You could consider switching to passkeys, an emerging standard to improve logins. It is much easier to use than passwords and time-based 2FA. Passkeys are broadly supported across operating systems, browsers, and devices now, but website support is still hit-and-miss. For the websites that support them, however, it is a good balance between security and convenience.
The SDMB, for example, DOES support them. (They call it a Physical Security Key, which is actually something different, but that same feature does support passkeys.) You can access it at https://boards.straightdope.com/u/your_username/preferences/second-factor (or Preferences → Security → Two-factor authentication → Physical Security Keys).
What is a passkey?
- It is a “shared secret” between your device (computer or phone or tablet, typically) and a remote server (the website you’re visiting). This shared secret is automatically generated and cryptographically strong. There is a lot of fancy math involved, but it basically boils down to public key cryptography, similar to how HTTPS and SSH keypairs (for developers/sysadmins) work.
- For you as a user, the big thing is that there is nothing to remember and there is nothing to steal. Each passkey is only good for one website/app. Your device automatically communicates with the remote server to securely transmit the passkey, and only to its intended recipient. Neither you yourself nor any rogue apps can steal or accidentally leak the passkey (generally speaking).
- So your device/browser manages all this complexity for you. In exchange, all you have to do is remember either 1) your device master login (like your phone PIN/pattern or your computer password) OR 2) use your biometrics (like Apple Face ID or your fingerprint sensor) to authenticate yourself. The nuance here is that you are only authenticating yourself TO YOUR DEVICE, same as you do every day; neither your password nor your biometrics are ever sent to a remote server. Once you authenticate to your device, your device deals with the passkey situation automatically on your behalf, sharing only that particular passkey for that one particular server (and only the public part).
Compared to passwords:
- They are much safer, hundreds or thousands of times stronger
- Are never reused between websites
- Don’t need you to remember anything
- Just like passwords, can be stored locally on your device OR synced to the cloud (via Windows Hello, Apple Keychain, Chrome/Firefox sync, 1password or another password manager, etc.)
Compared to time-based 2FA:
- They don’t require you to have another device or app handy
- They don’t need you to type in anything that expires in 30 seconds
- They can be easily synced across devices (if you so choose)
- They don’t have their own set of recovery keys that you need to print out to keep track of (they fall back to your passwords if you lose a passkey)
All in all, it’s a hugely convenient way to deal with website and app logins. Create one passkey per service and you can 1-click login to it from all your synced devices, in a way that’s much stronger than a password alone. It is a little weaker than true 2FA, since it’s no longer two-factor… you are replacing “something you know and something you have” with “one very strong secret that only your device/password manager knows”, but for most practical purposes, it is a much better balance of security and convenience.
2FA and long complex passwords mostly protect the user from themselves, which is also what passkeys do, just in a far simpler way. It’s literally one click to log in after you set it up.
But… it can’t really replace passwords altogether (because you still need one if you ever lose a passkey), so that means your password is still ultimately the source of truth, and ideally would be strong and randomly generated (which means you would still need a password manager). But even with a password manager, a passkey login is much faster than a password + 2FA + email/text auth.