by doubled112 808 days ago
I liked the username, password and TOTP combination. I could choose my own password manager, and TOTP generator app, based on my preferences.

I have a feeling this won't hold true forever. Microsoft has their own authenticator now, Steam has another one, Google has their "was this you?" built into the OS.

Monetization comes next? "View this ad before you login! Pay 50c to stay logged in for longer?"

Passkeys are an open standard with multiple implementations. It represents the opposite of the trend you're worried about there.
MS Azure Active Entra's FIDO2 implementation only allows a select list of vendors. You need a certification from FIDO ($,$$$), you need to have an account that can upload on the MDS metadata service, and you need to talk to MS to see if they'll consider adding you to the list.

It's not completely closed, but in practice no one on that list is a small independent open source project; those are all the kind of entrenched corporate security companies you'd expect.

But the way it is designed, you can require a certain provider, and you can bet at least some sites will start requiring attestation from Google and/or Apple.
Do they do attestation by default? I thought for Apple at least that was only a feature for enterprise managed devices (MDM). Attestation is also a registration-time check, so doesn’t necessarily constrain where the passkey is synced to later on.
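To make the "registration-time check" point concrete, here is an added example (not code from the thread or from any vendor) that parses WebAuthn authenticatorData and applies a provider allowlist keyed by AAGUID. The AAGUID only exists inside the attested credential data, which is present when the AT flag is set, i.e. during registration; an assertion sent at a later sign-in has the same 37-byte prefix and nothing after it, so the policy has nothing to check there. The AAGUID value, the provider name and the sample bytes are all made up for the example. Note also that without verifying the attestation statement's signature against the vendor's attestation certificate (typically via the FIDO MDS), the AAGUID is merely self-reported by the authenticator; this example stops at the parse and the lookup.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Flag bits of the WebAuthn authenticatorData "flags" byte.
const (
	FlagUP = 0x01 // user present
	FlagUV = 0x04 // user verified
	FlagAT = 0x40 // attested credential data follows (set only at registration)
)

// AuthData is the fixed prefix of authenticatorData plus, when AT is set, the
// attested credential data. The COSE public key that follows is left unparsed.
type AuthData struct {
	RPIDHash  [32]byte
	Flags     byte
	SignCount uint32
	AAGUID    string // UUID text; empty when the AT flag is clear
	CredID    []byte
}

// ParseAuthData decodes rpIdHash(32) | flags(1) | signCount(4, big-endian) and,
// if AT is set, aaguid(16) | credIdLen(2, big-endian) | credId.
func ParseAuthData(b []byte) (*AuthData, error) {
	if len(b) < 37 {
		return nil, errors.New("authenticator data shorter than 37 bytes")
	}
	ad := &AuthData{Flags: b[32], SignCount: binary.BigEndian.Uint32(b[33:37])}
	copy(ad.RPIDHash[:], b[:32])
	if ad.Flags&FlagAT == 0 {
		return ad, nil // an assertion: no AAGUID is present at all
	}
	rest := b[37:]
	if len(rest) < 18 {
		return nil, errors.New("attested credential data truncated")
	}
	n := int(binary.BigEndian.Uint16(rest[16:18]))
	if len(rest) < 18+n {
		return nil, errors.New("credential ID truncated")
	}
	u := rest[:16]
	ad.AAGUID = fmt.Sprintf("%x-%x-%x-%x-%x", u[0:4], u[4:6], u[6:8], u[8:10], u[10:16])
	ad.CredID = append([]byte(nil), rest[18:18+n]...)
	return ad, nil
}

// AllowedProviders is a hypothetical allowlist keyed by AAGUID. The entry is made
// up for this example; real AAGUIDs come from the FIDO MDS or vendor documentation.
var AllowedProviders = map[string]string{
	"0a1b2c3d-0000-4000-8000-000000000001": "Hypothetical Passkey Provider",
}

// CheckProvider is the registration-time policy: it needs attested credential
// data, which an assertion never carries, so it cannot constrain later sign-ins.
func CheckProvider(ad *AuthData, allowed map[string]string) (string, error) {
	if ad.Flags&FlagAT == 0 {
		return "", errors.New("no attested credential data: not a registration")
	}
	if ad.AAGUID == "00000000-0000-0000-0000-000000000000" {
		return "", errors.New("authenticator reported an all-zero AAGUID")
	}
	name, ok := allowed[ad.AAGUID]
	if !ok {
		return "", fmt.Errorf("AAGUID %s is not an allowed provider", ad.AAGUID)
	}
	return name, nil
}

// buildAuthData constructs sample authenticatorData for rpId "example.com";
// the bytes are made up here, not captured from a real authenticator.
func buildAuthData(flags byte, aaguid, credID []byte) []byte {
	h := sha256.Sum256([]byte("example.com"))
	b := append(h[:], flags, 0, 0, 0, 1) // signCount = 1
	if flags&FlagAT != 0 {
		b = append(b, aaguid...)
		b = append(b, byte(len(credID)>>8), byte(len(credID)))
		b = append(b, credID...)
		b = append(b, 0xa0) // where the CBOR COSE key would go; an empty map here
	}
	return b
}

// SampleRegistration carries attested credential data with the allowlisted AAGUID.
func SampleRegistration() []byte {
	aaguid := []byte{0x0a, 0x1b, 0x2c, 0x3d, 0, 0, 0x40, 0, 0x80, 0, 0, 0, 0, 0, 0, 1}
	return buildAuthData(FlagUP|FlagUV|FlagAT, aaguid, []byte("cred-0001"))
}

// SampleAssertion is what a later sign-in sends: same prefix, no AAGUID.
func SampleAssertion() []byte { return buildAuthData(FlagUP|FlagUV, nil, nil) }
```

Running `CheckProvider` over `SampleRegistration()` returns the allowlisted name, while the same call over `SampleAssertion()` fails with "not a registration". That is the whole asymmetry the comment above describes: a relying party can gate which provider may create a credential, but nothing in a later assertion tells it where that credential has since been synced.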
Because that worked so well for OpenID. If you're lucky, you have the choice of which BigTech account you can use.
TOTP has substantial security gaps that make it a non-starter.

Maybe a pubkey system where you choose your own client would be what you’re looking for?

TLS Client Certs (aka mTLS) are an option for that, but the browser UI stuff for it is terrible and getting worse.
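As an added illustration of the "pubkey system where you choose your own client" idea, the example below (written for this page, not taken from the thread or from any project) runs a complete mTLS exchange in-process with Go's standard library: it mints a private CA, a server certificate and a client certificate, then has the server demand and verify the client certificate and read the authenticated identity from it. The CA name, the "localhost" server name and the "alice@example.test" client identity are assumptions for the demo; the `must` helper panics where real code would return the error. The second call, with no client certificate, is the one to watch: the server refuses the handshake outright instead of falling through to an unauthenticated session.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must keeps the demo short: it panics where real code would return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and a certificate for it. The CA signs itself;
// every other certificate is signed by parent (the CA).
func issue(cn string, isCA bool, dns []string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; real CAs use random serials
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	signer, signerKey := tmpl, any(key)
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// NewPKI returns a private CA plus a server and a client certificate it issued.
// The client certificate stands in for the credential a user would bring.
func NewPKI() (ca *x509.Certificate, server, client tls.Certificate) {
	root := issue("demo-ca", true, nil, nil)
	return root.Leaf, issue("localhost", false, []string{"localhost"}, &root),
		issue("alice@example.test", false, nil, &root)
}

// Handshake runs one TLS 1.3 exchange over loopback TCP and returns the identity the
// server took from the verified client certificate; with presentClientCert false it must fail.
func Handshake(ca *x509.Certificate, server, client tls.Certificate, presentClientCert bool) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // demand a client cert and verify its chain
		ClientCAs:    pool,                           // only this CA may vouch for a client
		MinVersion:   tls.VersionTLS13,
	}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS13}
	if presentClientCert {
		cliCfg.Certificates = []tls.Certificate{client}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	clientErr := make(chan error, 1)
	go func() {
		raw, err := net.Dial("tcp", ln.Addr().String())
		if err != nil {
			clientErr <- err
			return
		}
		defer raw.Close()
		clientErr <- tls.Client(raw, cliCfg).Handshake()
	}()
	raw, err := ln.Accept()
	if err != nil {
		return "", err
	}
	defer raw.Close()
	srv := tls.Server(raw, srvCfg)
	if err := srv.Handshake(); err != nil {
		return "", fmt.Errorf("server: %w", err) // e.g. "tls: client didn't provide a certificate"
	}
	if err := <-clientErr; err != nil {
		return "", fmt.Errorf("client: %w", err)
	}
	// Verified against ClientCAs inside Handshake, so the subject is an authenticated identity.
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

`Handshake(ca, server, client, true)` returns "alice@example.test"; `Handshake(ca, server, client, false)` returns an error from the server side. The identity comes out of the verified chain, not from anything the client typed, which is the property the thread is after; what the example cannot fix is the part the comment complains about, namely that browsers give users no comfortable way to pick and present such a certificate.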
I couldn’t imagine trying to train the general public to use mTLS and deploy that system.

I’m not even sure it is difficult. Most people I’ve talked to in tech don’t even realize it is a possibility. Certificates are “complicated” as they put it.

> Google has their "was this you?" built into the OS.

Not only that, but it's completely impossible to disable or remove that functionality or even make TOTP the primary option. Every single time I try to sign in, Google prompts my phone first, giving me a useless notification for later, and I have to manually click a couple of buttons to say "no I am not getting up to grab my phone and unlock it for this bullshit, let me enter my TOTP code". Every single time.