Last year, when doing some digital spring-cleaning, I realised that I had 800 different passwords.
I tried going through them, removing long-dead websites, closing old accounts, and deleting anything incriminating. I now have 891 accounts.
I also went through my 31 different 2FA accounts. Getting rid of old employers’ email tokens, failed crypto wallet providers, Club Penguin etc. I now have 40 different TOTP tokens.
So, about 4% of my accounts have 2FA security.
I don’t know if that’s good or not. It feels like it ought to be more, but I’m not sure if I want the administrative burden. Even with a password manager and OTP manager, it’s a headache.
I do have a Yubikey (which I hate) but so few services support it. And, frankly, it’s a pain trying to find it and shove it in a USB socket.
A few services, like Steam, use their own special 2FA app. And some only offer 2FA via email or SMS. Yeuch! Google has a fancy set of push notifications on Android – but that only works with Google accounts.
Is this a problem?
Any of my accounts which handle payments are tied to my credit cards or PayPal – so I don’t care too much if someone cracks my password to Pizza Planet; there’s limited damage they can do.
But there has to be a better solution. Things like WebAuthN look interesting – but I worry that they’re too complicated for mere mortals to understand. And I’m worried about how fragile it is to have all your credentials tied up on one physical token. And I’m worried that credentials are tied to your browser.
So what’s the solution?