I recently switched from Android to GrapheneOS for reasons that should be obvious to anyone who cares about privacy.
GrapheneOS is largely great, but there are plenty of incompatible apps and getting RCS chat working is a nightmare.
But that’s not important right now! What is important is what I found while having to re-log in to all of my websites and apps post-install.
Logging in anywhere is a pain now
Back in the golden days of the web, all you needed to sign in to any online service or app was a username and a password.
Later, 2FA came along to protect us from ourselves, and that began the slow but steady march toward inconvenient and inconsistent login flows across services. Password managers were supposed to protect us from this, but 2FA has effectively turned them into spicy notepads that just know where to paste things.
Login schemes today
Simple Login:
- Email / Password.
- Thanks! You’re in!
The ol’ standby. Simple. Reliable. Nothing’s wrong with ’em as long as you use strong, unique passwords, though a password on its own can still be phished or replayed from a breach, which is the whole reason everything below exists.
2FA Variations:
Two Factor Authentication combines something you know (a password) with something you have (a phone, an authenticator app, or an inbox that produces a one-time code), which in practice means you…have two passwords to type instead of one now.
- Email / Password.
- Thanks! That’s not enough! Check your phone for a text and enter that code now!
  - If you live in a mobile service dead zone, oh well.
- Email / Password.
- Thanks! That’s not enough! Check your authenticator app, scroll down to find the right site, look for a code, and enter it now!
- Email / Password.
- Thanks! That’s not enough! Check your email for a code and enter it now!
  - You have 60 seconds! If you rely on Gmail to fetch mail from another provider’s inbox, it polls on its own schedule, usually minutes apart, so BOOK IT to your provider’s webmail and grab that code, pal!
- Email / Password.
- Thanks! That’s not enough! Scan this QR code with our app!
- Email / Password.
- Thanks! That’s not enough! A thing will pop up on one of your logged-in devices. Click that!
- Email.
- Thanks! We know you have a password, but we don’t want it! Click a link in your email instead!
Did you lose access to your phone number, email address, 2FA app, don’t have a currently-logged in alternate device, or some combination of any of these? No problem! Just burn off a one-time-use backup code. What happens when you run out of those? Nobody’s really sure!
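Of all the variations above, the authenticator-app code is the one with a proper standard behind it (TOTP, RFC 6238), and it is also the one where the server’s checks decide whether it is actually a second factor or just a second password. The following is an added example, not code from the original post: it generates the six-digit code the app shows and verifies it the way a service should, with a one-step drift window and single-use enforcement so an intercepted code cannot be replayed. It uses the RFC 6238 reference secret (ASCII `12345678901234567890`, Base32 `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`) so the outputs can be checked against the RFC’s published test vectors; the `TotpVerifier` class and its names are my own.

```python
"""RFC 6238 TOTP: how the authenticator-app code is made and how a server
should check it. Added example; the secret is the RFC's own test secret."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret ("12345678901234567890") in Base32, the format
# carried in otpauth:// URIs. Real secrets come from the enrolment QR code.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def decode_secret(b32: str) -> bytes:
    """Base32-decode a secret; otpauth URIs often omit the '=' padding."""
    cleaned = b32.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, then modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


class TotpVerifier:
    """Server-side check: tolerate a little clock drift, accept each code once."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = decode_secret(secret_b32)
        self.window = window        # accept +/- this many 30 s steps of drift
        self.last_used_step = -1    # highest time-step already consumed

    def verify(self, submitted: str, at_time: int) -> bool:
        if len(submitted) != DIGITS or not submitted.isdigit():
            return False
        now_step = at_time // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            step = now_step + delta
            if step <= self.last_used_step:
                continue  # replay: a code for this step was already accepted
            expected = hotp(self.secret, step)
            # constant-time comparison so response timing leaks nothing
            if hmac.compare_digest(expected, submitted):
                self.last_used_step = step
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(decode_secret(RFC_SECRET_B32), now)
    verifier = TotpVerifier(RFC_SECRET_B32)
    print("code:", code, "first use:", verifier.verify(code, now),
          "second use:", verifier.verify(code, now))
```

The one-step window is why a code keeps working for a few seconds past the countdown in the app, and the `last_used_step` check is the part most home-grown implementations forget: without it, a code phished in real time is good for up to 90 seconds on anyone’s machine.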
Passkeys:
- You don’t know what your password is. That’s because there isn’t one: a passkey is a private key that lives in your device or password manager, and the site only ever holds the matching public key and checks a signed challenge. In practice, that makes passkeys credentials that require a password manager.
- Want to switch to another password manager? Tough. Passkeys are (currently) not transferable between managers. The vendors are working on an export format, but until yours supports it you’ve got to jump through the login hoops above to generate a new one!
What’s the fix?
While 2FA has certainly made the web safer, actually using it is messy and inconsistent across services because there are just so many ways to implement it. Logging in to 50+ websites and apps today on a new device is an absolute chore that can take up the better part of an afternoon.
I think passkeys might be a good way to go eventually, but they come with this layer of obfuscation that I’m not entirely comfortable with. Passkeys are still not universally portable across password managers, but that’s slowly changing. For now, that makes them feel like much more of a novelty than something truly portable and open.