Installed Steam on a new computer. Signed in. It sent a passcode to my Gmail. I signed into Gmail. It wanted me to 2FA because I hadn’t signed into Google on that device. It sent a notification to my phone, which I never received. I had it resend the notification twice, still nothing. Tried again with my phone’s offline passcodes. Neither worked. Tried the QR code/Bluetooth connection, and that finally did it.
At least I got through in the end, but fuck, it’s annoying.
I guess our tech overlords have determined that “Passkeys” are going to be the replacement and fix for this kind of multi-factor authentication hell. Should be nice once everything actually adopts and implements it well. Still need like an email-based password reset or something like that.
I really like GRC’s Secure Quick Reliable Login (SQRL). It’s basically just the open version of the prompt on your phone. Authentication requests are made for a specific domain and sent back to that domain only, so no phishing. So much more phishing resistance than has been typical, similar to passkeys. It’s as seamless as scanning any QR code with a phone, or it integrates with a browser or local password manager/daemon. The prompts on the phone show you the unobfuscated domain name of whatever generated the QR code/auth request, and if it’s never been used before, like a phishing site, it’ll only offer user registration (usually with one click).
The backups of your credentials are just QR codes and can be printed on standard printer paper.
It is used internally at a midsize organization for their internal systems authentication. Way less hassle than the Microsoft authenticator, no added hardware like a passkey.
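The per-domain key idea behind the phishing resistance described above, as an added Go example that is not GRC's code or a real SQRL client: deriving each site's key pair from one master secret keyed by the domain is a simplified assumption (the real scheme has more steps), and the domains, nonce and master secret are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// siteKey derives a per-domain Ed25519 key pair from one master secret by keying an HMAC with
// the domain. Simplified model assumed for illustration; GRC's real derivation has more steps.
func siteKey(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // SHA-256 output is exactly the 32-byte seed
	return priv.Public().(ed25519.PublicKey), priv
}

// challenge binds the server's nonce to the domain, so a nonce relayed through a lookalike fails.
func challenge(nonce []byte, domain string) []byte { return append(append([]byte{}, nonce...), domain...) }
// clientRespond signs for the domain the phone actually shows the user, and only that domain.
func clientRespond(master []byte, domain string, nonce []byte) (ed25519.PublicKey, []byte) {
	pub, priv := siteKey(master, domain)
	return pub, ed25519.Sign(priv, challenge(nonce, domain))
}
// Server keeps the identities (hex public keys) registered for its own domain.
type Server struct{ Domain string; Users map[string]bool }
// Login returns "login" for a known key, "register" for a valid but unknown key
// (all a never-seen site can offer) and "reject" for a bad signature.
func (s *Server) Login(pub ed25519.PublicKey, nonce, sig []byte) string {
	if !ed25519.Verify(pub, challenge(nonce, s.Domain), sig) {
		return "reject"
	}
	if s.Users[hex.EncodeToString(pub)] {
		return "login"
	}
	return "register"
}

func main() {
	master, nonce := []byte("constructed master secret"), []byte("constructed nonce")
	pub, _ := siteKey(master, "example.com")
	site := &Server{"example.com", map[string]bool{hex.EncodeToString(pub): true}} // enrolled earlier
	p, sig := clientRespond(master, "example.com", nonce)
	pp, psig := clientRespond(master, "examp1e.com", nonce) // lookalike relaying the real nonce
	fmt.Println(site.Login(p, nonce, sig), site.Login(pp, nonce, psig))           // login reject
	fmt.Println((&Server{"examp1e.com", map[string]bool{}}).Login(pp, nonce, psig)) // register
}
```

The lookalike domain gets a different public key and a signature over its own name, so the genuine site rejects the relayed response and the lookalike itself can only offer registration.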
Passkeys aren’t added hardware. They’re just private keys.