But this is actually good. I don’t get the complaints. Choose whichever 2nd factor suits you (preferably passkeys), but SMS give a false sense of security
That’s ok, I heard you can get all the mickeysoft keys on GitHub anyhoo.
Not used to seeing headlines about Microsoft making good decisions. Isn’t that against company policy or something?
SMS authentication is bad and everyone knows that, on the other hand when they try to remove it they also push their shitty apps instead of using a unified and open authenticator like Aegis. If I don’t use a smartphone how they like or don’t use one at all, they lock me out. It’s already a fricking dystopia.
SMS mfa is so bad. Killing it off is worth the cost.
Bullshit. Killing off SMS mfa just forces everyone into walled gardens
Only if they are getting rid of one time code style applications as well. As of today I am still able to use my non Microsoft fully open source authenticator (aegis).
Provided the website implements some sort if TOTP, otherwise they just want you to add another app to your phone. I’d be fine with MS’s bs authenticator if it would work without network access.
Oops added my own comment didn’t see that, but yeah you can use whatever authenticator you want with it although they suggest their own or used to. Recent changes to their authenticator recently could have removef TOTP.
I’m just not a fan of giving them another datapoint. Between me, microsoft, and the government in the room, we’re all systems, let’s swap secrets and I’ll generate my own code instead of them sending it to me. Just seems safer all around, but I’m resistant to change sometimes. For now TOTP still works with most of my MS accounts, one is forced to a damn yubikey though (not really against a hardware token but sometimes use can be limited).
Honestly I love my yubikey and I prefer it to passkeys any day of the week. Proton pass made passkeys less annoying, but I still hate them.
the extra work this will no-doubt create for me might pay the rent for a couple months. but still, i’d rather it be opt-in, not forced upon users or them being tricked into it.
Passkeys are objectively better. They close the phishing attack vector. Depending on the site they remove the need to use a password at all. Different sites do different things.
- GitHub: Passkey only
- Amazon: Passkey -> SMS/Authenticator 2FA
- Google: Password -> Passkey 2FA (one of the options)
Not really comparable. Passkeys don’t replace 2FA. You need to bootstrap passkeys with 2FA.
Google allows for them to be used for 2FA.
You can use them for the password also which I didn’t know. You have to choose sign in another way to get the option.
That’s after you already have a passkey. I don’t think you can create a passkey without a different form of 2FA. At least…you shouldn’t be able to, because that would kind of defeat the purpose.
I think most people do not like them because the default is to let your OS store them, device locked, in a TPM.
More password managers need to support them. I store all mine in Bitwarden although given what seems to be going on there I don’t think I can recommend them anymore.
a password, and the concept, are also easier to comprehend. passkeys for most is just fairy dust and magic.
another consideration is something you have or something you are are different from something you know. phishing and hackers or scammers are not the only dangers to protect yourself from.
passkeys for most is just fairy dust and magic.
I suspect this is why Microsoft is forcing users into it. Not that I agree with or am defending that decision.
I can’t stand being forced into magic link email logins which are designed to also deal with phishing. Takes longer to login compared to Passwords+TOTP or Passkeys and email isn’t exactly private for the majority.
They aren’t magic. Its the same cryptographic signature primitive seen in applications like PGP or blockchains/cryptocurrencies.
I agree to most users they feel magical and are more difficult to reason about. You still “have” a private key stored on the device, but its invisible to the user, so it’s not something you “know”.
My passkeys are stored on my phone, I just scan a QR code and they’re sent over to the PC for that login. I’ve never seen the default on Windows be anything but this.
Yeah I need to check out vaultwarden. Huge disappointment as its been a great product, but I’m not liking where the recent website changes are heading.
Every website should’ve done this like ~7 years ago. It’s taking far too long for web developers to adopt this. We still got websites adding fucking SMS in 2026.
Eventually they’re going to make me learn Linux. I really don’t want to spend the time and effort learning a new system and messing with troubleshooting.
Plus I only look use it for Steam and internet.
Been there, now on Bazzite. 2 years now. I still didn’t learn anything, and that’s a good thing.
haha!! this is the perfect review
Passkeys are worth learning. Linux / GrapheneOS (de-googled Android) only household. This isn’t some Microsoft thing they are trying to push.
Passwordless logins (or 2FA depending on the site). Uses the same public key cryptography primitives that pretty much the whole internet is built upon.
Way more secure than passwords. The secret is never sent to the server you are logging into while passwords are which makes you a phishing target (noteable exception is opaque-ke). Users are trained to make crappy passwords and with passkeys there is nothing to memorize.
The big commercial operating systems I’m pretty sure all support storing them with cloud syncing across your devices.
If you care about privacy, password managers like BitWarden can handle them as well.
Not sure if vaultwarden (self-hosted BitWarden) stores them if you don’t trust any cloud provider.
Vaultwarden handles them just fine. Was a nice surprise feature
Awesome! With the recent direction BitWarden is going, I’ll be switching soon then to self-hosted.
Unless you’re playing competitive multiplayer games with kernel level anticheat, you’re the perfect candidate for Bazzite Linux. It is as hands off as Linux can be, the year I spend with Bazzite I never used the terminal. You can even install Microsoft Edge if you miss the windows experience. But wait till you’re ready or you’ll have a bad experience, not because it’s hard or anything but the workflow is a bit different.
Bazzite is based on Fedora and both are very well optimized for modern gaming. Learning curve is maybe 2 weeks. It’s never been easier.
https://www.makeuseof.com/using-bazaar-on-bazzite/
Unless you’re running 32bit hardware, but win 11 won’t run on that anyways…
Mint got ya covered, brother.
Now do Apple.
Oh, we’re supposed to have Micro$lop accounts?
