undefined | Better HN

0 pointsrstuart41336y ago0 comments

> I tried to get mine as future-proof as possible

I don't think that's possible right now. Until they come up with a solution to "I've lost my 2fa token" that isn't as painful as losing you wallet there will be new designs coming out. (Actually, it's more painful. You only have a few cards in your wallet, while your 2fa token may be recognised by 100's of sites.)

This isn't a criticism of FIDO2/WebAuthn. I am impressed by how each iteration solves a new part of the problem, and FIDO2 was definitely a step forward, fixing rough edges in FIDO. But we aren't there yet. We need a FIDO3 and possibly 4, 5 and 6.

0 comments

AdmiralAsshat6y ago

Having a backup 2FA token seems like a solution, no? As I already said, I've got a lower-end Yubikey that is basically only there to be a backup in case of emergencies.

rstuart4133OP6y ago

To be honest I didn't understand your backup strategy. As far as I'm aware it isn't possible to clone a key - and I sincerely hope that's true. If you can't clone it the only other way I can think of using a backup is having every site you log into accept two so you can authenticate with either - but I've never noticed a site that can do that.

Assuming it's the "authenticate with either" solution, it ain't a great solution. If you have to replace a key you still have to visit every site you authenticate with and provide you new key. Looking at my password manager that seems to mean 100's of sites in my case.

There are lots of potential solutions to the "dog eat my token" that don't require me to visit every site I authenticate with - or even notify them. Online servers can even handle the "someone stole my token" case. Right now the only deployed online solution we have is OAuth, which really an authorisation mechanism. It sucks at for authentication.

j / k navigate · click thread line to collapse