[KomoD]

> Now do the same with GitHub and compare the experience. They've made merely logging in such a massive pain in the ass that somehow goes beyond the anticipated pain around "here's a forced 2FA workflow you didn't ask for but have to run through, anyway".

I don't agree, in my opinion it's easier than logging into HN because Github has passwordless auth with passkeys.

I don't even have to enter a username, I just click "Sign in with a passkey" and use my passkey and then I'm logged in, no "forced 2FA workflow"

[cxr]

Those passkeys that you and GitHub are talking about require a separate authenticator to use.

> no "forced 2FA workflow"

What does "2FA" stand for?

> it's easier than logging into HN

You have your thumb on the scale (which seems to happen every time someone criticizes GitHub). You have already indicated a willingness/desire to use an authenticator. At that point, there is literally nothing stopping the authenticator from providing the exact same user experience, where instead of releasing your "passkey", it provides your password to HN's login form. And oh wait that's exactly how scores of password managers work, including the ones that are built in to every mainstream browser. (If you're somehow using one that for whatever reason doesn't do that, then it's self-inflicted, which is exactly opposite to the case of the forced 2FA flow that GitHub imposes.)

This is without even mentioning that you have to set all this up.

[KomoD]

> What does "2FA" stand for?

Two factor authentication, I'm sure you can google it.

> The passkeys that you (and GitHub) are talking about require a separate authenticator to use.

I'm not using anything other than my browser.

> You have already indicated a willingness and desire to use an authenticator

I'm only using my browser, it was 1 click.

> This is all before we even mention that you have to set all this up.

Yeah, once (which doesn't take longer than 15-20s), just like registering on HN, you do it once.

Also as I stated it's my opinion, having a different opinion doesn't make me dishonest

[satvikpendem]

> Two factor authentication, I'm sure you can google it.

The question was rhetorical, they are showing how a passkey is also a form of 2FA.

[Ferret7446]

It's not, though. The passkey itself is strictly a single factor. That's kinda the point, to reduce user toil.

Your passkey could have 2FA locally (e.g., a Yubikey with a PIN), but that is up to your discretion. It may be single factor.

[cxr]

> It's not, though. The passkey itself is strictly a single factor.

The passkey alone is not sufficient to log in. You must also provide a successful response to the WebAuthn challenge from an authenticator that has been registered/configured with that passkey.

> That's kinda the point, to reduce user toil.

It's almost as if letting people elect to enter their secure, never-written-down-anywhere-else passphrase would accomplish that.

[cxr]

> ["2FA" stands for] Two factor authentication

Great. Now go ahead and try to argue the indefensible position that relying on an authenticator to supply a passkey is somehow not a form of two-factor auth.

> I'm not using anything other than my browser.

... as your authenticator. The fact that you're using your browser and its built-in support for this as your authenticator but are using the term "browser" when you're talking about it instead of the word "authenticator" (GitHub's term—here's their documentation about authenticators, which I'm sure you could have Googled: <https://docs.github.com/en/authentication/authenticating-wit...>) doesn't change its role.

> (which doesn't take longer than 15-20s)

Aside from the fact that the ~5 seconds that it takes to create an HN account is not even the same as the 15–20 second estimate that you're offering here, there's the minor problem that that estimate is bogus.

You are simply not being honest in your reckoning of the respective costs. Here's GitHub's own documentation for the process of adding a passkey to your account:

<https://docs.github.com/en/authentication/authenticating-wit...>

(I'm sure you could have Googled it.)

> as I stated it's my opinion, having a different opinion doesn't make me dishonest

Stating your opinion doesn't make you dishonest, but arguing about things that are matters of fact and not opinions—measurable, quantitative things—and doing it with bad quantities chosen in a dishonest way is, in fact, dishonest.

Here's the Wikipedia article about intellectual dishonesty:

<https://en.wikipedia.org/wiki/Intellectual_dishonesty>

I'm sure you could have Googled it.