I recently ordered something on ebay. Nothing expensive, just a £60 item, and delivered to an address I've ordered many things to in the past.
First I had to log into ebay - no problem, got my password manager right here, as soon as I unlock my phone with my fingerprint. Now I'll just key in my 12 character, randomly generated password with mixed case letters, numbers and symbols.
Then ebay decided they wanted to send me a code by SMS. I'd never enabled that security option, but whatever. I can do that, quick fingerprint to unlock the phone then key in the code.
Then I chose to pay with paypal, requiring a second password. And a 2FA code, this time from a TOTP app. For some reason paypal ask for TOTP every time. Easy enough, quick fingerprint auth then just key in the code.
Then I told paypal I wanted to pay by card, as I always do. They redirected me to my bank, who asked me to use their mobile app to authorise the payment with my fingerprint. After unlocking my phone with my fingerprint, naturally.
Clearly, the days when businesses thought online shopping ought to be low-friction are long gone.
Apple makes this experience as seamless as I think it possibly can be. (As long as you use Safari...). All my passwords synced across all devices all the time, instantly available with Face ID or my fingerprint. Apple Pay makes checking out of most online retailers as fast as using my fingerprint or double-clicking the side button on my phone. Passkeys are generally starting to replace passwords on many major sites, making the process even faster.
That whole process in the top level comment is much faster, in practice, on my phone. Everything auto-fills (unless a site manages to fuck up their forms). I don’t typically have to type or manually copy anything, including 2fa tokens. Wait for the notification to ping, “fill from message” option, done.
I can often go through an entire sign-up, entering shipping, and payment, at a new site, without typing a single thing.
Well, yes (I also use Apple Pay when it’s available—best overall experience by a long shot) but it’s still quite fast and often involves no typing or copy-pasting.
I use 1password but opt out of this feature. Just as described in the article masterpassword creates a single source of failure so I don't personally want to put more eggs in that basket.
I keep my unimportant 2FA in 1Password and the really important ones (e-mail, domains, etc.) in a separate 2FA app.
If someone has pwned my 1Password I don’t really care if they log on to my Discord or order a limited amount of crap on Amazon because I am in much deeper shit at that point.
It depends on the set of credentials. Your primary email address, your access to 1Password, things of that nature can and should be stored in a 2FA app on another device. But the majority of 2FA codes for most websites are fine to be stored in your password manager. This way you can enable 2FA on every site you use, without the inconvenience, but you can reserve the extra security of a second device for services that would be critical failure points for you.
That, I don’t, but I only have those on work accounts anyway. None of my work stuff is set up to be as nice as my personal stuff, but that’s mostly outside my control.
Oh, wait: Steam has them I guess. Every so often (once every few months?) I have to type in one of their codes.
I did just check and I guess I could be doing this with non-sms codes if I added them to my password manager. If I had more than just Steam that used them, I’d do that.
I love the Apple ecosystem, however I always have a low level of dread that someday I will somehow offend them and be permanently blacklisted. This is the main reason I've drawn the line at using their password manager or email - I use separate email and separate password manager so that in a worst case situation I don't get locked out of everything.
Don't worry, Google actually did lock me out of everything a few years ago and when you have the pleasure of using their wonderful services you're literally given no information and have to google (hehe) around for a form to send in a picture of your driver's license to which you will never receive a reply, your Google account will remain "fraud blocked" and in 4 days you will have switched your entire life over to Apple/iOS to never deal with no-customer-service Google again.
Then 1 yr later an HN thread will remind you to try to log into your Google SSO and.. bam, it works. And you still have no idea why ALL of your G services (domains, email, gphone, etc.) were disconnected a year ago.
I used to think the same - custom email domain, passwords managed by myself, but:
1) I’ve never ever heard of Apple locking someone out of their Apple ID. Maybe they are obligated to do it for law enforcement in the US, but I haven't heard of even that. Meanwhile I’ve heard a ton of stories of Google locking people out of their accounts.
2) The convenience of using Safari, with 2FA and passkeys set via iCloud Keychain is too good to ignore. Literally 1 click (passkeys) or 2 clicks at most, authenticated with Face ID.
So I’m using this setup rn. You can set custom domains with your iCloud email too.
Not to be argumentative, just wondering: has there been a case related to iCloud access where Apple has ever blacklisted someone? Certainly I've heard of Meta and other companies doing so, but I don't recall Apple outside of the security confirmation issues people are having.
If you have 2FA and lose all your 2FA methods, and didn’t preplan by making a recovery key and storing it in a safe place you can find again… you can be screwed. It’s not a blacklist, but the net result is the same.
I’m terrified of losing access to all my stuff because of forced 2FA I never signed up for. I get that it’s more secure, but it can be secure to the point of having unrecoverable data. All it would take is someone carelessly deciding to get a new phone number. I have a friend who recently talked about wanting to get a new number with his new phone. I asked about 2FA and he seemed to have no knowledge of it and said he didn’t have anything like that. He kept his number, but if he didn’t, I could see him easily getting locked out of his Apple account (which he has), and his bank.
Setting up a recovery key for an Apple ID is optional. You can still recover your Apple ID. Apple will ask for information that can identify you, like previous iPhone passwords etc. If you have hit your head against a wall and can’t remember literally anything, AFAIR you are asked to wait some <1 week amount of time before being able to access, to prevent account fraud. The process is so complex and evolving I’m probably wrong on many things, but the idea is: Apple ID isn’t a footgun for the user.
