE EXCEPTIONS we should use dedicated MFA, such as for email accounts and financial stuff. And the MFA should ask you to set up at least 3 factors and ask you to use 2 or more. And if it doesn't support more or less all factors like printed codes, OS-independent authenticator apps and hardware keys like yubikey, then it should not be used.

pyrale

We need to go further. If a service doesn't include 197 factors including blood samples, showing up at a physical location 50 miles from your home, and sending a picture of yourself in a specific posture, and doesn't require you to use at least 53 of them (determined randomly) to login, then it's insecure and should not be used.

johncoltrane

That's the French postal service's "identité numérique".

doublerabbit

Sounds like something the UK gov would love to implement, plus extra.

Such as finding a dinosaur fossil of your families name clan.

degamad

Passkey are more like password managers, and less like MFA tokens - despite the fact that many passkey implementations can function as MFA tokens as well.

Bitwarden the password manager includes a full passkey implementation, which doesn't involve any MFA.

valenterry

> Passkey are more like password managers, and less like MFA tokens

No:

- I can always export and import all my passwords from/into my password manager

- My passwords always work independently of a password manager or any specific app/OS/hardware

That is not true for passkeys and makes them much more like tokens. Of course they don't have to be used in MFA, just like passwords.

dchest

If you like password managers, you'll love passkeys!

Passkeys is an interface between your password manager and a website without all the fluff with filling or copy-pasting passwords.

valenterry

No need to write like that. I know, understand and use passkeys for quite a while now.

I don't love them. I don't love passwords either.

But while I don't fear passwords, I fear passkeys. The reason is that it makes the tech even more intransparent. My password manager stops working, completely dies or I can't use it anymore for another reason? No problem, I can fall back to a paper list of passwords if I really have to. This transparency and compatibility is more important than people think.

Passkeys lack that. They can be an interface like you described, but only if everyone plays along and they can be exported. But since there is no guarantee (and in practice, they often cannot be exported either) they are not a replacement for passwords. They are a good addition though.

Unfortunately, many people don't understand that and push for passwords to begone.

dur-randir

Let me decide for myself what I must love.

RHSeeger

I love password managers. I dislike passkeys. So clearly that's not the case.

account42

Also without all that pesky privacy and choice of what you run on your own computer.

codedokode

Password managers are those proprietary programs that you need to install, give full access to your computer, register an account and trust their word that your passwords are uploaded to the cloud securely? No thanks.

Also they are too complicated for an ordinary user. A physical key is much simpler and doesn't require any setup or thinking, and can be used on multiple devices without any configuration. And doesn't require a cloud account.

const_cast

Password managers are both significantly simpler to use than just passwords and more secure.

Passwords have always been bad. The problem is that users can't remember them. So they rotate, like, 3 passwords.

Which means if fuckyou.com is breached then your bank account will be drained. Great.

On top of that, the three passwords they choose are usually super easy to guess or brute force.

With a password manager, users only need to remember one password, which means they can make said password not stupid. You can automatically log in too with your new super secure passwords you never need to see.

It's the perfect piece of software. Faster, easier, more secure, with less mental load.

blkhawk

uh no - a password manager is an open source application you can compile and install yourself if you want. It's nothing more than a small specialised database with an Excel-like interface. Personally I think that the argument that things are "too complicated for the average user" eventually gets you users that find breathing and sphincter function too complicated.

yoz-y

I don’t like passkeys. Before my process to login was:

- open website

- if not already logged in, log in to 1Password

- autofill password

- autofill TOTP

Now:

- open website

- if logged in to 1Password the Use Passkey usually shows up

- if not:

  - log in to 1Password 

  - choose use passkey

  - this almost always does nothing

  - choose “use other method”

  - choose “password”

  - autofill that

  - now there is another dialog to choose the 2fa method, choose Authenticator 

  - autofill that

Passkeys would be great if they actually made anything simpler on a computer. They work fine on the phone but that’s not where I spend most of my time.

tecleandor

And if I'm not using passkey, but the web site detects I'm using a passkey-compatible browser or password manager, the site takes over and tries to "sell" me a passkey anyway. No, I don't want it!

al_borland

It’s also confusing if I’m being prompted to use an existing passkey or if I’m being prompted to create a passkey.

Now that I’m so paranoid about this, and not remembering which sites I have them for, I always dismiss the passkey prompt, then have to click several more times to get to the password login and fill it in with my password manager.

jerf

I forget which site it is but there is one site I try to use with passkeys that somehow bypasses my BitWarden and rigidly insists on a passkey tied to Google and/or my phone, which I do not want. (My BitWarden stack is fully owned by me, as I self-host a VaultWarden instance, with daily backups of it, and I don't want my passkeys anywhere else.) That's definitely annoying.

geden

Passkeys work very smoothly with Safari and Apple Passwords.

Apple Passwords is now sufficiently good to replace 1Password for me and I’m slowly transitioning.

I don’t mind subscription models per se but there was something about subscription for your own passwords that made me refuse to jump the fence when 1Password switched to that model.

Would be a bit faffy if you’re a Chrome user.

jonplackett

It works fine until you dare to have TWO accounts for the same website. Safari will just randomly pick one of them and always try to log you in with that passkey every time you visit, and the interface for using a different one is really annoying.

al_borland

I stick with 1Password, because I don’t want my password manager to be part of the barrier to using other platforms.

I also have a bunch of stuff in 1Password that doesn’t have a home in Apple Passwords, which would be a problem.

And yes, Chrome with Apple Passwords is annoying. At work I’m forced to use Chrome for some things, and I’ve been dabbling with Apple Passwords. Every time I launch the browser I have to put in a code to link the extension with Passwords. It’s very annoying.

xobs

I've never gotten passkeys to work on the Mac. Every time I try it with either Firefox or Safari, it says I need to log into iCloud, which I really don't want.

kelnos

... or like most people, and not a Mac user.

arccy

That just sounds like you made a poor choice of password manager that doesn't put a priority on good ux...

Hackbraten

1Password used to be decent until they enshittified about five years ago, decided to rewrite their app from scratch in Electron, replaced their support staff with non-technical staff who are unable to write any meaningful response to critical bug reports, and hired developers who allowed the app to degrade beyond recognition.

agos

that says more about 1Password than about passkeys. With 1Password I often get "does nothing" when trying to autofill good old regular passwords

KingOfCoders

1. I don't get that with 1Password

2. If you get this often, why do you use 1Password, honest question.

roelschroeven

> “Click a link in the email” is a tiny bit better because it takes the user straight to the GOOD website, and passing that link to BAD is more tedious and therefore more suspicious.

"Click a link in the email" is really bad because it's very difficult to know the mail and the link in it are legitimate. Trusting links in emails opens the door to phishing attacks.

johnmaguire

How would a phishing attack against a website which doesn't use passwords, only magic links, be performed?

ramraj07

I know not to click links on random emails but comfortably click links on emails I initiated from a website.

roelschroeven

How do you know the email comes from that website? There are known cases of phishing mails being sent when people expect a legitimate mail.

Cthulhu_

You do, but does the average user? Security's reliance on people's behaviour / knowledge / discipline should be minimal.

johnisgood

Yeah, I was frowning when I read that. It is not any better at all, not even a tiny bit.

iEchoic

Four times a day, I get an email notification that someone requested a password reset for my Microsoft account, which gives me a six-digit number to recover my account. So every day, an attacker has four shots in 1,000,000 of stealing my account by just guessing the number. They've been doing this for years.

If the attacker's doing this to thousands of accounts - which I'm sure they are - they're going to be stealing accounts for free just by guessing.

I wrote up a security report and submitted it and they said that I hadn't sufficiently mathematically demonstrated that this is a security vulnerability. So your only option is to get spammed and hope your account doesn't get stolen, I guess.

Lukas_Skywalker

I have added what I think they call login alias to my account. This blocks logins using the normal account username (which is my public email address), and only allows them via the alias (which is not public and just a random string). Not a single foreign login attempt since I enabled the alias.

You can enable it on account.microsoft.com > Account Info > Sign-in preferences > Add email > Add Alias and make it primary. Then click Change Sign-in Preferences, and only enable the alias.

theschmed

I hadn't thought of this use case for aliases.

I had to make my Outlook email primary again on my Microsoft account, unfortunately, because of how I use OneDrive. I send people share invitations and there are scenarios (or at least there were the last time I checked) where sending invitations from the primary account email is the only way to deliver the invite. If your external email alias is primary, they'll attempt to send an email from Outlook's servers that spoofs the alias email :/

Lukas_Skywalker

I just checked, and it used my regular mail address for the invite. It's possible that they changed that.

Hnrobert42

Then, is the login alias sort of a password? In that, it is something you know.

Lukas_Skywalker

In a way, yes. I don't count on it being private though. But it appears nowhere online, so it's not used by credential stuffers or other bots.

BiteCode_dev

Yep, back to passwords, but less secure ones.

ramses0

joe@smith.com, joe.smith@bigcompany.com

...those will get "drive by" attacks no matter what.

Interesting that they're letting you alias it back to "coolkid5674321" again...

nomercy400

I had to do this as well. My account got spammed daily in such a way I had to verify my account and change my password on every login.

With the alias I no longer have this issue.

lanfeust6

This is what I do. The crucial thing is to only use the alias for logging in.

Aachen

I had the same issue on a useless old account. Could see the IP addresses of the sign-in attempts, they came from all over the world, all different ISPs, mostly residential. Nearly every request was from a unique /16! If botnets are used for something this useless, I dread to think what challenges at-risk people face

Adding 2FA was the solution

I couldn't find the method they were using in the first place, because for me it always asks for the password and then just logs me in (where were they finding this 6-digit email login option?!), but this apparently blocked that mechanism completely because I haven't seen another sign-in attempt from that moment onwards. The 2FA code is simply stored in the password manager, same as my password. I just wanted them to stop guessing that stupid 6-DIGIT (not even letters!) "password" that Microsoft assigns to the account automatically...

NoGravitas

If they are doing this to 125,000 accounts, they should get an average of one account per day, right? So on average it would take them 342 years to get any specific account, but as long as they aren't trying for any particular account, they've got a pretty good ROI.

I guess the fix for this would be exponential backoff on failed attempts instead of a static quota of 4 a day?

vdfs

Why would doing this to 125K accounts give them access to one account per day? The chances of guessing the 6-digit PIN code for each account are the same (10^6) regardless of how many accounts you are attacking
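The two views above (per-account odds vs. aggregate yield) can both be computed from the figures in the thread. The following is an added example, not code from the thread or from Microsoft; it assumes a fixed 6-digit code, distinct guesses, the static quota of 4 guesses per account per day mentioned above, and, for the comparison, a hypothetical exponential-backoff policy that doubles the lockout after every failed guess.

```python
SIX_DIGIT_CODE_SPACE = 10 ** 6   # 000000..999999


def per_account_success_probability(guesses: int, code_space: int = SIX_DIGIT_CODE_SPACE) -> float:
    """Chance that one account's fixed code is hit by `guesses` distinct guesses.

    This does not depend on how many other accounts are being attacked.
    """
    return min(guesses, code_space) / code_space


def expected_accounts_hit_per_day(accounts: int, guesses_per_day: int,
                                  code_space: int = SIX_DIGIT_CODE_SPACE) -> float:
    """Aggregate yield: the per-account chance is unchanged, but the expected
    number of hits per day scales linearly with the number of accounts."""
    return accounts * min(guesses_per_day, code_space) / code_space


def expected_days_for_one_account(guesses_per_day: int,
                                  code_space: int = SIX_DIGIT_CODE_SPACE) -> float:
    """Average days until a specific fixed code is hit when guessing through
    the space without repeats (half the space on average)."""
    return (code_space / 2) / guesses_per_day


def guesses_under_static_quota(days: int, per_day: int = 4) -> int:
    """A static quota hands the attacker the same number of guesses every day."""
    return days * per_day


def guesses_under_exponential_backoff(horizon_seconds: float, base_delay_seconds: float = 1.0) -> int:
    """Guesses possible within `horizon_seconds` when each failure doubles the
    lockout (1 s, 2 s, 4 s, ...). Assumed policy for illustration, not Microsoft's:
    the first guess is immediate, every further guess must wait out the lockout."""
    guesses = 1
    elapsed = 0.0
    delay = base_delay_seconds
    while elapsed + delay <= horizon_seconds:
        elapsed += delay
        guesses += 1
        delay *= 2
    return guesses


if __name__ == "__main__":
    print("per-account chance per day:", per_account_success_probability(4))
    print("expected hits per day across 125,000 accounts:", expected_accounts_hit_per_day(125_000, 4))
    print("days to hit one specific account:", expected_days_for_one_account(4))
    print("guesses in a year under a static 4/day quota:", guesses_under_static_quota(365))
    print("guesses in a year under exponential backoff:", guesses_under_exponential_backoff(365 * 86400))
    print("per-account chance per day with an 8-digit code:", per_account_success_probability(4, 10 ** 8))
```

The per-account number stays at 4 in a million whatever the attacker does elsewhere; the aggregate number is what makes spraying worthwhile, and a backoff that grows with consecutive failures cuts the yearly guess budget from over a thousand to a few dozen. Lengthening the code (the last line) shrinks the per-account chance by the same factor for every account at once.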

bradleyankrom

I get a similar message constantly for an old Instagram account - "sorry you're having trouble logging in, click here to log in and change your password!"

ccppurcell

I get it too! I always assumed it was some hangover from that time I had to use *crosses self* Microsoft Teams.

klabb3

The code length should ideally be adaptive and increase if this happens.

Randor

Microsoft allows you to create a second "login only" account username to access your e-mail and other services. I was having the same problem as you but much worse. Check into it, it only takes a few minutes to set up.

timdumol

Does adding MFA not protect you against this? If you are secured by a TOTP on top of your password, it should not matter if they manage to reset your password.

Huppie

Somewhat, but imho the Microsoft MFA is also full of similar flaws.

As an example: I've disabled the email and sms MFA methods because I have two hardware keys registered.

However, as soon as my account is added to an azure admin group (e.g. through PIM) an admin policy in azure forces those to 'enabled'.

It took me a long time debugging why the hell these methods got re-enabled every so often; it boils down to "because the azure admin controls for 'require MFA for admins' don't know about TOTP/U2F yet"

Imho it's maddening how bad it is.

rsanheim

The worst part about this is it just further reinforces horrible habits and expectations.

Using a modern password manager, like 1password, is _easier_, safer, and faster than the stupid email-token flow. It takes a little bit of work and attention at first to set up across a couple of devices, and verify it works.... but it's really about the same amount of effort as keeping track of a set of keys for your house, car, and maybe a workplace.

If you make a copy of a door key when you move into a new place, you test the key before assuming it works. Same thing with a password manager. Save a password on your phone, test it on a different device, and verify the magic sync works. Same as a key copier or some new locks a locksmith may install.

Humans can do this. You don't need to understand crypto or 2fa, but you can click 'create new password' and let the app save some insanely secure password for a new site. Same with a passkey, assuming you don't save to your builtin device storage that has some horrible, hidden user interface around backing that up for when your phone dies.

And the irony is the old flow just works better! You let the password manager do the autofill, and it takes a second or two, assuming there is an email _and_ a password input. Passkeys can be even faster.

southp

I get the point. However, from my own experience this type of one-time passcode is unfortunately the 2nd well-understood authentication method for non-tech people surrounding me. The 1st is the password, of course.

I don't know the general situation, but, at least in our small town, people would go to the phone service shop just for account setup and recovery, since it's just too complicated. Password managers and passkeys don't make things simpler for them either; I've never successfully conveyed the idea of a password manager to a non-tech person, and the passkey is somehow even harder to explain. From my perspective it's both the mental model and the extra, convoluted UX that's very hard to grasp for them.

Until one day we come up with something intuitive for a general audience, passwords and the "worse" one-time code will likely continue to be prominent for their simplicity.

myflash13

just stick with passwords then

danenania

If you have password reset via email, as almost every service using passwords does, there’s no security gain over magic links/codes.

It’s actually worse, since now the email account or the password get you in, vs. just the email account.

MetaWhirledPeas

> If you have password reset via email, as almost every service using passwords does, there’s no security gain over magic links/codes.

I disagree. The problem with the magic code is that you've trained the user to automatically enter the code without much scrutiny. If one day you're attempting to access malicious.com and you get a google.com code in your email, well you've been trained to take the code and plug it in and if you're not a smarty then you're likely to do so.

In contrast, email password recovery is an exception to the normal user flow.

dspillett

And even if proper passwords are used, many sites/apps use this pattern for account recovery if the password is forgotten so effectively this is the only security as an attacker has “forgotten” the password and just uses this flow to login.

I've got a little generic login tool that bits I write myself use for login, using this method, but it is not for anything sensitive or otherwise important (I just want to identify the user, myself or a friend, so correct preferences and other saved information can be applied to the right person, and the information is not easily scraped) - I call it ICGAFAS, the “I Couldn't Give A Factor” Auth System to make it obvious how properly secure it isn't trying to be!

Another issue that email based “authentication” like this (though one for the site/app admins more than the end user) has is the standard set of deliverability issues inherent with modern handling of SMTP mail. You end up having to use a 3rd party relay service to reduce the amount of time you spend fighting blocklists as your source address gets incorrectly ignored as a potential spam source.

0xfeba

> And even if proper passwords are used, many sites/apps use this pattern for account recovery if the password is forgotten so effectively this is the only security as an attacker has “forgotten” the password and just uses this flow to login.

Was about to post just this. This is the flow they use for account recovery so it's the weakest link in the chain anyway.

clement_b

What's quite annoying is how aggressive most products are in forcing this method over regular email+pw / Social Logins. Let me use my 100 chars password!

pas

You are not the target audience, you are not even an outlier, it's probably time to accept this and look for long-term solutions that allow you to interface with the "mainstream".

sampullman

Many (most?) people I know in the "target audience" want to keep their email+password logins.

tristan957

The UX of having to switch apps or websites is terrible when I have auto fill available via the Web browser or a password manager.

whyever

Such long passwords are silly, they will be effectively truncated by the key length of the underlying cryptography.

FabHK

Agreed. But since every character gives you around 6 bits (26*2 letters + 10 numbers + some special characters ≈ 64 = 2^6), you'd need 256/6 ≈ 43 characters to exhaust the checked entropy, so up to that level it makes sense.

If you use sentences instead of randomly generated characters, the entropy (in bits/character) is lower, so 100 characters might well make sense.

sweetjuly

Passwords are (or, rather, SHOULD be) cryptographically hashed rather than encrypted. It's possible to compute a hash over data which is longer than the hash input block size by feeding previous hashes and the next input block back in to progressively build up a hash of the entire data.

xx_ns

bcrypt, one of the more popular password hashing algorithms out there, allows the password to be up to 72 characters in length. Any characters beyond that 72 limit are ignored and the password is silently truncated (!!!). It's actually a good method of testing whether a site uses bcrypt or not. If you set a password longer than 72 characters, but can sign in using just the 72 characters of your password, they're in all likelihood using bcrypt.
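The two points made by FabHK (bits per character and the length needed to reach 256 bits) and by xx_ns (bcrypt only looking at the first 72 bytes) can be put together in a few lines. This is an added example, not code from the thread; it emulates the truncation on the UTF-8 bytes rather than calling a bcrypt library, and counts bytes rather than characters because that is what bcrypt's limit is measured in, so multi-byte characters hit the limit sooner.

```python
import math

BCRYPT_MAX_BYTES = 72   # bcrypt uses at most the first 72 bytes of the password


def bits_per_char(alphabet_size: int) -> float:
    """Entropy of one character drawn uniformly from `alphabet_size` symbols."""
    return math.log2(alphabet_size)


def chars_needed(target_bits: float, alphabet_size: int) -> int:
    """Length at which a uniformly random password reaches `target_bits` of entropy."""
    return math.ceil(target_bits / bits_per_char(alphabet_size))


def bcrypt_effective_input(password: str) -> bytes:
    """Emulates the silent truncation: only these bytes of the UTF-8 encoding
    influence a bcrypt hash (emulation only, no bcrypt library is called)."""
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def bcrypt_silently_truncates(password: str) -> bool:
    """True when part of the password would be ignored by bcrypt."""
    return len(password.encode("utf-8")) > BCRYPT_MAX_BYTES


def surviving_chars(password: str) -> int:
    """Whole characters that fit inside the first 72 bytes."""
    return len(bcrypt_effective_input(password).decode("utf-8", errors="ignore"))


def effective_entropy_bits(password: str, alphabet_size: int) -> float:
    """Entropy that actually reaches a bcrypt verifier. Assumes every surviving
    character was drawn uniformly from the alphabet, so this is an upper bound."""
    return surviving_chars(password) * bits_per_char(alphabet_size)


if __name__ == "__main__":
    print("bits per char, 64-symbol alphabet:", bits_per_char(64))
    print("chars for 256 bits, 64 symbols:", chars_needed(256, 64))
    print("chars for 256 bits, 94 printable ASCII:", chars_needed(256, 94))
    long_pw = "a" * 100                      # constructed placeholder password
    print("100 chars truncated by bcrypt:", bcrypt_silently_truncates(long_pw))
    print("entropy that reaches bcrypt for 100 random chars:", effective_entropy_bits(long_pw, 64))
    print("36 two-byte chars survive out of 40:", surviving_chars("ü" * 40))
```

The last function is the one to keep in mind when choosing a length: with a 64-symbol alphabet, anything beyond 72 single-byte characters adds nothing under bcrypt, and the check xx_ns describes (a password that still works with its tail removed) shows up as two inputs with identical `bcrypt_effective_input`.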

whyever

Yes, in this case it would be easier to brute-force the key instead of the password, so the additional characters don't really help.

browningstreet

I just deleted my gofundme because they kicked me into this cycle today. Somehow I've managed to have an account there and make contributions over the years, but now they wanted my phone number and an MFA code to proceed, and there was no opt-out. I went through it but then deactivated my account. I need less of this in my life, and gofundme is not essential to my life.

I'm in the rental market right now, and Zillow not only has a log-in for the app, but to read messages in your inbox, you have to MFA again each time, and the time-out period is about an hour.

We're being annoyed to death.

This is madness.

StillBored

And there is _NOTHING_ worse than being locked out of an account because without asking they reverse the password and second factor authentication while you're traveling and don't have access to a phone/etc.

Never mind that pretty much all services treat the second factor as more secure than my 20 character random password saved in a local password safe. And those second factors are, let's see, plain text over SMS, plain text over the internet to an email address, etc, etc, etc.

marifjeren

> This is terrible for account security

It's "terrible" because the author can describe exactly one phishing vector?

Have you ever tried resetting a password before? Passwords have a similar phishing vector, plus many other problems that magic links and one-time login codes don't have.

If six-digit login codes are less secure than passwords, the reasons why are certainly not found in this article.

Angostura

I read this sentence 4 times and I still can't parse it:

> An attacker can simply send your email address to a legitimate service, and prompt for a 6-digit code. You can't know for sure if the code is supposed to be entered in the right place.

antirez

Because the sentence makes no sense, but what the author wanted to say was:

- You are in front of the attacker site that looks like a legitimate site where you have an account (you arrived there in any way: Whatsapp link, SMS, email, whatever). Probably the address bar of your browser shows something like microsoft.minecraft-softwareupdate.com or something similar, but the random user can't tell it's fake. The page asks you to login (in order to steal your account).

- You enter the email address to login. They enter your email address in the legitimate site where you actually have an account.

- Legitimate site (for example Microsoft) sends you an email with a six digit code, you read the code, it looks legit (it is legit) and you enter it in the attacker site. They can now login with your account.

trinix912

I think one can also understand it as the attacker being the one to enter the email first.

> An attacker can simply send your email address to a legitimate service, and prompt for a 6-digit code. You can't know for sure if the code is supposed to be entered in the right place.

Replace "can simply send your email address" with "can simply input your email address". An attacker inputs your email at login.example.com, which sends a code to your email. The attacker then prompts you for that code (ex. via a phishing sms), so you pass them the code that lets them into the account.

kenjackson

I read it as just some web page that was bad, but not necessarily imitating a good site. For example some new gaming forum that pops up, which is bad, but uses the gaming forum to get people to send them six digit codes which they use for whatever sites they see fit. Then the people who run the gaming forum are now stealing your Etsy account.

Bender

I don't like any of the methods used today. Passwords are OK for me since I pick strong pass phrases, use different emails per site but for me the superior option for me is IP/CIDR restrictions. A small handful of sites support it and some of those don't expose that they do because some people think a long DHCP lease is a static IP and that can cause a customer support ticket. It was a battle but I have managed to get some financial institutions to enable it for me. Every bank big and small can do this but tellers and bankers have no idea, only their IT person. When that fails I just disable internet access to my account from the financial institutions and go talk to a real person face to face. If that isn't an option I just don't do business with them. Simple as. I do 99.999999% of my internet access from home but if I depended on mobile I would have a VPN back to my home to utilize my static IP from a Linux laptop. I do not browse the internet from a cell phone and never will. Not perfect, nothing is.

kazinator

I believe (and the article should make it clear) that the article is criticizing specifically the use of the code that the user must enter into a box, which invites man-in-the-middle attacks.

The article is not advocating against e-mail-driven URL-based password reset/login, whereby the user doesn't enter any code, but must follow a URL.

The six digit code can be typed into a phony box put up by a malicious web site or application, which has inserted itself between the user and the legitimate site.

The malicious site presents phony UI prompting the user to initiate a coded login. Behind the scenes, the malicious site does that by contacting the genuine site, and provoking a coded login. The user goes to their inbox and copies the code to the malicious site's UI. The site then uses it to obtain a session with the genuine site, taking over the user's account.

An SSL-protected URL cannot be so easily intercepted. The user clicks on it and it goes to the domain of the genuine site.
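The difference antirez and kazinator describe is about who carries the secret back to the genuine site, not about the secret itself. The following added example (not code from the article, the thread, or any vendor) models a minimal server that issues either a 6-digit code or a link token with the hygiene a verifier should have anyway (secret hashed at rest, single use, short TTL, constant-time comparison), and then runs both flows from the same starting point: a party other than the user has requested the login. The hostnames, e-mail address and party labels are constructed for the simulation.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

GOOD_ORIGIN = "https://good.example"   # constructed origin for the simulation
USER_EMAIL = "user@example.net"        # constructed account


@dataclass
class Pending:
    email: str
    secret_hash: str       # the code or link token is stored hashed, never in the clear
    expires_at: float
    used: bool = False


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


class GoodSite:
    """The legitimate site. Both flows are single-use and time-limited; what differs is
    who presents the secret: the user, to whatever page is in front of them (code),
    or the user's browser, addressing GOOD directly (link)."""

    def __init__(self, ttl_seconds: float = 600.0):
        self.ttl = ttl_seconds
        self.pending: dict[str, Pending] = {}
        self.outbox: list[dict] = []                 # stands in for mail delivered to the user
        self.sessions: list[tuple[str, str]] = []    # (account, party that received the session)

    def _issue(self, email: str, secret: str, now: float) -> str:
        pending_id = secrets.token_urlsafe(8)
        self.pending[pending_id] = Pending(email, _digest(secret), now + self.ttl)
        return pending_id

    def request_code(self, email: str, now: float) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        pending_id = self._issue(email, code, now)
        self.outbox.append({"to": email, "code": code})
        return pending_id

    def request_link(self, email: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        pending_id = self._issue(email, token, now)
        self.outbox.append({"to": email, "url": f"{GOOD_ORIGIN}/login?pid={pending_id}&t={token}"})
        return pending_id

    def redeem(self, pending_id: str, secret: str, presenter: str, now: float) -> bool:
        """Grants a session to whoever presents a valid, unexpired, unused secret.
        The server has no way to tell whether `presenter` is the person who read the mail."""
        entry = self.pending.get(pending_id)
        if entry is None or entry.used or now > entry.expires_at:
            return False
        if not hmac.compare_digest(entry.secret_hash, _digest(secret)):
            return False
        entry.used = True
        self.sessions.append((entry.email, presenter))
        return True


def browser_follow(url: str, sites: dict[str, GoodSite], presenter: str, now: float) -> tuple[str, bool]:
    """A click sends the token to the origin named in the URL and to nowhere else."""
    origin, _, query = url.partition("/login?")
    params = dict(kv.split("=", 1) for kv in query.split("&"))
    site = sites.get(origin)
    if site is None:
        return origin, False
    return origin, site.redeem(params["pid"], params["t"], presenter, now)


def relayed_code_flow(now: float = 0.0) -> list[tuple[str, str]]:
    """The scenario from the thread with a typed code: a third party starts the flow,
    the user reads the genuine mail and types the code into the page in front of them,
    and the third party's backend presents it. Returns who ended up with a session."""
    good = GoodSite()
    pending_id = good.request_code(USER_EMAIL, now)     # started by the third party, not the user
    typed_code = good.outbox[-1]["code"]                  # user copies the code out of the genuine mail
    good.redeem(pending_id, typed_code, "third-party backend", now)
    return good.sessions


def link_flow(now: float = 0.0) -> tuple[list[tuple[str, str]], bool, bool]:
    """Same starting point with a link: the click goes to GOOD, so the only session
    created belongs to the user's browser, and the consumed link cannot be reused."""
    good = GoodSite()
    pending_id = good.request_link(USER_EMAIL, now)
    url = good.outbox[-1]["url"]
    _origin, clicked_ok = browser_follow(url, {GOOD_ORIGIN: good}, "user's browser", now)
    replay_ok = good.redeem(pending_id, url.rsplit("&t=", 1)[1], "anyone else", now)
    return good.sessions, clicked_ok, replay_ok


def expired_code_is_rejected(ttl_seconds: float = 60.0) -> bool:
    """A correct code presented after the TTL is refused."""
    good = GoodSite(ttl_seconds)
    pending_id = good.request_code(USER_EMAIL, 0.0)
    return not good.redeem(pending_id, good.outbox[-1]["code"], "user's browser", ttl_seconds + 1)
```

Nothing in `redeem` can distinguish the two presenters, which is the point: hashing, expiry and single use are necessary but do not address relay. With the code, the session goes to whoever the user handed the digits to; with the link, the browser addresses the origin in the URL, and a genuine origin under TLS is what kazinator means by "cannot be so easily intercepted".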