Security 2FA Passkey Authenticator apps
#1
Decided to look at improving password authentication. The whole setup is confusing, not helped by the fact I've got 1 Microsoft account, 2 Google accounts, 4 email addresses and 3 in-total Passkeys. I have a notebook full of username/passwords and Chrome has Google Password Manager showing dozens of saved passwords.
Additionally I use Chrome and Edge so I can be signed into 2 different accounts simultaneously.

Looking at various YouTube videos, there's talk of Authenticators by Google and Microsoft and others. It's a bit unclear how these fit into the scheme of things. Do they make things easier? Are they necessary?

Others talk about using SMS, email etc. as part of the 2-step process. A commentator suggested email to be slow while SMS wasn't totally secure.
Does a Passkey replace both these methods?

There must be countless people doing nothing about improving security. This thread might help quite a few.

Thanks for any thoughts on how to simplify, how to set up or just to get a better understanding.
#2
I'm not sure there is ever going to be a simplification of authentication mechanisms nowadays. But I'll add a few thoughts of my own.

Generally speaking, a username and password are no longer considered secure. 2FA is a mechanism to provide a 2nd tier authentication of a signin, in addition to the user/password credential. This can be done in several forms...

- An email to a previously registered email address
- A text to a previously registered mobile number
- An automated call to a previously registered landline/mobile number
- Requesting a code from a previously registered 2FA app, such as Authy, Microsoft's or Google's Authenticator app, etc.

Some organisations, e.g. Microsoft, seem to feel that passwords are no longer required and can be done away with completely going forward, in favour of 2FA, biometrics etc.

The problem these days is you can go through a myriad of these 2FA challenges just to complete a seemingly simple task like changing your recovery email.

Best advice is don't get hung up on the why, don't let the emotions get in the way - it is just a process you have to go through, as many times as the powers that be deem it necessary, for you to actually prove that you are, in fact, you. Ultimately it is for your own benefit to protect your own data...

Now on the subject of password managers, I have never been a fan of local password managers; on more than one occasion I have seen the database corrupt, rendering it useless... Browser password managers are as much as I will use, since they can be backed up to the online account (NEVER for banking/finance of course!), trusting it will be secure...

I do however use KEYPASS, which is a similar concept but is more like a digital vault for all sorts of data, passwords, files etc.

HTH
This world would be a perfect place if it wasn't for the people.

#3
Just set up the Microsoft Authenticator on my phone. It installed easily enough via Google Play, then I set up the account for the app. Had to turn on 2FA on the email first.

On a computer, when you enter your password it will give you a number; you open the phone, tap the corresponding number, approve, and away you go. There's an option to use a password instead, BUT that bypasses the app and sends a code that you have to approve via a std message.

So if anyone was trying to get in they would still need your phone to approve.
Upgrades = Old bugs replaced with new Bugs.
#4
Thanks for the great points. It helps a lot. Just reading the talk is helping.

I was able to confirm 2FA has not been turned on in any of my MS or Google accounts. However I have had to respond to SMS when logging in, so I wondered if this was Passkey. From memory it sends 3 numbers from which I must choose the correct one.

Anyway I went ahead and turned 2FA on for MS account. So far so good. I'll let that settle for a bit before I tackle the Google accounts.

Funny thing, today I was out socializing with a friend. I asked if he was using 2FA and he didn't know what it was. After describing it, he said yes, certain sign-ins used it.

Microsoft Authenticator looks very interesting. Studying.

#5
This is an example of what you get on the computer screen. On the Authenticator app, you would tap the same number / Approve - Done.


#6
Went into battle with 2FA on the Galaxy. I'd enter the number, get approval, then immediately be asked to sign in again. Over and over in a continuous loop.
Consequently I'm not in any hurry to do the Google accounts.
#7
Decided to bite the bullet. Move both Google accounts to 2FA.

The first 1 under Chrome browser went OK except Person 2 is the only profile listed. I think I solved it, created another profile. Plenty to go wrong of course.

Moved to Edge browser to tackle the 2nd Google account. Went to switch it to 2FA and boom, error 403, unknown something or other.
Anyway, scratching around I discovered there are 2 accounts with the same name. They are Brand accounts.
What's more, it's had 2FA since 2021.

I deleted 1 account and it appears to be happy.

Now I know why it sometimes wanted 2FA sign-in and other times not. No wonder I'm confused.

Passkeys
I see passkeys listed. Windows created Feb 16, 2024, last used Oct 22
Also Galaxy, not used yet, created by Android, no date.
Next thing is to find these. Should they pop up automatically? Or perhaps click "sign in a different way" or similar?

Thanks for any thoughts.

