by xoa 1270 days ago
One of my major goals for 2023 is to migrate as much as feasible from passwords to tokens or at least passkeys. NitroKeys or YubiKeys for that. The process has already begun, but I definitely hope to see that accelerate big time (at long, long last) this year. Feels like there is serious industry momentum from the big players this time, and that cost, UX, and support in frameworks to make it easy for non-sec webdevs may all finally start to reach the tipping point. The US Government is on board now too, having dumped lots of obsolete, terrible advice for a refreshingly great set of modern guidelines and updating government service sites in general for good, uniform login with hardware token support. Ideally I'd like to see that become more universal for various web GUIs/access for services too (OPNsense in particular, which I now use for firewall/gateway services and is probably one of the more security-critical bits of my infra).

Passwords, though, will have a very long tail even in the most optimistic scenarios, so yes, password managers aren't going anywhere for a while yet. What I use right now is 1Password 7 with a slow migration towards Bitwarden clients and a self-hosted Vaultwarden server. I still have a standalone license and still have shared vaults in Dropbox; I will not be moving to the Electron-based 1P8. So end of the line on that decade+ journey I'm afraid. I'm disappointed with what happened with them, but so it goes. Bitwarden/Vaultwarden seem solid to me so far though, and have client support across a range of devices. Nebula or WireGuard make keeping a bunch of self-hosted services accessible in a reasonably secure way pretty easy, and almost more importantly, once set up they have been rock solid reliable for me. Wrapping my head around them and making sure I had it all figured out certainly took a bit of time early on, but once set up it's Just Worked™ without being touched a single time ever again. Having no specific third-party dependencies is attractive.

If you have family/friends/coworkers to deal with, though, obviously the needs of the group are going to have to factor in on some level, and you may find you need to either run a few different things or compromise somewhat/pay more.

1 comment

I have over 1,000 logins in Bitwarden. I got a new YubiKey last year and found maybe a dozen sites which support it.

I hope this is the year that WebAuthN goes mainstream - but it'll be a long time before a plurality of sites support it.

>I hope this is the year that WebAuthN goes mainstream - but it'll be a long time before a plurality of sites support it.

Oh for sure, like I said, passwords will undoubtedly have a long tail. Even more so for internal apps/hardware; I routinely deal with old stuff that I have to keep old browsers around to access since newer ones no longer will work, or re-enable old SSH negotiation or whatever. I'm just hoping 2023 is when we start to see a critical mass, and further that it ends up being a non-linear adoption curve that goes better than we might expect. If it becomes a standard checkbox item for insurance or security assessments or interacting with other companies/government and gets integrated as a default into widely used frameworks, it might go quicker. I also expect adoption not to be randomly distributed, with important tech services more likely to pick it up or use it already. If financial and medical do as well, then that'd hit a lot of the most vital ones even if it's not a plurality.

Realistically it'll probably take another few years after hitting the tipping point to truly ramp, since there are clearly remaining hardware and software rough edges to sand down/refine. But if 2023 proves the start of an S-curve I'll be happy.

Ah, this is what I wanted to hear about YubiKeys. The dozen sites that support it. It feels like a huge PITA to have two systems to log in with. I'll pass till it becomes more mainstream.