@Tutanota : rubbish.

Two WEAK locks may be LESS pointless than one WEAK lock, but they're still pointless. Go read https://www.csoonline.com/article/4147134.

U2F has been superseded by FIDO2 (hardware keys in WebAuthn mode) and Passkeys (example in Dutch: https://todon.nl/@ErikvanStraten/116285192238090438).

Both WebAuthn methods have advantages and disadvantages.

If you don't like them, use a trustworthy passwordmanager and:

• Let it create a unique, random, as long as possible, pw per account

• Make backups of the pw mngr database

• Device compromise means "game over"

• Use Autofill (easy in Android and iOS/iPadOS)

• If Autofill does not automatically retrieve your credentials, it probably is a fake (phishing) website. Do read https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/

Please stop misinforming people.

#WeakMFAsucks #Weak2FAsucks #FIDO2 #WebAuthn #Passkeys #AutoFill #KeePassium #KeePassDX

🧵1
Draadje met screenshots: passkey aanmaken en gebruiken om in te loggen - gebruikmakend van de KeePassDX als wachtwoordmanager onder Android.

Als eerste moet de app KeePassDX zijn geïnstalleerd (https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) en geconfigureerd (dat beschrijven voert te ver voor deze serie toots). Als enige: in de hoofdpagina van de database heb ik "mappen" aangemaakt met als namen "0-9", "ABC", "DEF" etc. om de zaak overzichtelijk te houden (zie de screenshot hieronder).

Daaronder maak ik, per website, een submap aan (met de naam van die website zonder eventueel voorafgaande "www.").

#KeePassDX #Android #AutoFill

@maaikees : unfortunately, no. If such a solution would exist, spammers and phisher-(wo)men would immediately start using it.

Using an email provider with a good reputation *or* (evil) big tech is your best bet.

Note: when switching email provider, first make a list of *all* websites where you have an account, either with the old email address as user-ID or another user-ID but where the old email address can be used for password resets.

It's okay to create a new email address (using another provider and domain name), but do not close your old email account until it has been removed (or replaced by your new address) from all websites where it may be used to authenticate you.

My advice: use a password manager (*). Apart from other advantages, if you record in it every site where you enter your email address, you'll have a nice overview of sites that know your email address.

(*) Full list of tips:
Dutch: https://security.nl/posting/912904

English: see the list in https://todon.nl/@ErikvanStraten/115611078608008423

#PasswordManager #AutoFill #PhishingPrevention #Phishing