by type_Ben_struct 811 days ago
I’m still disappointed by Apple's implementation of security keys. I want to be able to prevent all 2FA methods other than security keys, but it still seems possible in certain flows to authorise a new login with another iOS device, making it vulnerable to this attack.
3 comments

Interesting. I was contemplating moving to security keys (which according to the setup flow "replaces verification codes"), but IIUC you're saying one can still fall back to verification codes in some flows?
Just change over to using HSMs instead of push.

https://support.apple.com/en-gb/HT213154

If I were doing something that needed heavy security, but I'm just a boring average Joe. My critical accounts are protected by TOTP on one (backed up) device only; other things are kind of "good enough" with passkeys and passwords. If I ever become a criminal mastermind or double agent I'll probably dive into such methods, though.
YubiKeys aren't HSMs; Yubico sells an HSM, though.

https://www.yubico.com/product/yubihsm-2-series/yubihsm-2-fi...

What flows have you found not to use security keys?
All of them.