alternatives to passwords are just excuses to harvest info
It is quite normal to ask for an email address at registration even when using password based authentication.
Or the obscure ways for 2FA/MFA. Passkeys are mostly cloud based. Yeah fuck no! The weakest Passkey is weaker than my usual random generated password, if the site don’t do any shady business and require a weak password. Hardware keys are luckily not pushed for usage. I don’t like them either. You require at least 2, for backup reasons. They also cost quite some money and they have zero auth. Just connect to usb and tap it. Also retrieving the backup and get a replacement for a defective one, takes some time.
Good old TOTP as 2FA is perfect, paired with a strong, random password. With my TOTP, I have an encrypted backup in my cloud, on my NAS, older backups in secure places and backup codes in several places. The TOTP App I use is open source and I have a mirror of the source code.
This should be enough security, if sites don’t screw up all the time. You can bypass 2FA all the time. Even the credit card company screwed up big time. Usually you get 2 separate letters, one with your pin and one with your card. Both came on the same day. Also I actually didn’t needed the pin in the first place. I was able to add the card to the app and see the pin there, without actually verifying anything, except the credit card number.
Maybe when passkeys are supported in my password manager, I will try it but so far it isn’t and switching is not an option, as it doesn’t support the features I need. There is an open issue for an alternative password manager, with that feature request and it has some people wanting it, but its still not added. But passkeys doesn’t fix the issue for me using stronger keys, it fixes the site owners to allow stronger keys but they are still not required to use it. Some devs are just weird. I’ve read one PR for an FOSS project I use, where someone wanted to implement a universal oath or such stuff, that would support all types of external authentifications. Nope, the dev refused the PR and they wanted to stay at the 2 proprietary implementations, for 2 services, even though this universal implementation would work with these 2 too. I can’t tell exactly what it was. I was experimenting with an auth service for my self hosted stuff, to not deal with several accounts and rights systems. This service was the first one which I wanted to switch and they didn’t wanted to support it, leaving me with the standard login.
What password manager doesn’t support passkeys these days?
That’s the one good thing about just-eat leaving Denmark, no more having to deal with that BS.
As an autistic person I felt this in my bones. I cannot STAND email based authentication.
Recently finished a side project and I was glad I could go with pure login/pass auth. No email no oauth, just a pass phrase for account recovery. It’s refreshing and so damn simple.
It’s over the phone, but the “We’ll send you a text to confirm your identity if you provide a phone number.” Has got to be one of the stupidest wastes of time.
I slightly appreciate it, explicitly when it’s a service that excludes voip numbers.
Or worse:
Use email link -> use password instead
Enter password
Now enter the code that we sent you your email…
2 factor authentication, only when you feel like it.
They might as well be piping the password to
/dev/null
Passkeys or oauthn/fido. I just can’t believe we’re still talking about passwords in 2025 when these very robust, user friendly features have been widely available for years.
FIDO alliance FTW!
The best I’ve seen was yesterday where a website had the log-in button greyed out after the password manager filled my creds in.
So I had to manually click both the email and password field. Just click them. Then it enabled the log-in button.
So someone took their time to write a piece of JS that said “If the user hasn’t focused both fields at least once, no login”. Literally why? Extra code that does nothing useful.
I was hoping passkeys would be the solution to this madness, but it seems to me the entire spec gives too much power to the OS Makers and too little to the users because “mUh AtTtEsTatIoN” so now I don’t know anymore
I’ve definitely run into that. Even more frustrating is when there was one particular site that forced me to actually delete the last character of my password and then retype it. Just focusing in the field wasn’t enough, I had to actually send it a keystroke. And Ctrl-V to paste the password in manually didn’t count. I suppose typing a random character at the end and then deleting it would have worked too.
When ctrl+v is disabled to “prevent brute force bots” or something ridiculous
I used to have this problem with the payroll website ADP! So cursed
My utitlies website doesn’t let you login if the password field is autofilled by the browser. Whatever Angular-based form validation they are using doesn’t play nice with Firefox’s saved password feature. You have to manually type something in the password field, so I always add and remove a space from the password.
I sent an email to their support, hoping they would fix it, but they just responded saying that they can’t reproduce it.
Well, I can reproduce it. I even told you how. That sounds like a skill issue.
the user must be a human, so i imagine that being the rationale.
