Hacker News | vanburen's comments

Yeah this is a big problem. I have been sent 2F messages via WhatsApp by some services (e.g. PayPal).

This isn't great, but better than SMS and having to have a separate app for each authenticating service though.

A vendor neutral service would be a lot nicer.


If cell service is available in at least one area of the property, you could have a dedicated SIM for receiving SMS 2FA and use a 4G router to forward the SMS to an email, e.g. Teltonika have this functionality [1].

The 4G router also has the benefit of being able to use externally mounted antennas, which might help in low signal areas.

Not ideal, but might at least be a solution for some people.

[1]: https://wiki.teltonika-networks.com/view/SMS_Forwarding_Conf...


While that is a solution someone could use, it wouldn't work for the subject here:

> she usually doesn't even have service 100 meters down the road.


Yeah, won't work for everyone, but a directional antenna mounted high up on the house might have a better chance than a phone antenna.


The idea of mounting a directional antenna "high up" on a house (or paying someone to do it) for the purposes of receiving SMS 2FA seems wild.


You can also get antennas with suction cups. I have used this before to get 4G internet in a house with no access downstairs, by sticking the antenna on an upstairs window.

An outdoor antenna would be better, but yeah more of a pain. I guess it really depends on how badly someone wants SMS.


MOUNTAIN valleys, need to get WAY higher up than the top of the house.


Agree. Passkey should be reserved for credentials that can be synced or exported to different providers, as this is what is most analogous to a password from a user perspective.

There should be a different standardized term used for hardware bound keys, so users won't get confused.



"the GitHub repo for the project provides English documentation and the binary for the closed-source NanoKVM firmware that runs from the microSD card."


I was very excited until I saw this. I think I'd rather pay more for a device with this level of access to be running software that isn't completely unknown. I hope it's possible to have PiKVM support this at a future date.


I'd be willing to bet it's just a barebones Linux image with pretty similar code.


Kinda confused here, most KVM appliances don't provide you with their firmware code either?

There are a few around, but your phrasing makes it sound as if closed source/binary isn't the default for these kinds of devices


pikvm is open source

https://pikvm.org/

https://github.com/pikvm/pikvm

tinypilot is open source (but they kind of restrict "pro" binary availability)

https://tinypilotkvm.com/

https://github.com/tiny-pilot/tinypilot


Their phrasing makes it sound like they would pay more for open source.

So would I. I've used several of the standard ones for 20 years, and the closed nature universally makes it suck.

They always require some ancient Java install or a license of one form or another, I have one that needs IE 6 with ActiveX! (AMI MegaRAC, standalone unit not built into a motherboard) And of course that thing only has ancient ssl and ssh and neither can be updated. Sure it's old, but there's nothing about its job that changed or got harder requiring new hardware. I don't use it any more only because of things that are the result of its closed nature. I actually really like the hardware. If I could replace the firmware I would still use it. Nothing about the job it does has changed, and so it doesn't matter how old the hardware is.

When I discovered PiKVM a few years ago before he was selling a product yet, I built one and it replaced a $600 Lantronix immediately.

This was a personal one not one work paid for, I already owned a spiderlinx, actually 2, one for vga & ps2, and one for dvi & usb, I already own these and I had paid the 500-600 retail for them, and a PiKVM built myself from a pi and a capture board from aliexpress and hacked into a generic aluminum box style pi case that I cut and drilled, is better. It's worth more in that it provides more functionality and flexibility.

Then I donated $500 to him, because that was still less than the cost of an equivalent, and now I get to have as many as I want for just the cost of the hardware, which I am free to scrounge up out of anything if I have to, and I'd wanted something like that for years and here it finally was. It was a real pain point for years and I was grateful and want to reward the things I want to exist.

And now that he sells a product with custom pcb, the entire kit including the pi is still about 1/2 of a spiderlinx.

You're right that it's normal that none of them disclose their firmware, or let you replace it, and it absolutely sucks all day every day every minute you have to use any of those normal ones.

For work before cloud times when we had all colo, what actually worked the best was serial consoles. You set up a little serial port server which you can ssh in to (and keep updated with current ssh) and it provides a serial connection to each machine in the rack. No Java, no ActiveX, no special browser, no licence manager, no software or platform requirements at all. Anything that can ssh can do a bare metal reinstall. And it works fine over a crappy cell connection.

