Open evolve2k opened 4 months ago
First off, thanks for opening this issue and sorry for the delay in responding. I think it's a good issue to discuss and wanted to take some time to write up my thoughts on this.
In some ways I agree; Passkeys are a bit of a disaster UX-wise, at least at the moment. Adoption of the full "Passkey" login has not been great, and it's definitely confusing for users. But while I can't predict Passkey adoption with consumers, for more security-focused users (enterprise/corporate) it's already the standard (hardware keys via WebAuthn).
Even as bad as the Passkey UX is, there's no way I could recommend TOTP in 2024 for most users.
If you've got a user's email and security concerns are low, I think sending them a magic link is probably as safe for most users as TOTP, easier to use and easier for developers to implement (no need to encrypt and manage shared secrets and users don't need a separate app).
For users in more security-critical roles, WebAuthn/Passkeys are the solution, while OTP is actually a liability ^1.
From personal experience I've moved every provider I can to Passkeys and haven't had much trouble. However, it's clear from adoption rates that Passkeys are still not great for many users. But I think that's starting to change. For users with a password manager, like 1Password or Bitwarden (the beta on TestFlight just added this on iOS and it works great), it's incredibly easy to use Passkeys now. It mostly just works, and works well.
While I think Passkeys still have many UX issues to solve, falling back to TOTP isn't an option. Put simply, if security is a big concern for your organization, YOU SHOULD NOT BE USING TOTP, or any OTP for that matter. For users that just want a simple 2FA solution, I think you'd be better off just using a simpler solution like magic links.
Currently the README implies that WebAuthn/Passkeys are the way forward. Consensus in 2024 is that passkeys/WebAuthn is a shattered dream. Related Front Page discussion on HN.
"The biggest issue with passkeys is that I just can't trust the companies offering them" -- Top comment on HN
Request that this front matter is removed and the section on this moved further down the README, maybe including that issues around passkeys/WebAuthn are still being resolved and that there is still no mass adoption of this approach.
MFA TOTP remains best practice for password security in 2024 and this project is doing excellent work in this space.