@Evono
I understand your point, and you’re right — in the everyday user space, adoption of new technologies like passkeys or TOTP isn’t widespread yet. But that’s exactly why we need to start educating and encouraging the shift from traditional passwords to more secure alternatives.
Here are a few things to consider:
Passwordless doesn’t mean less secure. In fact, many passwordless systems (including passkeys) are built on strong public-key cryptography, which is far more secure than traditional passwords. Unlike passwords that can be guessed or stolen, a private key used in passkey authentication stays on your device and is never sent over the network.
Passkeys and password managers are not the same. While some people store their passkeys in managers like 1Password or iCloud Keychain, passkeys themselves cannot be phished or reused. The authentication is based on a challenge–response system using public/private key pairs, not shared secrets.
TOTP is useful, but not a complete solution. TOTP does add a layer of security, but it’s still vulnerable to phishing and time-sync issues. WebAuthn/FIDO2 is designed to be phishing-resistant because it only works with the correct origin (domain) and doesn’t transmit secrets that can be intercepted.
Email is risky precisely because it's still tied to passwords. That’s another reason why passwordless is important. If you protect email accounts using passkeys or security keys instead of just passwords + TOTP, they become far more secure.
The more complex a system (password + TOTP), the higher the chance of user error. People forget to back up TOTP, lose their password, fall for phishing, or lock themselves out. Passwordless methods simplify access while actually reducing these points of failure — assuming the device is secure.
To use passwordless authentication methods, we don't need to buy expensive hardware security keys. We can take advantage of Apple ID, Windows Hello, or Bitwarden.
Back to the original idea: if Vivaldi only offers a password manager and doesn’t include a TOTP generator, that’s not really a problem. We can still use Bitwarden or Proton Pass, which can store usernames, passwords, TOTP generators, and even passkeys — all in one place.
Does that sound risky? Not really. As long as we keep our Bitwarden or Proton Pass account secure, we can enjoy entering passwords and TOTP codes from a single place with just a few clicks.
However, if a system already supports passwordless authentication (especially passkeys), I’d always choose that and disable password + TOTP login entirely.