You can still accidentally leak your password via phishing or malware. 2FA is fine if you don’t tie it to a phone number, simplest way: install any authenticator app for TOTP tokens. Scan the QR code on multiple devices like phone + tablet, or old phone, for redundancy. Or save the secret key.
Google and most critical services also give you a list of 10 single use emergency codes that you should print or save in Keepass - lost the phone? Nbd just use one of the codes and reset 2FA.
I also never thought my non shared password would be public but one day I suddenly got prompted on the authenticator if I wanted to login; still no idea how or why but at least no one could get in and immediately rotated out the password.
Nah, any decent password manager or security application can manage multi-factor security credentials of any kind without lock-out due to phone loss.
Password authentication is beyond primitive by offering too many avenues of attack: the full secret is transmitted & shared.
Passkeys, client certificates, OTP don’t transmit the secret key.
Passkeys & client certificates authentication never share a secret key, so the server can’t expose it.
This is what I do as well. A few services force 2fa though and also have 0 good options (let me use my flipper as a u2f through not chrome, ungoogled-chromium works, but damn), and for those I’m forced to use text.
While I’m here, anyone have a good chrome based browser that is private and can use serial ports for flashing meshtastic devices and u2f? Need android mainly because I have ungoogled-chromium on linux, but will take recs for linux too if there’s a better one.
Yea this is exactly why I don’t use 2FA
If the password is like 64 characters randomly generated by Keepass, the 2FA doesn’t matter.
You can still accidentally leak your password via phishing or malware. 2FA is fine if you don’t tie it to a phone number, simplest way: install any authenticator app for TOTP tokens. Scan the QR code on multiple devices like phone + tablet, or old phone, for redundancy. Or save the secret key.
Google and most critical services also give you a list of 10 single use emergency codes that you should print or save in Keepass - lost the phone? Nbd just use one of the codes and reset 2FA.
I also never thought my non shared password would be public but one day I suddenly got prompted on the authenticator if I wanted to login; still no idea how or why but at least no one could get in and immediately rotated out the password.
Nah, any decent password manager or security application can manage multi-factor security credentials of any kind without lock-out due to phone loss.
Password authentication is beyond primitive by offering too many avenues of attack: the full secret is transmitted & shared. Passkeys, client certificates, OTP don’t transmit the secret key. Passkeys & client certificates authentication never share a secret key, so the server can’t expose it.
This is what I do as well. A few services force 2fa though and also have 0 good options (let me use my flipper as a u2f through not chrome, ungoogled-chromium works, but damn), and for those I’m forced to use text.
While I’m here, anyone have a good chrome based browser that is private and can use serial ports for flashing meshtastic devices and u2f? Need android mainly because I have ungoogled-chromium on linux, but will take recs for linux too if there’s a better one.