TIL Proton dropped their maximum supported security keys (some time after mid-August 2024) from 8 to 4 keys?! (Notice the tiny "8 out of 4" label, because I had registered the maximum 8 keys)

I suspect my current config will be stable until I need to explicitly delete a key, in which case I won't be able to add a replacement unless I delete five keys. 😡

#MFA #SecurityKeys #FIDO2 #Proton

@tychotithonus What even is the point of limiting this to such a low number, anyway?

@kescher

Sometimes pure naive thinking -- that fewer keys = more attack surface (which poorly maps to some threat models, robbing the user of autonomy over those models).

Sometimes because there are (brief) performance thresholds, because the set of all potential keys is enumerated during the initial presentation of the key. Google's informal "starts to get materially worse for the user" (but not enforced) threshold is ten keys. I think there's a half-second delay with ten keys, IIRC.

@tychotithonus Storage is expensive, ya know!

@tychotithonus I've been pretty happy with Aegis (FOSS, Android only) if you're looking for a new authenticator.