Comment by 🦋 CarloMonte
@repeater my point was that TOTP-based 2FA using a password manager (not an authenticator APP) which *you* control and which is in *your* backup (data at rest) sounds like a very good idea to me. One can often avoid getting into the situation where one is locked out of basic services.
2025-07-06 · 10 months ago
1 Later Comment
🦂 zzo38 · 2025-07-06 at 19:26:
I do not really like 2FA so much at all, and it also does not help as much with API keys, which often do not use 2FA. I think X.509 client authentication will be better. This allows for many things including partial delegation of authorization, operating on behalf of others (if authorized by them), and the private key can be passworded, which means that you can require a second factor. With username/password, the authentication can be stolen permanently; with TOTP, the authentication can be stolen for one minute; with X.509, it cannot be stolen. (For some things, other methods such as HMAC or digitally signed releases will work better than using TLS with X.509, though.)
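Added example for the two comments above (it is not code posted by CarloMonte or zzo38): a minimal RFC 6238 TOTP generator and verifier in Python. It shows what a password manager actually stores (the base32 seed, decoded with `decode_base32_secret`) and puts a number on zzo38's "stolen for one minute": `accepted_until` computes the last second at which a captured code still passes a verifier that tolerates one step of clock skew, and `TotpVerifier` adds the server-side check that refuses a second use of the same counter. The seed `JBSW Y3DP EHPK 3PXP` and the timestamps are constructed for the demo; nothing here is tied to a real account.

```python
"""TOTP (RFC 6238) generation and verification, with a bounded replay window.

Added illustration of the thread above; not code posted by CarloMonte or zzo38.
"""
import base64
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP: HOTP with the counter derived from Unix time `at` divided by `step`."""
    return hotp(secret, at // step, digits, algo)


def decode_base32_secret(seed: str) -> bytes:
    """Decode the base32 seed a password manager stores (from an otpauth:// URI or QR code).
    Spaces and missing '=' padding are tolerated, since most apps emit seeds unpadded."""
    seed = seed.replace(" ", "").upper()
    seed += "=" * (-len(seed) % 8)
    return base64.b32decode(seed)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the matching counter if `code` is valid at time `at` within +/- `window`
    steps (clock-skew tolerance), else None. The comparison is constant-time."""
    for drift in range(-window, window + 1):
        counter = at // step + drift
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def accepted_until(captured_at: int, step: int = 30, window: int = 1) -> int:
    """Last Unix second at which a code captured at `captured_at` still verifies
    under a verifier using `window`: the end of the last step that looks back to it."""
    return (captured_at // step + window + 1) * step - 1


class TotpVerifier:
    """Server-side verifier that also refuses replay: a counter is accepted at most once,
    and only if newer than the last accepted one (as RFC 6238 section 5.2 recommends)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1

    def check(self, code: str, at: int) -> bool:
        counter = verify_totp(self.secret, code, at, self.step, self.digits, self.window)
        if counter is None or counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True


if __name__ == "__main__":
    # Constructed seed, as it would sit in a password-manager entry (not a real account).
    secret = decode_base32_secret("JBSW Y3DP EHPK 3PXP")
    captured_at = 1_700_000_000
    code = totp(secret, captured_at)
    print("code at capture:", code)
    print("still accepted until:", accepted_until(captured_at),
          "(", accepted_until(captured_at) - captured_at, "s after capture with window=1 )")
    v = TotpVerifier(secret)
    print("first use:", v.check(code, captured_at))
    print("replay   :", v.check(code, captured_at + 5))
```

With a 30-second step and a one-step window, a captured code stays usable for 30 to 59 seconds depending on where in its step it was taken, which is the "about one minute" exposure zzo38 describes; the `TotpVerifier` last-counter check shrinks that further to a single use, so a sniffed code is only useful if the attacker submits it before the legitimate user does.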
Original Post
Say no to SMS — SMS is simple, SMS is convenient! Or so ðey said. And now I can’t log in to anything or confirm anything ðat requires SMS because ðey arrive half an hour late and ðe code is already invalid by ðat time. Niiiiiiice 🐱☕ I wish people stopped pretending login and password is some rocket science ðat nobody is capable of understanding; it only helps corporations to siphon more data 🤷
💬 9 comments · 2 likes · 2025-07-05 · 10 months ago · #internet #SMS