this post was submitted on 10 Oct 2025
1033 points (99.5% liked)

Programmer Humor

26817 readers
2972 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 2 years ago
MODERATORS
Feyter@programming.dev
anzo@programming.dev
BurningTurtle@programming.dev
pylapp@programming.dev
1033
Vibecoding is the future (lemmy.ml)
submitted 19 hours ago by cm0002@sh.itjust.works to c/programmer_humor@programming.dev
65 comments fedilink hide all child comments
 
you are viewing a single comment's thread
view the rest of the comments
[–] victorz@lemmy.world 6 points 12 hours ago (2 children)

Passkey or notification please. So sick of entering these codes on a daily basis.

[–] Opisek@piefed.blahaj.zone 4 points 11 hours ago (1 children)

If it's alright with your threat model, you can put the time-based OTPs into your password manager of choice, like Bitwarden. Upon filling your username and password, it places your OTP in your clipboard, so that you can simply paste it in. This does of course reduce the security of the system slightly, since you centralize your passwords and your OTPs. When opting for this method, it is therefore imperative to protect your password manager even more, like via setting up 2FA for the password manager itself or making sure your account gets locked after something like 10 minutes of inactivity. The usability aspect is improved by using a yubikey or another similar physical key technology.

[–] victorz@lemmy.world 2 points 10 hours ago (1 children)

Very good point. I have Bitwarden set up as a passkey for at least one account. I should remove that. 👍

[–] Opisek@piefed.blahaj.zone 1 points 17 minutes ago* (last edited 16 minutes ago)

Well, they're not a bad thing per se, it's just important to remember that by doing that you are essentially delegating the access security (including any means of MFA) from the target website to the password manager. I.e., instead of inputting password and 2FA code for example.com, you have to input your password and 2FA code for the password manager itself. This has the same security guarantees, so long as you don't set your vault to—for example—never lock automatically.

For the case of passkeys, using Bitwarden, even with 2FA does reduce the security level in my eyes somewhat, since I'd argue passkeys to be a more secure measure than password + OTP. Unless, of course, you use a different passkey to authenticate yourself to Bitwarden.

TLDR; be careful about putting everything inside Bitwarden. You'll be fine if you make sure to protect your password manager adequately, but if you put OTP secrets (or passkeys) for other website inside Bitwarden AND only use password authentication for Bitwarden without any MFA, then you are effectively reducing your MFA back to a single factor (the Bitwarden password).

I'm afraid user authentication on the internet is broken beyond salvation. It's already complex enough to grasp fully for tech-savvy people, meanwhile we've taught the general population to use password123 for all their accounts and write it on a post-it for a good measure.

[–] RaivoKulli@sopuli.xyz 1 points 8 hours ago

I just save the cookies tbh