
>does anyone still believe that Pluton, also copy-pasted from the Xbox, is about end user security?

I never did. The worst part is explaining it to people drinking the MS Kool-Aid. I'm an MS admin, so people at work love Win11, Intune, etc., all that max lockdown shit. To me that's not what Windows is about; for me Windows is excellent because of the admin tools and backwards compatibility. But hey, that's just me.

Pluton will be another TPM thing: introduce it, wait 5 years, then mandate it. They have time.




> But hey that's just me.

There are more of us out there!


There are literally dozens of us!


Another TPM thing? What problem do you have with the TPM?


TPM end game is to have identity tied to a device on PCs, just like the monopolies already have on Android and iOS.

You know how Google and Apple dropped actual TOTP 2nd factor for their own accounts and force you to sign on another device to confirm signing on new devices? Same thing.


Apple has SMS if you don’t own an Apple device. In fact, they require SMS to set up 2FA.

They probably dropped TOTP because non-technical people can’t figure it out.


Hell, technical people can't figure it out. Everyone complains that it's fragile because what if their phone breaks, and those that think they know better think it's because of the dozen one-time-use emergency codes.

It's not their fault though. Every web site or service that offers TOTP, and most user-facing apps like Google Authenticator, all scrupulously avoid telling you to save the seed value in the initial setup QR code.

That short random string is all you need to have working TOTP on as many different devices as you want, set up a new one any time you want, and it's nothing but a simple static never-changing secret exactly like a password.

You can wake up naked in a foreign country and be all back in a few minutes and without having to re-setup any sites or anything like that.

That is, IFFFFF you have previously saved all the TOTP initial setup seed values right along with the passwords for those same accounts. If not, you can go do it right now.


Where can I read more about how this is done?


Just when you enable 2FA on some site and it shows you a QR code (or however it gives you the code; it might be a regular URL, and sometimes they even display the string in plain text), save that string. If it's a QR code, save the QR code and read it with a regular QR code reader (probably just your camera app these days) and it will have a string or a URL with the string as the query string.

That string is not just one-time use. You can just save it and enter it into TOTP apps all over the place all day for the next n years.

KeePass apps all support it now, for one example, so you could save the string in a notes field in KeePass, but they have a dedicated TOTP field now too. You paste it in, and now that password entry not only stores your name & password for that site, it stores the TOTP seed for setting up TOTP apps, and also displays the current TOTP time code just the same way a TOTP app like Google Authenticator does.

It's all stored in the KeePass db file just like the normal passwords, so to set up a new device, all you need is access to any copy of the KeePass db file. Install any KeePass app like KeePassXC on a laptop, load the db, and there are your working current TOTP codes for all sites. If you want a more convenient dedicated TOTP app rather than having to dive into KeePass, just copy the TOTP seed from KeePass into GNOME Authenticator or whatever. The different apps have different ways to supply the string when not taking a picture directly with the camera. Some, like Google's, hide it from direct access. Last time I used Google Authenticator I think it had no usable export, but it just recently got the ability to store the seeds in Google's cloud, but not like in an ordinary Google Drive file that would be useful, just some internal magic that all it does is, if you can somehow manage to log in to your account on a new phone, it will pull the seeds down and start working on the new phone. It doesn't let you set up any other apps or devices, and Google has a copy of your seeds in a form they can read, even though you can't!

But the same seeds could be just as cloud-enabled by being inside a password manager db, which is still sitting on a Google cloud server, but this time in a file that you own, and in a form that Google can't read but you can.


I'm a bit late but FWIW Google Authenticator has a QR code export option, it generates a giant QR code (potentially multiple) that contain all the accounts and secrets. It's designed for you to scan into Google Authenticator on another device, but you can also read the contents of that QR code yourself with various open source utilities to get the accounts and secrets (or just print a copy for a physical backup of them). Overall it's not a terrible way to go, though like you said if you can save the original QR codes that's a nicer way to do it.


Thank you. This is mostly new to me and I am thankful for the hints.


That is very helpful. Thank you.


SMS is not really great.


SMS is trivially exploitable. It has negative security value.


SMS is the only 2FA method that the general public understands.

It is absolutely better than nothing even if isn’t great.


Trivially? How?


I wouldn't call it trivial, but either with an SS7 attack or by bribing the T-Mobile/Verizon/AT&T store employee, you can get someone's SMS messages.


You can use FIDO2 keys as a 2nd factor for Apple accounts now.


Hundreds of millions of perfectly good PCs are going to be end-of-life due to this.


No, not end of life, end of Microsoft.


It being a Win11 requirement. It failing and triggering BitLocker on our machines. It's just shit :) No, I don't have another solution. Let me complain.


What garbage hardware are you running where TPM is failing?


Had about 25% of our Dell laptops' TPM fail, got to know the repair technician well.


Every Windows Update, with Lenovo pushing UEFI updates on their shiny new X13s with the Snapdragon and the Pluton chip in it, kept tripping BitLocker on every update.

So, uh... Lenovo?


FWIW, my old corpo HP would also trigger BitLocker sometimes on random shit, such as upgrading the firmware of the docking station. But that was usually fixable either by unplugging USB devices while booting, or just trying many reboots until BitLocker suddenly decided everything was OK.


The TPM thing that got hacked the other day?



