Is Passwordless Authentication Safe?

  • Published on 8 Sep 2024

Comments • 24

  • @askleonotenboom 2 years ago +6

    How can it even work?

    • @rs3370 2 months ago

      Can you tell me, what brand is that orange speaker on the shelf in the background? Thanks!

    • @askleonotenboom 2 months ago

      @rs3370 Ha! That's a 40+ year old Speakerlab .1 -- Speakerlab was a local company back in the day. :-)

  • @larkc7677 16 days ago

    Thank you for this information, very helpful. For now, I’m sticking with two-factor authentication using a strong password first. I simply don’t have confidence in this password-less method, especially with my Microsoft account.

  • @ー-ーー 5 months ago +1

    Passwordless with Microsoft can go horribly wrong since there aren't two factors then; give someone the first factor and they have full access and can change security info.

    • @HoD999x 5 months ago

      yubikey ftw

  • @alecfry9127 2 years ago +1

    Email with a link is only one option for Passwordless. There is MFA within other Passwordless options that have no issues like the email delay issue.

  • @sanchithaseshadri2166 a year ago +1

    The only factor of auth being used here is your email, so this isn't really using MFA. If the email service provider (e.g. Gmail) is compromised, a bad actor can access your email and therefore get access to your Medium account. One way to mitigate this is using another factor of auth such as an OTP texted to your phone via. This is more secure because while it's somewhat likely that either your email can be broken into or your phone can be stolen, the likelihood of BOTH occurring is negligibly small.

  • @StijnHommes months ago

    Amazing! A video of more than 8 minutes and nowhere do you mention the correct answer to the question in the title...
    4:00 Medium not having a password means that if you lose access to your original email account, you also will no longer be able to log into Medium. A false sense of security should not have to come at the risk of losing your account completely because there is no sensible password backup available to get in.
    5:00 Instead of password reuse, you have email reuse. All a hacker has to do, is fake up an email to get you to log in to a fake site and provide your personal information there.
    7:30 And let's not forget that you are not the only person who has emails that get stuck and take ages to arrive, which means people can no longer log in at a moment's notice.

  • @glasslinger 2 years ago

    I use it on my lesser accounts. But not on my PayPal or bank account. The accounts use my computer I.D. Of course anyone using my computer could log in but it is not likely at all.

  • @Wigglythegreat2 a year ago +1

    I don't like having the Microsoft authenticator app requesting access when someone else is trying to get into my account. Seems like they should at least enable a pin before someone can just request to get into your account with passwordless. I don't want to see all the requests in my face if they aren't me. It seems like they should at least have to enter a pin before they can request passwordless entry and that way I wouldn't see any request that didn't have the pin.
    I'd feel better with passwordless if you could still keep an option to use a security key too.

  • @Mike_v_E 2 years ago +2

    I currently use a password and the Authenticator app. If my password gets hacked, they still need the authenticator access. On trusted devices I already only have to use the app, instead of a password.
    I’m still trying to figure out how passwordless is more convenient and safe

    • @rafaelguerrero1715 2 years ago +2

      🥲 actually there is a way to get around, just with the password that is why I was looking for passwordless info :c

    • @HoD999x 5 months ago

      google "yubikey"

  • @miguelmesa4692 a year ago

    Awesome explanation, really, I understood very well, and I will follow your comments, thanks.

  • @Specialist1Aim a year ago

    PASSWORDLESS is safe for me because it removes the need to hide my password somewhere OFF of the local computer and the fear of losing that document

  • @andreialcaza 2 years ago +1

    Interesting video, you are right, it's not perfect.

  • @vru-x5m a year ago

    Thank you! Why do you not generally recommend signing in with third-party services, e.g. Google which itself may be strong enough with 2FA enabled whereas the initial website may lack 2FA option?

    • @askleonotenboom a year ago +1

      Because if you lose access to your Google account, OR if that Google account gets hacked, then ALL the associated accounts you've used it to login with are impacted.

    • @vru-x5m a year ago

      @askleonotenboom Understood, thanks! But in your example with the link which is sent to email for login, the problem is basically the same.

    • @ChibiKeruchan 8 months ago

      @vru-x5m Because some websites create a fake pop-up sign-in to Google which will send you to a fake Google login page, where you enter your Gmail and password and that's it.. you got hacked.
      But hey, if you sign up there and use the same password as your Gmail then that's the same thing. 😂😂
      This is why they always remind you not to use the same password on all your accounts.
      And Google hates it coz they are being blamed for Google accounts getting hacked even if they have a very secure server. It's not their fault if you got hacked from another website.
      This is why 2FA became a standard. Even if both you and the hacker have the password, he can't get through the 2FA.

  • @Matt15199 a year ago

    Honestly, my email account has been getting hacked into; let me just say Microsoft/Outlook security sucks.

  • @markanderson2155 2 years ago

    Excellent explanation and I concur with your opinion about 2 form factor being gold. I prefer it myself.
    However, if I lose my phone or it is stolen, it does put a damper or chink in the armor. Or even an issue with email. I use both authenticator apps, SMS and email with most that would allow it.