God I hate those stupid magic links. They’re WAAAAYYY slower than just using my password manager.
AND they kinda contribute to locking you into Big Tech. I sometimes have problems with those stupid links because I don’t have a Gmail account. Somewhere along the stupid chain there’s probably some stupid check that delays or blackholes emails to non-big-tech domains.
Based.
Email is terrible. It’s an unreliable communication system. You cannot depend on sent emails arriving in the recipient’s mailbox—even the spam folder.
People indirectly assume that all emails at least get to their spam folder. They don’t. There are multiple levels of filters that prevent most emails from ever making it that far because most email traffic is bots blasting phishing links, scams, and spam. Nobody wants phishing and scam emails, but the blocks that prevent those are being used by big tech to justify discriminating against small mail servers.
I can’t remember the site, now, but I literally couldn’t log into one this week because the email never arrived.
I had an email never arrive because I used Firefox for Linux. It worked on my phone in a different browser. God knows what went on there. I suppose their website never really registered I even made a request from my desktop even though it told me the email was on the way. Really strange.
I can’t remember the site, now, but I literally couldn’t log into one this week because the email never arrived.
Well, email allows you to solve that issue by self-hosting. But what you can’t solve is that if you do self-host, gmail will drop your emails to spam or just discard them completely, just because it feels like it, even if you do the whole dance with DMARC and have used the domain for a good few years. It’s frustrating as shit.
Worst one I’ve seen: username and password plus a 2FA email, BUT if you hit enter instead of clicking the last button it refreshes the page.
Also This strange trend to split username and password on to two separate pages, or only showing the password field after confirming the username
- Username
- Password
- MFA
- Do the whole process all over again because the remember this device is on step 2 and it’s impossible to go back
Bonus stage 0: special login URL decided to crap out, and going back to any point in history automatically redirects to the error page that you can’t use to log in, so you need to keep going back and trying to copy the URL before it redirects becausw Firefox interprets pressing “stop” as “do whatever you want idk”
Fucking aws…
You forgot step 2.5: incorrectly identifying stoplights 6 times in a row.
Oh fuck, the stone piles -thing is the worst of those. Tiny images, badly generated so you can’t see shit, multiple rounds that have six or so images each round, you can’t make a single mistake, and you get to know did you make any mistakes only after completing all of the rounds. It’s straight up abuse
Once I had to try over five times and still kept failing, so I just gave up. I guess I’m not a human anymore
It took me years to learn that you’re supposed to do them very slowly. Otherwise it will keep bothering you to fill out more. Pretend you are 80 years old and you’re good to go on your first try.
Not that strange. Different users may belong to different groups which may have different authentication backends. The associated authentication method is brought up once a username has been provided.
You can do that as part of an OAuth workflow. You don’t need to have them on separate pages for that to happen.
if your choice of api route directly affects your auth flow something is very wrong.
Yes, but, it also lets them slurp up email addresses. Routing users is legit tho.
And the auto-submitting TOTP entry form where you’re apparently not allowed to make a typo. And obscuring the TOTP number like it’s a password or state secret.
This is because of Enterprise Single Sign On. You can try this for yourself by going to https://gmail.com/ and enter the email of a public person at a large org, for example the CEO of Doordash (
tony@doordash.com). After you enter the email, you get sent to Doordash’s employee portal to authenticate. Based on the email you provide, Gmail has to figure out if you need to provide a password to gmail itself or if the email authenticates another way.It’s not like you can’t add a “Log in with your company’s SSO” button to the form. That works just fine and at least Microsoft does something like that.
Not sure I’d take design inspiration from Microsoft of all places. Also https://login.live.com/ has the same workflow email -> continue -> password. Not sure where you’re seeing Log in with SSO option.
I see the Login with SSO option all over the place. Of course, that assumes the users actually understand what that means, and they know whether or not they need to click it.
My company uses Entra ID (or whatever they’ve renamed it to this week) and it’s a pretty common sight in our login flow. I think our SharePoint instance does it so it should be something MS does.
Of course it all depends on w how the company configures it.
Ok, I think I get what you’re saying. You mean have a different form input without the password, like how it’s done here: https://eu.app.orcasecurity.io/login? I guess that’s one way to do it, but it’s not really intuitive from a user perspective, since the first thing you see is a password field, and then think you don’t have access because you don’t have a password. This one comes to mind because I have had to tell people to click the tab for the email only field, not email and password.