But if you're forced to deal with a Windows box, or something else with only a screen & keyboard like a security camera console or a mac or something, or just any random non-server pc without serial console support in its BIOS, if you do need a kvm, pikvm or equivalent is the only way to go.


No open source firmware is definitely a no-go


The price is amazing though $43+$20 shipping. A Pi-KVM v4 Mini is $274 with free shipping in the US.


A free punch in the nose is still a punch in the nose.

You can make a pikvm for almost free if you want, because it doesn't care what hardware you use. You probably either already own or at least have access to everything necessary for free. That fact is 100x more valuable even aside from the price, simply the fact that you can source the necessary hardware from anywhere at any time on zero notice. When things go wrong, you are far more likely to be able to lash up a solution immediately if all you need is any kind of computer and any kind of capture device, and you can even tell a remote customer what to buy at their local Walmart if you had to.

But even the full finished productized package with custom hat pcb and case is still 1/2 of the equivalent single port Lantronix, and is more convenient and more useful.

And even the proprietary code in something like a Lantronix which is a long standing industry name with accountability and a reputation to protect, is still a 100% different proposition than the proprietary code from an unknown nobody.

It would be crazy, today, completely grossly negligent irresponsible, to use such a device in a high consequence role as remote server administration.

An ip-kvm is fundamentally literally a man in the middle and a keylogger, which you use to access all the most critical things that everything else happens on. No big.


pikvm solution is a Raspberry Pi Zero 2 W + HDMI CSI cable + pi pico for atx control + usb c splitter. It's actually cheaper. And once you put it together, you run stock pikvm image with smooth upgrades, etc.


I built 2 PIKVMs with Pi Zeros. It's not cheaper.


Price is irrelevant because open firmware is a requirement.



upvote for both the username and the public service


I'm holding up 8 fingers right now to avoid the wrath of the Van Buren Boys


Hahaha, there’s more to that than Seinfeld :-)


Someone should honestly script this. Assuming this is not already that


Not a script but if you're reading on phone with the Harmonic app, there's a "View on archive.org" button for every post. It works pretty well for me.


just treat archive.ph as a 2nd level browser.

if url doesn't work in the regular browser -- copy url into that.

maybe add that as a feature request for Brave.


I just checked the feature requests for the iOS client I’m using and this has been requested [1] …three years ago.

[1] https://github.com/dangwu/Octal/issues/228


Totally agree with this.

I wish Yubikey allowed users to import their own FIDO2/webauthn seed and overwrite the factory generated one, and then also allow the resident passkey functionality to be disabled.

It should be up to the user if they want to have multiple duplicate hardware authenticators and be able to backup their seed however they wish.


Usernameless always seemed like an optimization too far to me.

I think it's totally reasonable, and probably a good thing for users having to use their username at login. Especially as it reminds them what username they are using for that service.

I could totally see a situation where a user uses a Usernameless passkey for years to access a service and for some reason loses access to the Usernameless passkey, and then has also forgotten the username for the service, so cannot even start an account recovery process.


> Usernameless always seemed like an optimization too far to me.

I think it depends on the service. But aside from the occasional forum or social site, usernames are just an extra step. I don’t want or need one for banking/administration/ordering a product. For better or worse, email is usually a better identifier, assuming you already need one for other reasons (like you say recovery is typically needed).

> Especially as it reminds them what username they are using for that service.

Like passwords, forced usernames are hard to remember, if you use different ones. If you use the same, then it leaks privacy across services. (Technically usernames can be private but the expectation from decades of social sites is they are public)

> […] loses access to the Usernameless passkey, and then has also forgotten the username for the service

Correct, no identifier at all can’t be recovered. Hence, email.


> email is usually a better identifier, assuming you already need one for other reasons (like you say recovery is typically needed).

If you remember which one you signed up with, and it wasn't your work email from two jobs ago.


Or you can just use a verified email as a username...


There's no account recovery process for passkeys. I thought they are your identity?


No, your person is your identity. Passkeys don't pay for services, people do. So there is always a recovery process, at least for any business that actually values you as a customer.


No, that's like having only one key to your house.

If you have two passkeys from different providers, they serve as backups for each other. And there are other alternatives, like a printout of recovery codes.


Youtube link for the 60 mins episode: https://www.youtube.com/watch?v=7BGtVJ3lBdE


Single pair Ethernet would be a great option for home automation.

I think it is mostly used for industrial applications at the moment, but don't see why it can't be used in consumer applications as well.


Non pay-walled link: https://archive.ph/3c7Hs

