• @xylogx
    8
    1 day ago

    It is hard to do well, which is why I worry. Google probably has the best overall account security; you could do worse than modeling after them.

    The short answer to your question is Passkeys. But you need a whole system of account recovery around them.

    • CubitOom
      -12
      1 day ago

      Oh, you can easily bypass passkeys with automation. Don’t even need an image recognition model, just a QR-code scanner like zbarimg.

      But I never tried Google's passkey feature since it never seemed as secure as a 48-char computer-generated password. So I'm not sure exactly how it works.

      • @[email protected]
        7
        1 day ago

        That’s a pretty wild claim. It almost sounds like you don’t know what a passkey is. Explain.

        • CubitOom
          -8
          1 day ago

          Oh, I don't know what it is, sorry, I thought I made that clear. But a quick search on the internet said it was basically 2FA with a QR code, and since the issue was how it would protect Lemmy from bots, I just thought it wouldn't be hard for a bot to read a QR code.

          • @Feathercrown
            7
            15 hours ago

            Bruh, that's gotta be one of the worst trains of thought I've seen recently, ngl. I don't even know how passkeys work and I know that. Based on your understanding, you could log into someone's account just by reading a QR code. Which of these is more likely:

            • The entire cybersecurity community mysteriously and completely forgot that machines can read QR codes (which is, by the way, literally the entire purpose of a QR code)

            • You don’t understand how passkeys work

            How arrogant do you have to be?

            • CubitOom
              -2
              14 hours ago

              Well again, the claim was that somehow passkeys would stop Lemmy from being flooded by bots.

              So in that situation, we aren't talking about hacking. We are simply talking about whether a login could be triggered programmatically. So if Lemmy required passkeys to be used instead of passwords, and if the passkeys required scanning a QR code to sign in, I imagine it would provide minimal disruption to an automated login.

              Now, if the passkeys somehow enforced a real human to do something that only a human could do, then yes, it would stop an automated registration/login. However, if it's possible to automate, then it wouldn't stop bots.