I also often see implementations where there’s a first step where you have to select how to log in. It’s an extra click but very clear (and usually one of the options is some form of SSO where that one click fully logs you in if you already have a session open).
1Password handles this gracefully
HEY BUT DO YOU WANT TO USE A PASSCODE?? PASSCODE! PASSCODE! USE THE PASSCODE! -_-
Yeah what the hell is up with that one? Seems so sketchy
Passkeys are okay, but your browser and OS want you to use them because you can’t just take a passkey to another platform, you have to create a new one, and it’s a pain in the ass.
It’s a lock-in gimmick latching on to a real useful solution.
Ok that makes a lot of sense. It definitely seems like it’s more for them than it is for the user’s “convenience”
Password managers can hold Passkeys now and they’re portable. Bitwarden stores all of mine, use them on any machine.
While true, it still means you’re locked into only being able to log in from a browser that has the password manager extension installed and logged in. Sometimes I want to log in from another machine, or another OS, or another browser, or even an incognito window that doesn’t have access to my extensions.
Yeh, I have passkeys in bitwarden.
I get it. Once they become ubiquitous, you click “login” your password manager prompts you to select account, and you are in.
No password that can be leaked, incorrectly stored, brute forced.
Corporations can pre-register company service passkeys for new users.
It’s like mTLS, except staged.
That’s false. My passkeys sync to my password manager and are available on all my devices
Passkeys are fine. It’s just MTLS but by marketers (if by passcode you mean passkeys. otherwise, what’s a passcode?)
Ah but you see it’s one factor of authentication that also conveniently loops in whichever email provider is spying on you
Ding! Ding!
This is the real answer: mail providers get to track you, your service get constant confirmation that your email is live (so they can send more ads from themselves plus their 400 closest affiliates). It’s a win-win situation for everyone /s.
“The
beatingsenshitification will continue, until moral is improved.”Of course. How would Microslop or Google LLMs snoop on your data then? You guys really make no effort… /s
Just let me use passkeys at this point. The way that people typically use passwords is less secure anyway, why not just make it as simple as possible?
I would love to use my physical Yubikey, but all the websites I’ve seen that allow passkey login always deny both Yubikeys.
That’s a shame, yubikeys are a really neat tool. I’ve considered picking one up so many times
I forget. Are passkeys the access method that prevents you from logging in ever again if you lose access to a device?
Typically, no. You’re thinking of TOTP/Authenticator based 2FA. Those still come with backup codes in case you break the phone that has the TOTP codes warehoused. I always recommend keeping those backup codes saved in the notes of whatever password manager you’re hopefully using.
Passkeys are essentially just one half of a cryptographic key pair (like what you’d use for authenticating SSH without passwords). These allow you to authenticate once using password + 2FA, then use the generated passkey for future sessions. Since these are much more complex than passwords and remove the need to actually remember anything, they are significantly more secure.
There are also some other features that I’m forgetting, and that may not be a perfectly accurate description, but I think you can get the gist.
Passkeys are supposed to be bound to one device and protected by that device’s OS’s secure enclave. If you have a second device you’re supposed to create a second passkey.
That’s why many sites will flat out refuse to let you create a passkey with a desktop browser since a PC-stored passkey doesn’t fit the security model.
Websites should not get to dictate my security model. I’ll accept annoying me about being less secure because I get that people are dumb, but you’ve gotta choose somehow! Also, any passkey is safer than a password, so that’s still BS.
The logic behind it is that a smartphone-bound passkey represents two factors of authentication: what you have (the phone) and who you are (the fingerprint used to unlock the phone’s passkey store).
Anything on a PC is easily copied and can only ever be safely assumed to represent one factor: what you know (the password to unlock your password manager). Thus the benefit of getting a two-factor authentication in one convenient step falls away.
Of course it’s still super annoying, especially if you don’t really trust your smartphone OS vendor and use a portable password manager already.
Yeah, that’s how I understood it to work, as well. I didn’t mention it because I’ve seen a bunch of different implementations that don’t seem to work that way. I didn’t want to speak too much on that specific point, since I don’t have a very thorough understanding of it.
Only if you use the OS built-in saving.
Most password managers support them at this point, making them portable and secure.
No? My password manager holds them so they are available everywhere…
Yes
