this post was submitted on 13 Mar 2026
658 points (98.4% liked)

Programmer Humor

[–] TheObviousSolution@lemmy.ca 3 points 1 hour ago* (last edited 1 hour ago) (1 children)

On the other end, there is an excessive use of 2FA with systems for whom the concept of SSO seems to be a foreign thing. It's also sort of funny that 2FA can just mean using a TOTP capable password manager, reverting it back to one factor.

[–] killingspark@feddit.org 3 points 55 minutes ago

This. This so much. TOTP-based login is just two passwords where one is more annoying to use.

[–] UnfortunateShort@lemmy.world 8 points 9 hours ago (2 children)

I love FIDO logins and next to fucking no one implements them :(

[–] sunbeam60@feddit.uk 1 points 43 minutes ago

And when they do they only offer them as the second factor.

Yes, let me first input my password (from a password manager), then let me approve with a passkey that is meant to make my password not necessary.

But email based login: FUCK THAT SHIT.

[–] onlinepersona@programming.dev 3 points 7 hours ago (1 children)
[–] scholar@lemmy.world 3 points 3 hours ago (1 children)

Public key cryptography tied to physical hardware, so if you lose your phone / usb key, you need to use your backup recovery code; a fairly short one time password that negates the security benefits of Fido in one easy step.

It can also use biometrics, but that requires every device you log in on to have biometric readers.

[–] WoW@sh.itjust.works 1 points 2 hours ago

Or you could use multiple FIDO keys as backups

[–] Xziz@lemmy.world 5 points 9 hours ago

A lot of motherfuckers typing in code with a keyboard need a beating with said keyboard.

If a programmer can’t get a login form right they need permabanned from ever shipping another release.

[–] peacefulpixel@lemmy.world 44 points 14 hours ago (5 children)

alternatives to passwords are just excuses to harvest info

[–] Legianus@programming.dev 18 points 12 hours ago

Not if it comes to hardware-based passkeys I would argue

[–] slut@lemmy.world 4 points 9 hours ago
[–] LiveLM@lemmy.zip 85 points 17 hours ago* (last edited 17 hours ago) (6 children)

The best I've seen was yesterday where a website had the log-in button greyed out after the password manager filled my creds in.
So I had to manually click both the email and password field. Just click them. Then it enabled the log-in button.
So someone took their time to write a piece of JS that said "If the user hasn't focused both fields at least once, no login". Literally why? Extra code that does nothing useful.


I was hoping passkeys would be the solution to this madness, but it seems to me the entire spec gives too much power to the OS Makers and too little to the users because "mUh AtTtEsTatIoN" so now I don't know anymore

[–] JensSpahnpasta@feddit.org 1 points 3 hours ago

It's not perfect but will break many bot logins and people trying different logins from data leaks.

[–] Gumbyyy@lemmy.world 37 points 16 hours ago (3 children)

I've definitely run into that. Even more frustrating is when there was one particular site that forced me to actually delete the last character of my password and then retype it. Just focusing in the field wasn't enough, I had to actually send it a keystroke. And Ctrl-V to paste the password in manually didn't count. I suppose typing a random character at the end and then deleting it would have worked too.

[–] towerful@programming.dev 14 points 15 hours ago

When ctrl+v is disabled to "prevent brute force bots" or something ridiculous

[–] Passerby6497@lemmy.world 2 points 9 hours ago

Oh, it gets worse. I've had some where I have to enter a character into the boxes before it would figure its shit out...

[–] spizzat2@lemmy.zip 16 points 16 hours ago

My utilities website doesn't let you log in if the password field is autofilled by the browser. Whatever Angular-based form validation they are using doesn't play nice with Firefox's saved password feature. You have to manually type something in the password field, so I always add and remove a space from the password.

I sent an email to their support, hoping they would fix it, but they just responded saying that they can't reproduce it.

Well, I can reproduce it. I even told you how. That sounds like a skill issue.

[–] ricecake@sh.itjust.works 1 points 9 hours ago

They inevitably didn't write it for that reason. They wrote it to say the field is invalid until the user changes it to be valid after someone landed on the page holding the enter key down and instantly locked themselves out after submitting the form 50 times in 3 seconds.
Unless you know otherwise, it's easy to think that "form interaction" is the same as "form changed", and one of those is much easier to check.

I'm unsure what you mean about passkeys. I don't think I've heard anyone mention significant concessions to os makers and I'm pretty tuned in on the topic.
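
The distinction drawn in the comment above between "form interaction" and "form changed", as an added example that is not part of the thread or any commenter's code: the submit decision is computed from the field values at submit time, so autofilled or pasted credentials work, while an in-flight flag and a minimum interval absorb the held-Enter burst. The element ids, the `createGate` helper and the 1000 ms interval are assumptions.

```javascript
// Added example: gate a login form on field *values*, not on focus/keystroke events.
// Element ids (#login, #email, #password) and the 1000 ms window are assumptions.

// Decide whether a submit may proceed, from the values present at submit time.
// Autofilled, pasted and typed values are all treated the same.
function canSubmit(values, state, now) {
  if (!values.email || !values.password) return { ok: false, reason: 'empty' };
  if (state.inFlight) return { ok: false, reason: 'in-flight' };
  if (now - state.lastSubmit < state.minIntervalMs) return { ok: false, reason: 'too-fast' };
  return { ok: true, reason: null };
}

function createGate(minIntervalMs = 1000) {
  const state = { inFlight: false, lastSubmit: -Infinity, minIntervalMs };
  return {
    // Returns the decision and records the attempt when it is allowed.
    trySubmit(values, now = Date.now()) {
      const decision = canSubmit(values, state, now);
      if (decision.ok) { state.inFlight = true; state.lastSubmit = now; }
      return decision;
    },
    // Call when the server has answered (success or failure).
    done() { state.inFlight = false; },
  };
}

// Browser wiring: the button is never disabled based on "touched" flags.
if (typeof document !== 'undefined') {
  const form = document.querySelector('#login');
  const gate = createGate();
  form?.addEventListener('submit', async (ev) => {
    ev.preventDefault();
    const values = {
      email: form.querySelector('#email').value,
      password: form.querySelector('#password').value,
    };
    if (!gate.trySubmit(values).ok) return; // duplicate or empty submit: drop it
    try {
      await fetch(form.action, { method: 'POST', body: new FormData(form) });
    } finally {
      gate.done();
    }
  });
}
```

Client-side gating only improves the form's behaviour; lockout and throttling still have to be enforced by the server.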

[–] MaggiWuerze@feddit.org 158 points 19 hours ago (15 children)

Also this strange trend to split username and password onto two separate pages, or only showing the password field after confirming the username

[–] ricecake@sh.itjust.works 4 points 9 hours ago

That one's because users like choice. They need to look up who you are to know how you've chosen to authenticate. At least, that's how it started. Some could be doing it because the big kids are, but that's why the big kids do.
And they support choice because businesses want to use their login infrastructure and refuse to share. So you enter "user@businessOrUniversity.com.edu" and it forwards you to your institutional login.

[–] neidu3@sh.itjust.works 55 points 19 hours ago* (last edited 18 hours ago) (3 children)

Not that strange. Different users may belong to different groups which may have different authentication backends. The associated authentication method is brought up once a username has been provided.

[–] lime@feddit.nu 28 points 18 hours ago

if your choice of api route directly affects your auth flow something is very wrong.

[–] atomicbocks@sh.itjust.works 18 points 17 hours ago

You can do that as part of an OAuth workflow. You don’t need to have them on separate pages for that to happen.

[–] bobo@lemmy.ml 34 points 17 hours ago (1 children)
  1. Username
  2. Password
  3. MFA
  4. Do the whole process all over again because the remember this device is on step 2 and it's impossible to go back

Bonus stage 0: special login URL decided to crap out, and going back to any point in history automatically redirects to the error page that you can't use to log in, so you need to keep going back and trying to copy the URL before it redirects because Firefox interprets pressing "stop" as "do whatever you want idk"

Fucking aws...

[–] Sabata11792@ani.social 18 points 16 hours ago (3 children)

You forgot step 2.5: incorrectly identifying stoplights 6 times in a row.

[–] mimavox@piefed.social 3 points 11 hours ago

Came here to say that! For the love of God, stop with this nonsense!

[–] IcedRaktajino@startrek.website 29 points 19 hours ago* (last edited 19 hours ago)

And the auto-submitting TOTP entry form where you're apparently not allowed to make a typo. And obscuring the TOTP number like it's a password or state secret.

[–] criticon@lemmy.ca 45 points 16 hours ago (1 children)

Or worse:

Use email link -> use password instead

Enter password

Now enter the code that we sent to your email...

[–] ulterno@programming.dev 19 points 15 hours ago* (last edited 15 hours ago)

2 factor authentication, only when you feel like it.

They might as well be piping the password to /dev/null

[–] SystemDisc@piefed.world 6 points 11 hours ago (3 children)
[–] MDCCCLV@lemmy.ca 3 points 9 hours ago

Website wants you to make a passkey, go to login but the entry form only accepts the user name, then you have to click next to password which may or may not accept the passkey.

[–] onlinepersona@programming.dev 1 points 7 hours ago

Is that FIDO? What's the difference?

[–] Appoxo@lemmy.dbzer0.com 5 points 11 hours ago (1 children)

If they aren't on a USB stick, protected against being copied, they are only a single factor that instills false safety.

[–] GaMEChld@lemmy.world 19 points 14 hours ago

As an autistic person I felt this in my bones. I cannot STAND email based authentication.

[–] paequ2@lemmy.today 34 points 17 hours ago (1 children)

God I hate those stupid magic links. They're WAAAAYYY slower than just using my password manager.

AND they kinda contribute to locking you into Big Tech. I sometimes have problems with those stupid links because I don't have a Gmail account. Somewhere along the stupid chain there's probably some stupid check that delays or blackholes emails to non-big-tech domains.

[–] definitemaybe@lemmy.ca 14 points 16 hours ago* (last edited 9 hours ago) (2 children)

Based.

Email is terrible. It's an unreliable communication system. You cannot depend on sent emails arriving in the recipient's mailbox—even the spam folder.

People incorrectly assume that all emails at least get to their spam folder. They don't. There are multiple levels of filters that prevent most emails from ever making it that far because most email traffic is bots blasting phishing links, scams, and spam. Nobody wants phishing and scam emails, but the blocks that prevent those are being used by big tech to justify discriminating against small mail servers.

I can't remember the site, now, but I literally couldn't log into one this week because the email never arrived.

[–] lung@lemmy.world 55 points 18 hours ago (11 children)

HEY BUT DO YOU WANT TO USE A PASSCODE?? PASSCODE! PASSCODE! USE THE PASSCODE! -_-

[–] ZeldaFreak@lemmy.world 9 points 13 hours ago (4 children)

Or the obscure ways for 2FA/MFA. Passkeys are mostly cloud based. Yeah fuck no! The weakest Passkey is weaker than my usual randomly generated password, if the site doesn't do any shady business and require a weak password. Hardware keys are luckily not pushed for usage. I don't like them either. You require at least 2, for backup reasons. They also cost quite some money and they have zero auth. Just connect to USB and tap it. Also retrieving the backup and getting a replacement for a defective one takes some time.

Good old TOTP as 2FA is perfect, paired with a strong, random password. With my TOTP, I have an encrypted backup in my cloud, on my NAS, older backups in secure places and backup codes in several places. The TOTP App I use is open source and I have a mirror of the source code.

This should be enough security, if sites don't screw up all the time. You can bypass 2FA all the time. Even the credit card company screwed up big time. Usually you get 2 separate letters, one with your pin and one with your card. Both came on the same day. Also I actually didn't need the pin in the first place. I was able to add the card to the app and see the pin there, without actually verifying anything, except the credit card number.

Maybe when passkeys are supported in my password manager, I will try it but so far it isn't and switching is not an option, as it doesn't support the features I need. There is an open issue for an alternative password manager, with that feature request and it has some people wanting it, but it's still not added. But passkeys don't fix the issue for me using stronger keys, it fixes the site owners to allow stronger keys but they are still not required to use it. Some devs are just weird. I've read one PR for a FOSS project I use, where someone wanted to implement a universal oath or such stuff, that would support all types of external authentications. Nope, the dev refused the PR and they wanted to stay at the 2 proprietary implementations, for 2 services, even though this universal implementation would work with these 2 too. I can't tell exactly what it was. I was experimenting with an auth service for my self hosted stuff, to not deal with several accounts and rights systems. This service was the first one which I wanted to switch and they didn't want to support it, leaving me with the standard login.

[–] jake_jake_jake_@lemmy.world 3 points 11 hours ago

Every hardware based key I ever used also required PIN, but as far as expense and backups, yes, for personal use the cost generally may not be justified. I got all my personal ones as a bundle that was on sale. For work I would argue that some businesses can easily justify the cost to create a rotating stock of hardware keys to deal with lost keys. Generally in that environment you have centralized PKI, where you can revoke the certificate on the lost key and then issue a new certificate on a new hardware key. This doesn't help for all sign in methods tied to hardware keys, but can be very practical when implemented right.

I also agree on TOTP as the ultimate generic 2FA method, with several worsening options until the despised email or SMS 2FA. I will also add that you can set up TOTP on modern hardware keys, where you must insert and complete PIN entry. The inconvenience is that you must have all your keys and password manager available at setup time for places that don't support multiple TOTP codes.

[–] KairuByte@lemmy.dbzer0.com 5 points 13 hours ago (1 children)

What password manager doesn’t support passkeys these days?

[–] ZeldaFreak@lemmy.world 1 points 1 hour ago

Vanilla KeePass. The dev isn't interested in providing communication outside of its program, but he clarified that plugins have all the right access to do that, but as it seemed to the dev, there is no dev interested in making such a plugin. KeePassXC does support it but they are still missing entry templates. This is the only missing feature that is holding me back from switching.
