App based 2FA is better. Either the app generates a time based code that you enter into the site or the site sends a push notification to the app asking you to verify the login attempt.
Passkeys are good too as they replace the password completely and leave the 2FA part to the device.
If it’s alright with your threat model, you can put the time-based OTPs into your password manager of choice, like Bitwarden. Upon filling your username and password, it places your OTP in your clipboard, so that you can simply paste it in. This does of course reduce the security of the system slightly, since you centralize your passwords and your OTPs. When opting for this method, it is therefore imperative to protect your password manager even more, like via setting up 2FA for the password manager itself or making sure your account gets locked after something like 10 minutes of inactivity. The usability aspect is improved by using a yubikey or another similar physical key technology.
What’s the best alternative?
TOTP, FIDO2 or not worrying about logins and just using {GitHub,Google,Microsoft,selfhosted.lan} as identity provider with OIDC
App based 2FA is better. Either the app generates a time based code that you enter into the site or the site sends a push notification to the app asking you to verify the login attempt.
Passkeys are good too as they replace the password completely and leave the 2FA part to the device.
Passkey or notification please. So sick of entering these codes on a daily basis.
I just save the cookies tbh
If it’s alright with your threat model, you can put the time-based OTPs into your password manager of choice, like Bitwarden. Upon filling your username and password, it places your OTP in your clipboard, so that you can simply paste it in. This does of course reduce the security of the system slightly, since you centralize your passwords and your OTPs. When opting for this method, it is therefore imperative to protect your password manager even more, like via setting up 2FA for the password manager itself or making sure your account gets locked after something like 10 minutes of inactivity. The usability aspect is improved by using a yubikey or another similar physical key technology.
Very good point. I have Bitwarden set up as a passkey for at least one account. I should remove that. 👍
Okay, but then you have to develop an app
You don’t for the one time codes because there is a standard that is supported by many authenticator apps.