this post was submitted on 08 Mar 2025
707 points (97.8% liked)
Technology
64938 readers
4924 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I love Lemmy and Voyager and the Fediverse. That said, if it were to become mainstream I forsee some problems. The fact that the login relies on only passwords is pretty terrible. Also, this makes the service vulnerable to bots, sock puppet accounts, brigading, etc.
Lemmy supports 2FA lol.
(At least on the web UI it does)
What would you propose replace passwords to not be susceptible to those things?
I personally like how secure and non intrusive passwords are, especially when using a self hosted password manager synced with git.
Passkeys are much better. Unlike what FAANG companies want you to believe, they do not have to be tied to a device. Use a password manager that supports them (BitWarden) and pretty much never get hacked again because of a password. Website doesn’t need to store anything that an attacker can use. No downside.
Any recommended reading for pass keys to get me up to speed? I use Bitwarden and have been happy enough with just passwords via that for a long time now. Only time I've seen pass keys mentioned really was Google trying to push it on me but I don't use their password manager.
A passkey is a public/private key pair used instead of a password. You store the private key, and the website stores the public key. Data encrypted with the public key can only be decrypted by the private key, and vice-versa.
This means you can share the public key freely with the website, and even if they get hacked and the public keys are stolen, they’re useless.
When you log in, they send you a challenge encrypted with the public key, and since you hold the private key, you can decrypt it, create a response to it, re-encrypt it with the private key, and send the response to the website; which then decrypts it with the public key to verify it.
The initial spec was that each device would have its own passkey and store it in a TPM (that thing Microsoft requires your computer to have for Windows 11), which is a secure memory storage location that only the kernel can access.
However BitWarden is also able to store them and make them portable. (I think the standard was loosened to allow for this? But don’t quote me on that.) So, now you can have one passkey for the site and it works anywhere you can use BitWarden’a browser extension.
TLDR: more secure than a password, nothing to forget, stops passwords being stolen.
2FA support would be better
Lemmy does support 2fa
oh. Nevermind then. I think this should be enough. maybe OpenID Connect support would be nice
It is hard to do well which is why I worry. Google probably has the best overall account security, you could fo worse than modeling after them.
The short answer to your question is Passkeys. But you need a whole system of account recovery around them.
Oh, you can easily bypass passkeys with automation. Don't even need an image recognition model, just a QR-code scanner like
zbarimg.But i never tried googles passkey feature since it never seemed as secure as a 48 char computer generated password. So I'm not sure exactly how it works.
Go read the FIDO threat model if you want to understand how it protects against specific attacks. It is pretty secure.
https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-security-ref-v2.0-id-20180227.html
That’s a pretty wild claim. It almost sounds like you don’t know what a passkey is. Explain.
Oh I don't know what it is, sorry I thought I made that clear. But a quick search on the internet said it was basically 2fa with a qr code and since the issue was how it would protect Lemmy from bots I just thought it wouldn't be hard for a bot to read a qr code.
Bruh that's gotta be one of the worst trains of thought I've seen recently ngl. I don't even know how passkeys work and I know that. Based on your understanding, you could log into someone's account just by reading a QR code. Which of these is more likely:
The entire cybersecurity community mysteriously and completely forgot that machines can read QR codes (which is, by the way, literally the entire purpose of a QR code)
You don't understand how passkeys work
How arrogant do you have to be?
Well again, the claim was that somehow passkeys would stop Lemmy from being flooded by bots.
So in that situation, we aren't talking about hacking. We are simply talking about if a login could be triggered programmatically. So if Lemmy required passkeys to be used instead of passwords. And if the passkeys required scanning a QR code to sign in. I imagine It would provide minimal disruption to an automated login.
Now if the passkeys somehow enforced a real human to do something that only a human could do, then yes it would stop an automated registration/login. However if it's possible to automate then it wouldn't stop bots.