this post was submitted on 25 Oct 2024
-4 points (46.7% liked)

Games

[email protected] 4 points 3 weeks ago

The better alternatives are worse though. Key-based authentication would allow you to effectively authenticate a trusted account on a trusted device with a single action, but requires you to not lose your keys, or to have a multifactor fallback. This is what I want tbh - I tap my yubikey when I set up my phone, and now it doesn't require passwords. For extra security, require tap on boot.

[email protected] 8 points 3 weeks ago* (last edited 3 weeks ago)

There's literally nothing wrong with enforcing TOTP over just a password.

[email protected] 47 points 3 weeks ago (2 children)

This is a pretty terrible take… if you take just a little bit of time to set up a password manager and use the browser plugin it is all just one password away. I actively seek out additional 2FA because it’s just simple and seamless, where my password manager will put the TOTP code on my clipboard ready to paste, or it’ll automatically pop up when the site asks for a passkey (like Google, referenced in the article).

Just sounds like this dude is whining about a problem that he doesn’t want to solve for himself.

[email protected] 5 points 3 weeks ago (1 children)

Security and convenience will forever be on opposing sides of a spectrum. You can move along the spectrum, but more of one thing will mean less of the other. That's just a fact.

[email protected] 5 points 3 weeks ago

I gotta disagree with you there, my online life is by far more convenient now that I have it all organized and stored in a password manager. So much less to remember and so many fewer roadblocks now that I don’t have to remember usernames and passwords.

Even my mom swears by how much more convenient it is to have a password manager, and she's not what you would call "tech savvy".

[email protected] 10 points 3 weeks ago (2 children)

As a game designer, I would prefer my security be maintained through an elaborate series of puzzles.

[email protected] 6 points 3 weeks ago* (last edited 3 weeks ago)

It's all fun and games until the giant, hulking, unkillable zombie mutant starts stalking you and suddenly that elaborate lock involving 13 different Renaissance paintings arranged through a hallway under different colored lights seems vastly inferior to just having a fucking key and normal lock.

Umbrella Corp. Security Specialist: "Okay, but what if you lose the key?"

[email protected] 3 points 3 weeks ago

Fun fact: any game dev's financial data can be stolen if you're capable of answering my riddles three.

[email protected] 2 points 3 weeks ago

It's literally meant to protect by needing another code that isn't just "Password1!"

[email protected] 9 points 3 weeks ago (1 children)

I don't think that the problem is 2FA itself so much as poor UX on existing systems.

Let's say that I have a little USB keychain dongle in my pocket with an "approve" button and a tiny screen. When I sign in, at the time that I plug my password in, I plug the dongle in. It shows the information for whom I am approving authentication. I push the "approve" button.

It's got a trusted display (unlike a smartcard, so that a point-of-sale system can't claim that I'm approving something other than what I am).

It can store multiple keys, and I basically use it for any credentials that I don't mind carrying with myself.

I then keep another, "higher security" dongle at home with more-sensitive keys.

Does that add some overhead relative to just entering my password? Yeah. But is it a big deal? No. And it makes it a lot harder for someone to swipe credentials.

I agree that using phone-linked SMS 2FA authentication is problematic (for a number of reasons, not just because it locks you to a phone, but because there are also privacy implications there).
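
The comment above describes a token with a trusted display and a separate key per credential, so that a point-of-sale terminal "can't claim that I'm approving something other than what I am". As an added simulation (not code from the thread, and not any real token's firmware), the following shows the two properties that make that work: the device signs the relying-party name it displayed together with the challenge, and it uses only the key enrolled for that name. An HMAC key shared at enrolment is used as a stand-in for the per-site asymmetric key a real FIDO-style token would hold; the names "bank.example" and "cafe.example" and the user "alice" are constructed.

```python
import hashlib
import hmac
import secrets


class Dongle:
    """Simulated USB token: one key per relying party plus a trusted display."""

    def __init__(self):
        self._keys = {}          # rp_id -> key (stand-in for a per-site private key)
        self.last_shown = None   # what the trusted display showed at the last request

    def register(self, rp_id: str) -> bytes:
        """Enrol with a relying party; returns the key that party will verify against."""
        key = secrets.token_bytes(32)
        self._keys[rp_id] = key
        return key

    def approve(self, rp_id: str, challenge: bytes, user_expects: str):
        """Show rp_id on the display; sign rp_id||challenge only if the user approves."""
        self.last_shown = rp_id
        if rp_id != user_expects:
            return None          # display shows a party the user did not intend: no press
        key = self._keys.get(rp_id)
        if key is None:
            return None          # never enrolled with that party
        return hmac.new(key, rp_id.encode() + b"|" + challenge, hashlib.sha256).digest()


class RelyingParty:
    """Server side: issues single-use challenges and checks the token's response."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self._keys = {}          # user -> enrolled key
        self._pending = {}       # user -> outstanding challenge

    def enroll(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(16)
        self._pending[user] = c
        return c

    def verify(self, user: str, response) -> bool:
        c = self._pending.pop(user, None)     # consumed on first use, so replay fails
        key = self._keys.get(user)
        if c is None or key is None or response is None:
            return False
        expected = hmac.new(key, self.rp_id.encode() + b"|" + c, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_scenarios() -> dict:
    """Constructed scenarios: one honest terminal and two misbehaving ones."""
    dongle = Dongle()
    bank = RelyingParty("bank.example")
    cafe = RelyingParty("cafe.example")
    bank.enroll("alice", dongle.register("bank.example"))
    cafe.enroll("alice", dongle.register("cafe.example"))

    # 1. Honest terminal: the display says bank, the user meant bank.
    c = bank.challenge("alice")
    sig = dongle.approve("bank.example", c, user_expects="bank.example")
    honest = bank.verify("alice", sig)
    replay = bank.verify("alice", sig)        # same response again: challenge already used

    # 2. Terminal relabels a bank challenge as the cafe: the token signs with the
    #    cafe key, so the bank's check fails even though the user pressed approve.
    c = bank.challenge("alice")
    relabelled = bank.verify("alice", dongle.approve("cafe.example", c, user_expects="cafe.example"))

    # 3. Terminal forwards the bank challenge truthfully while the user thinks they
    #    are paying the cafe: the display reveals the mismatch and nothing is signed.
    c = bank.challenge("alice")
    sig = dongle.approve("bank.example", c, user_expects="cafe.example")
    declined = bank.verify("alice", sig)

    return {"honest": honest, "replay": replay, "relabelled": relabelled,
            "declined": declined, "signed_when_declined": sig is not None,
            "last_shown": dongle.last_shown}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Scenario 2 is the one a smartcard without a display cannot defend against on its own: the card would sign whatever the terminal hands it. Binding the signature to the party name and keeping one key per party means a mislabelled request is worthless to the real party, and the display lets the user catch the case where the label is truthful but not what they intended.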

[email protected] 3 points 3 weeks ago

I then keep another, "higher security" dongle at home with more-sensitive keys.

Noted :)

[email protected] 10 points 3 weeks ago (1 children)

"Allow me to introduce myself."

~ Three Factor Authentication

[email protected] 7 points 3 weeks ago (1 children)
[email protected] 7 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

I don't care about a second layer of security on most of my things, like Lemmy for example, I really don't care if it's secure. My Blizzard launcher, I really don't care. My Discord? Ok, maybe a little.

That being said, due to this, I have both my TOTP and my passwords in the same program. It still requires a second password to access, but it removes a little of the security. My vault is encrypted by a private key plus a password, and any type of off-system storage is encrypted an additional level past that; if someone gains access to that vault, I have far worse issues at hand than someone managing to steal my accounts.

[email protected] 1 points 3 weeks ago (1 children)

I have both my TOTP and my Passwords in the same program

What're you using for this?

I'm using Bitwarden in a similar configuration but given they're being funky about their definition of 'open source', I'm maybe looking for an alternate.

[email protected] 3 points 3 weeks ago

I'm using KeePassXC with Syncthing as my sync service, with my server as encrypted long-term storage. It's pretty flawless, just make sure that you keep file versioning on (it's a setting in Syncthing) for at least 2 versions. I haven't had it happen yet, but with any dual-system setup there might be a sync conflict if it fails to sync before being modified.

[email protected] 23 points 3 weeks ago* (last edited 3 weeks ago)

The hassle and delay is part of how it works. If there was a seamless catch-all then it wouldn't be feasible to make it secure.

Having a second physical factor, as much as it can be a hassle, is much better than any single factor.

Your password can be breached, brute forced, bypassed if there’s an issue somewhere.

Your biometrics can't be changed, so anything that breaks them (such as the breach of fingerprints in databases, etc.) makes them moot.

A single physical token can be stolen and/or potentially cloned by some attack in physical proximity (or breach of an upstream certificate authority).

But doing multiple of those at the same time? That's inordinately harder to do.

I will say the point/gist of the article is a good one. The variety of types, some used here and others used there, does make it a hassle to try to wrangle all the various accounts/logins. Especially in their corporate and managed deployment, which isn't saving passwords and has an explicit expiration of credential cache (all good things).

[email protected] 56 points 3 weeks ago

I don't mind the extra layer of security, and actually prefer it. The only exception is when the site/service only allows SMS or email delivery, and won't let me use an auth app.