by sam_lowry_ 1098 days ago
A 2nd reason not to use 2FA is the "privatization of authentication".

Previously you had only the login and the password. Now you need a phone and likely an app on the phone.

This whole push for 2FA is actually a push against individual password managers where users generate long cryptographically secure passwords.


Bitwarden and KeePassXC support adding TOTP tokens to an account entry, allowing you to use only the password manager for authentication, with no secondary device or application necessary.

The world is too complicated for me to learn about how TOTP works, who supports it, how smartphones work, how a password manager works, etc. All I want is the ability to use login/password with neither extra knowledge nor extra property nor extra installed software (cookies, password manager) on the computer I am accessing the website from. Let 2FA remain for those who really want it, as it was 10 years ago.

And that is important. Usability and simplicity are important for adoption. Every security layer we add does in fact strip away a layer of convenience.

In my opinion, learning to use a password manager has effectively eliminated dozens if not hundreds of passwords and user names that I would have had to remember and all I need to remember is my one password manager password and everything gets copied and pasted in automatically. Even easier on my phone with FaceID unlocking the vault.

But it is still a complication and disruption to previous sign in flows that I had to adapt to and maintain.

> learning to use a password manager has effectively eliminated dozens if not hundreds of passwords

Generating passwords properly gets rid of the need for any password manager while each password stays unique. It is useful if most of my internet devices don't have any password manager available (for example, any BlackBerry/Symbian/Opera Mini).

Absolutely, which is why I use a custom diceware list to generate the few dozen passwords between work and home that I have to manually type out, such as my computer logins, phone, etc. It drives my wife crazy that I use random strings of words, numbers and symbols for our shared accounts. The password manager is highly effective at creating even stronger passwords and managing the 50+ accounts that I can copy and paste the information into, such as this Hacker News account. It even serves as a safe place to save passwords that I rarely use and could otherwise forget.

What do you do if you need to change the password for a site, such as a site that enforces password age limits or a site that has had a leak that exposed passwords?

Just add a # symbol to the end. If you have an age limit for a password, it is a way to know how many old passwords the system remembers.
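As an added illustration, not from any commenter above, of the "generate rather than store" approach discussed in this thread, and of rotating such a password with a counter instead of a suffix: a deterministic per-site derivation in Python. The master passphrase, site names, character set and parameters (PBKDF2-HMAC-SHA256, 100,000 iterations, 20 characters) are assumptions chosen for the example.

```python
import hashlib
import string

# Assumed character set for the derived passwords (constructed for this example).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def derive_password(master: str, site: str, counter: int = 0, length: int = 20) -> str:
    """Derive a unique, reproducible password for `site` from one master passphrase.

    Nothing is stored: the same master, site and counter always yield the same
    password, so each device only needs the master passphrase, not a vault.
    """
    # The salt binds the result to the site and to a rotation counter. Bumping the
    # counter (after a leak or an expiry policy) gives an unrelated password rather
    # than a predictable variation on the old one, e.g. a "#" appended to the end.
    salt = f"{site.lower()}|{counter}".encode()
    # Assumed cost: 100k iterations of PBKDF2-HMAC-SHA256; 40 bytes of output is far
    # more entropy than 20 alphabet characters need, so the base conversion below has
    # negligible modulo bias.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=40)
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def character_classes(password: str) -> set:
    """Report which classes a derived password contains, for checking site rules."""
    classes = set()
    for c in password:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


if __name__ == "__main__":
    # Constructed sample inputs; not real credentials.
    master = "correct horse battery staple"
    for site, counter in [("example.com", 0), ("example.com", 1), ("example.org", 0)]:
        pw = derive_password(master, site, counter)
        print(f"{site} (rotation {counter}): {pw}  classes={sorted(character_classes(pw))}")
```

Every derived password depends on the master passphrase alone, so its strength and secrecy bound the whole scheme, and the counter for each site still has to be remembered or written down once it is bumped.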