this post was submitted on 18 Jan 2025
Technology
I think for some apps you need a mainstream os. But maybe you can use the bank website instead?
It's less convenient but it's a payoff
Unfortunately, in the country where I live pretty much everything requires a 2fa app from the government and also my job requires a 2fa app in general, so not having those would make the whole device useless.
That is too bad. Scary what the government can do. Sounds like you will need two devices if you care to have one that is open source.
Requiring 2FA is a good idea though.
There are plenty of 2FA apps you can use that aren't made by the government and will work fine on any phone.
2FA isn't the problem. It's being required to use a specific app.
My guess would be that a 2FA app from the government is likely using PKI (private + public keys) or something similar, rather than a basic TOTP algorithm. There's not really a generic app for something like that. Many services are moving away from TOTP since it's not phishing-resistant.
Nothing is phishing resistant though?
FIDO2 tokens (like Yubikeys and passkeys) can't be phished.
Yes, it's as easy as with the TOTP app. A message that says "ok, now tell us the code"
FIDO2/WebAuthn hardware tokens don't use a code. That's why they're phishing resistant. You have to press a hardware token (usually plugged in via USB) to authenticate, but it doesn't do anything obvious on the screen like type a code. On mobile, these tokens usually use NFC, so you just tap the Yubikey or whatever to the back of your phone.
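The two claims above (a TOTP code relays through a "now tell us the code" page, while a FIDO2/WebAuthn assertion does not) can be shown side by side in code. This is an added illustration, not code posted in the thread and not Yubico's or any vendor's implementation. The TOTP half follows RFC 6238 exactly (HMAC-SHA1, 30-second step, six digits) and checks against the RFC's published test secret. The WebAuthn half is a simplified model: a real authenticator signs with a per-credential private key (typically ECDSA P-256) and the site verifies with the stored public key; to stay within the Python standard library the model substitutes an HMAC with a secret handed over at registration. What the model keeps faithfully is the structure of the signed data, authenticatorData (rpIdHash || flags || counter) followed by SHA-256 of clientDataJSON, and the fact that the browser, not the page, writes the origin into clientDataJSON and refuses an rpId that is not the page's host or a parent of it. The names `bank.example` and `bank-login.example` are constructed.

```python
import hashlib
import hmac
import json
import os
import struct

# ---------- TOTP as specified in RFC 6238 (HMAC-SHA1, 30 s step, 6 digits) ----------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Code for `secret` at `unix_time`. Note what is absent: nothing about who is asking."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_relay_succeeds(secret: bytes, now: int) -> bool:
    """The phishing page says "now tell us the code"; the user reads it off the app
    and types it in; the phisher forwards the same digits to the real site."""
    digits_typed_into_phishing_page = totp(secret, now)
    return hmac.compare_digest(totp(secret, now), digits_typed_into_phishing_page)

# ---------- FIDO2/WebAuthn assertion, simplified model (HMAC stands in for ECDSA) ----------
def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()

def client_data_hash(client_data: dict) -> bytes:
    return hashlib.sha256(json.dumps(client_data, sort_keys=True).encode()).digest()

class Authenticator:
    """Models a hardware key; credentials are looked up by rpId, nothing else."""
    def __init__(self):
        self._creds = {}

    def make_credential(self, rp_id: str) -> bytes:
        self._creds[rp_id] = os.urandom(32)
        return self._creds[rp_id]          # stands in for the public key the site stores

    def get_assertion(self, rp_id: str, client_data: dict, counter: int = 1) -> dict:
        if rp_id not in self._creds:
            raise LookupError(f"no credential for rpId {rp_id!r}")
        auth_data = rp_id_hash(rp_id) + b"\x01" + struct.pack(">I", counter)  # flag: user present
        signed = auth_data + client_data_hash(client_data)
        sig = hmac.new(self._creds[rp_id], signed, hashlib.sha256).digest()
        return {"authenticator_data": auth_data, "client_data": client_data, "signature": sig}

def browser_get(key: Authenticator, page_origin: str, rp_id: str, challenge: str) -> dict:
    """What navigator.credentials.get() does for a page: the browser fills in the origin
    itself and refuses an rpId that is not the page's host or a parent domain of it."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"rpId {rp_id!r} is not valid for {host!r}")
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    return key.get_assertion(rp_id, client_data)

class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin, self.cred_secret = rp_id, origin, None

    def verify(self, assertion: dict, challenge: str) -> bool:
        cd = assertion["client_data"]
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return False
        if cd.get("origin") != self.origin:       # origin the browser recorded, under the signature
            return False
        ad = assertion["authenticator_data"]
        if ad[:32] != rp_id_hash(self.rp_id):
            return False
        expected = hmac.new(self.cred_secret, ad + client_data_hash(cd), hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])

def _registered_pair():
    key, bank = Authenticator(), RelyingParty("bank.example", "https://bank.example")
    bank.cred_secret = key.make_credential(bank.rp_id)      # registration ceremony, simplified
    return key, bank

def honest_fido2_login(page_origin: str = "https://bank.example") -> bool:
    key, bank = _registered_pair()
    challenge = os.urandom(16).hex()
    return bank.verify(browser_get(key, page_origin, bank.rp_id, challenge), challenge)

def phished_fido2_login(phishing_origin: str = "https://bank-login.example") -> bool:
    """Same relay as the TOTP case, with a key instead of a code: the phisher forwards
    the bank's real challenge and the user taps the key while on the phishing page."""
    key, bank = _registered_pair()
    challenge = os.urandom(16).hex()
    phish_host = phishing_origin.split("://", 1)[1]
    for rp_id in (bank.rp_id, phish_host):     # the page cannot name the bank's rpId,
        try:                                    # and its own host has no credential on the key
            return bank.verify(browser_get(key, phishing_origin, rp_id, challenge), challenge)
        except (ValueError, LookupError):
            continue
    return False
```

The asymmetry is in what gets transported: the TOTP app emits six digits that are a function of the secret and the clock only, so whoever collects them can forward them. The key emits a signature over the relying-party ID and the origin the browser observed, so an assertion made on `bank-login.example` is either never produced (the browser will not pass the bank's rpId to the key from that page, and the key holds no credential for the phishing host) or, if it somehow were, carries the wrong origin under the signature and fails `verify`. That, not the absence of a visible code, is what makes the token phishing-resistant.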
Ah ok. Last time I had a hardware key it had a little display that showed numbers. I thought yubikey did the same thing.
That's pretty cool. Ideally I'd get something like a yubikey to unlock my password manager, except I'm not sure how the yubikey is supposed to interact with a desktop computer, especially a shared/public one.
Oh yeah, I had one of those a long time ago for my PayPal account, before smartphones were widespread.
I'm using a Yubikey with my password manager (self-hosted Vaultwarden) and it works well! The Yubikey is a USB device - you can get it either as a USB-C or USB-A. It should work with any desktop PC as long as USB devices are allowed. I've got one on my keychain, and a second one stored somewhere safe. Good to have a spare one as a backup just in case the main one dies.