Hacker News | dyml's comments

I also used Kagi, but decided to cancel my subscription last year when it was revealed they pay Yandex for their search, which is a Russian company that ultimately fuels the Russian war on Ukraine.

Once Kagi stops transferring money to Russia, I’d be happy to re-subscribe.


Do you have a source for how funding Yandex funds the war? Yandex is a great search engine, so I would hate to find out that this is true.


  https://en.wikipedia.org/wiki/Yandex#Legal_issues_in_Ukraine
  https://www.zois-berlin.de/en/publications/zois-spotlight/the-sad-fate-of-yandex-from-independent-tech-startup-to-kremlin-propaganda-tool


It's based in Russia so it presumably pays taxes and salaries in Russia.


All American companies pay taxes to America, which is basically always committing atrocities, so I don't think that's a strong enough reason on its own.


.ru is, but .com is based in Europe, with different results for each.


I have the feeling that, if you look a little closer, a lot of products you are using are supporting atrocities somewhere directly or indirectly.


I work at Bitwarden and I can confirm this. While technically you have the data, any other app needs to support our JSON format (which they totally can, our code is open source) - but CXP (the standard) is happening this year so we’re planning on using it.


I worked on this standard and we’re all excited that it’s rolling out to most if not all password managers and platforms.


We're enabling it by default, you can opt-out.


I just want to point out that the title is wrong. 2FA is on by default, but not mandatory. Dang, can we change the title?


The title was correct but they appear to have changed the policy since the post was made, likely as a response to feedback.

Notice that in the archive from earlier today the "Who is excluded from this account email-based new device verification?" section did not have the new fifth bullet point about being able to opt-out:

https://web.archive.org/web/20250128011007/https://bitwarden...

Thought it was worth pointing this out since I've already seen people reply to old comments thinking people didn't read the article without realizing it was later changed.


Ok, we've done that now. (Submitted title was "Bitwarden introduces mandatory 2FA for new devices".)


I work at Bitwarden and I have that same pet peeve! Let's see if I can get a PR up without causing a UX stir :)


Very unfortunate and caused me to cancel my subscription immediately. Any alternatives that people can recommend to someone who thoroughly enjoyed Kagi?

I really hope they reconsider their arrangement.


I heard Yandex has pretty good search results.


Please don’t use WebAuthn on every page load.

Two reasons: 1) the protocol is not designed to do this - and the UI/UX is not designed to support this. There are better ways.

2) it will likely not work. There are virtual/software authenticators (available in dev tools) that could generate a valid response without a human.


FWIW using WebAuthn to start a session, set up a cookie, and validating that cookie to get access seems like a pretty usable pattern. Not much more invasive than the "checking your connection" screen Cloudflare likes to throw.


Use a password manager, like Bitwarden


You can use any passkey provider app. I work at Bitwarden and we’re building mobile passkeys for Android right now. We can do the e2e sync, but if you want you can always self host Bitwarden server and just use our client apps.


The Bitwarden passkey dialog irks me because it makes me click the passkey I want, even if I have exactly one. It would be better to have a feature where I could specify "always use this passkey and don't prompt", since that's what I need 99% of the time.


This has been annoying me as well: WebAuthn even provides metadata that lets authenticators know which credentials they're willing to accept, so at least in that case (usually the flows where you have to enter a username), auto-selection should be possible.

With discoverable credentials (which Passkeys by definition are), i.e. the flows where you don't even enter a username and the website learns it from the selected passkey, I don't think there's a way around a key selection process, but the UI can definitely be improved to distinguish the two.

Maybe something like "website XYZ is trying to verify your account 'username' – is that ok?" vs. "website XYZ wants to authenticate you – which passkey do you want to present to them (if any)"?


Good feedback, thanks! Will bring it up when I’m back at work.


Thanks! I also opened a feature request on the same thing a while ago.


This is such a big small thing.

Patiently waiting for passkey support on Bitwarden iOS to replace all my passwords everywhere.

Do you guys have any rough idea how far away you are from launch? Is it weeks? Months? Quarters?


I'm already seeing Bitwarden as an option for Passkey authentication on iOS! Apparently the app already exposes itself to iOS as a WebAuthn backend (or the API is the same as that used for password managers).

Unfortunately that API doesn't seem to be wired to anything in the app yet, so selecting it inevitably fails.


Very soon


Any TestFlight one can join to get in on an early beta?

I'm eager to give it a try.


Send an email to me at aaberg@bitwarden.com and I’ll look into it!

