Why are passkeys not considered MFA here? Fight me!

I’ve just stumbled across this alarming banner announcing MFA “will be enforced”. This made me curious, so I’ve started reading the thread about it.

It didn’t take long before I had to chuckle a little bit that, probably, adults are arguing over something like this.

You have to use MFA, not to do so is just fucking stupid. How are you surviving on the corners of the internet, e.g. where this forum is located? :wink:

Secondly: it’s wild to claim passkeys would not be considered 2FA/MFA. That’s exactly what they are, what they’ve been invented for, and why every auth mechanism is using them nowadays. @VladTheImplier should consider that “deciding” because of an (unfounded) opinion, that one MFA is better than the other, is no longer about security. Actually, even the infographic is contradicting this idea :octopus:. We should chill and do what makes sense :slight_smile:

I understand that the discussion derailed spectacularly in the thread and that’s why it got closed, and I don’t want to start it again. But just get it together guys.

Click https://discuss.eroscripts.com/my/preferences/security and press “Add Passkey” to add a magic no-brainer auth to your iPhone, browser or password manager in about 5 seconds.
Maybe this will even inspire you to use them everywhere :slight_smile:

:sparkling_heart:


Just so you’re aware, I asked Vlad directly about this. Passkeys will not overwrite the need for another form of MFA. If you set up a passkey, you will ALSO need another form… This is what my main issue with it from the start was personally, not that I needed MFA at all, but that passkeys weren’t going to be a catch-all to remove the need for other forms of it.

I’ll just post the actual message I sent and received:


Seems like we’re getting triggered by the same thing :wink:
But then again, I know how it feels when it’s not so easy to acknowledge you’ve maybe had a construed view of something :slight_smile:

Just reading a bit more through some other threads on here, it seems like passkey DOES bypass the need to login at all(?). I guess I’ll set up MFA and a passkey, and see what happens.

OK, I missed this when Vlad sent it:

I’m glad everyone found the answers they’re looking for here. You can also review the linked video I sent from the announcement. It covers the experience for both TOTP and Passkeys.

To comment on this:

You’re absolutely right and I failed to answer your topic title question in that thread.

Basically, the enforcement for MFA in Discourse is a toggle. It doesn’t reveal more info than yes or no.

I suspect, based on the Discourse devs’ history, that they don’t even know what passkeys’ purpose is, and I don’t trust them to behave correctly without TOTP.

I suspect that once enrolled, signing in with just username/password will still work without a 2nd factor, leaving accounts still unsecured. Admittedly I haven’t tested it, but I’m not confident in the Discourse devs.

It is also best practice in general to use TOTP or another factor as break glass access when needed.

I’d just like to point out btw: Bitwarden’s TOTP is now a premium feature… I see when you made the video, so some time in the last 2 weeks, it has been made premium unless you already had premium, which I guess could be the case.

My Bitwarden is actually Vaultwarden hosted in my home.

I would instead recommend KeePassXC or something else that’s FOSS.

KeePassXC seems way too finicky: I have to log in every time I open the software, and the browser plugin doesn’t integrate properly from my experience. It also seems FAR slower as a password manager than any others I’ve used. It also doesn’t seem to support TOTP, which would be the reason I’d need it in the first place…

You mentioned in the other topic that you had a way to hide the site name from something like Google Authenticator, but I couldn’t find that anywhere. Could you link that here?

For convenience, I’d recommend the password manager of your mobile OS @GGOONNZZ

(imho 1Password or KeePassXC are better in multiple ways, but that’s not relevant for the regular user I think)

Now I get it. It’s not that you’re deciding that passkeys are not regarded as MFA, but Discourse’s backend is probably deciding this. That changes the way I think about the original thread :slight_smile: Sorry for being rude, Vlad :revolving_hearts:

Actually, I’ve been digging and found on their forums that they acknowledge that Discourse’s “force 2FA” does not allow passkeys as 2nd factor. They say this is a usability problem and they will eventually fix this.

(nerdy shit for reference)

When the `SiteSetting.enforce_second_factor` setting is enabled, Discourse will ask whether `current_user.has_any_second_factor_methods_enabled?`,

…which is either a TOTP or `security_keys_enabled?`,

The latter looks for the user’s `UserSecurityKey` with `factor_type` = `second_factor`,

but passkeys are of the type `first_factor` for legacy reasons. Changing this will be a pain.

So even if you’ve got passkeys, `User#has_any_second_factor_methods_enabled?` will be false :frowning:

So yeah, enforcing 2FA will for sure need another factor than a passkey, by design.

The moral of the story is probably that everyone should use a password manager :slight_smile:
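As an added illustration of the check path described above (a standalone Ruby model written for this thread, not Discourse’s own code; the class, method and symbol names are assumptions modelled on the post): the enforcement toggle only counts keys stored as `second_factor`, so a user who enrolled nothing but a passkey (`first_factor`) can sign in with it yet still fails the enforcement check and is pushed to enrol TOTP or a second-factor key.

```ruby
# Standalone model of the Discourse check described in the post above.
# Not Discourse's code: names and shapes are assumptions for illustration.
UserSecurityKey = Struct.new(:name, :factor_type, :enabled)

class User
  attr_reader :security_keys, :totp_enabled

  def initialize(totp_enabled: false, security_keys: [])
    @totp_enabled = totp_enabled
    @security_keys = security_keys
  end

  # The "totp or security_keys_enabled?" disjunction from the post.
  def has_any_second_factor_methods_enabled?
    totp_enabled || security_keys_enabled?
  end

  # Only keys registered with factor_type == "second_factor" count here.
  # Passkeys are stored as "first_factor", so they never satisfy this.
  def security_keys_enabled?
    security_keys.any? { |k| k.enabled && k.factor_type == 'second_factor' }
  end

  # A passkey does work as a first factor: it can replace the password.
  def passkey_sign_in_available?
    security_keys.any? { |k| k.enabled && k.factor_type == 'first_factor' }
  end
end

# What the enforce_second_factor toggle does in this model: with the toggle
# on, a user with no second-factor method is sent to MFA enrolment.
def enforcement_decision(enforce_second_factor, user)
  return :allowed unless enforce_second_factor
  user.has_any_second_factor_methods_enabled? ? :allowed : :must_enroll_second_factor
end

# Constructed sample accounts for the three cases discussed in the thread.
passkey_only = User.new(security_keys: [UserSecurityKey.new('phone passkey', 'first_factor', true)])
yubikey_2fa  = User.new(security_keys: [UserSecurityKey.new('hardware key', 'second_factor', true)])
totp_user    = User.new(totp_enabled: true)

if __FILE__ == $PROGRAM_NAME
  puts "passkey-only, enforcement on:  #{enforcement_decision(true, passkey_only)}"
  puts "passkey-only can sign in:      #{passkey_only.passkey_sign_in_available?}"
  puts "2nd-factor key, enforcement on: #{enforcement_decision(true, yubikey_2fa)}"
  puts "TOTP user, enforcement on:      #{enforcement_decision(true, totp_user)}"
end
```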

I think it’s really telling that I didn’t even bother to test it or look it up and could tell Discourse fucked up passkey usage.

They do this in a lot of avenues.

I’m sure you read in the thread that I’m intimately knowledgeable about authentication security.

A lot of the trouble for education is the mixing of terms in trying to explain complex things in a simplified way.

For most people, professionals included, passkeys and TOTP are MFA. Which is correct, but it would be more accurate to say passkeys are a protocol that wraps a FIDO2 credential and MFA.

Most people don’t care about the difference. So explaining passkeys in the context of Discourse is additionally stupid, because Discourse doesn’t use them correctly.