If you have recovery keys enabled, it’s a different story. Enabling screen clearly states that you can get locked out of your account without your recovery key. You can set up recovery accounts too, like those of your family members.
Apple blacklisted Parler in January 2020. Of course, they were an app store app, not a user, but they established the precedent that they ban for political views they don't like.
You don't, that's the whole Apple strategy: lock in your average younger, non-technical person so much that they find it 'an ick' to have to interact with an Android user.
If you go all-in on an ecosystem there's going to be pain if you decide to jump to another ecosystem. You can avoid some of that by using 1Password (I'm sure there are others as well). It integrates just fine with iOS.
It doesn't, but I've used Apple stuff for going on 25 years now and it is doubtful I will care to move to something different any time soon, so it works for me.
Always the tradeoff with Apple is choice and flexibility versus a seamless and pleasant user experience.
Anyone else feels that the double clicking of the side button doesn't feel ergonomic? It doesn't feel right to me when doing it. I end up holding it like a gun, and then double clicking it, as in the default pose of holding a phone, my thumb is unable to double click.
Agreed, but I almost feel like it's supposed to feel a little weird to avoid accidentally buying things. Either way, if you want to make it easier, there's an option under Settings > Accessibility > Side Button. You can adjust the speed required to register a double or triple click.
Order pizza, pay with virtual card. Payment provider needs 3FA+Captcha, one of the factors is email which is another 2FA challenge. Disclosing the card details once logged in prompts for another 2FA, finally VISA also challenges you with a recent payment question. Insanity.
It's pretty annoying that they load all this pain and suffering onto the user who's just trying to make a purchase, when the company's database is often the weakest link.
This is fascinating to me. Why do we have to go through all these hoops with the bank and somehow, when the credit card # is eventually and ineluctably leaked, the thieves have no problem using it to make purchases, without going through all these 3FA etc.?
Apple Pay when available is about as low friction as you can get. I know it isn't available to everyone but there should be some similar standard that is. Near seamless.
I’m a happy ApplePay user, but you absolutely do have to give them your (card) information upfront through the whole adding your card in the Wallet app.
That being said, I feel the parent’s viewpoint is naively idealistic, the payment industry is huge with many players and most attempts at new standards or interoperability are by people trying to get a cut of the action, no one is going to adopt a new standard unless they feel they absolutely have to.
ApplePay is pragmatic in that it largely hooks into the existing CC systems and thanks to Apple’s market size they have enough clout to convince people it’s worth the effort.
A whole new standard just for the “general good of the public” will never get any traction without regulation, and in places like the U.S. where bribery is essentially legal (so long as you call it lobbying), any new regulation like this faces an extreme uphill battle to being introduced except where someone standing to make lots of money is behind it.
> I’m a happy ApplePay user, but you absolutely do have to give them your (card) information upfront through the whole adding your card in the Wallet app.
Do you actually have to give them the card? Or is it only stored somehow on the phone? I wonder how this works exactly.
When I replaced my old iphone with a new one, I did the whole "transfer everything" dance. Waited around for two hours (didn't restore from icloud, but transferred from old to new), and still had to manually add my CCs to Apple Pay again.
My experience is that you can start the process by entering your credit card details, or use your camera to try fill them in for you.
Apple then checks if your card issuer has ApplePay enabled and if so provisions a “virtual” card which is what is stored on the device’s Secure Enclave.
I also just checked my banking app quickly which can initiate the adding of the card to wallet, showing the wallet’s add card screen with the card holder name and the last 4 digits and asking if you want to proceed.
There is no way to see what the full virtual card number is, so there is no way to use this virtual card aside from tapping your phone on CC machines or using websites which have set up ApplePay as a payment method.
CC machines don’t actually have to support ApplePay specifically, as long as it supports tap to pay without insisting on a PIN, then ApplePay works with it. In essence your phone’s NFC exactly implements the same capabilities and protocols as NFC chips on normal credit cards.
> CC machines don’t actually have to support ApplePay specifically, as long as it supports tap to pay without insisting on a PIN, then ApplePay works with it. In essence your phone’s NFC exactly implements the same capabilities and protocols as NFC chips on normal credit cards.
IIRC it's not exactly the same. One user-facing example where things are different is that contactless payments with a regular credit card have a 50 € maximum. If there is a limit when paying with the iPhone, it's much higher.
I also seem to recall that the merchant's payment contract must support this, but I'll have to confirm with a colleague. Although Apple Pay support is very common where I live, it did happen a few times that some restaurant's terminal accepted VISA contactless but not Apple Pay.
I've also had a situation where my CC is set up to not allow payments outside my country. Payment with Apple Pay was denied as being "out of country", whereas the physical card worked fine. The store is from a big national chain, in the heart of the capital city.
I’ve used ApplePay on CC machines which were clearly made before ApplePay even existed.
I’m pretty sure that the limit amount before PIN verification is required is embedded in the NFC, or checked online or something. Both my credit cards have limits of R500 (~26USD) after which it requires I enter my PIN after tapping it.
For one of my credit cards I’m able to pay it off with my other credit card and I have in the past tapped my iPhone to do so for payments over R50,000 (~2600USD), I don’t think there’s a limit.
However, the biggest grocery retail chain here initially had a very annoying “custom” rule on their CC machines where it would ignore the card limit and insist on asking for PIN for any payments over R500, which would cause ApplePay tap attempts to auto decline, they eventually fixed this.
The out of country issue sounds like a configuration issue with your bank or that particular merchant. My cards by default disallow use out of country and I’ve never had an issue tapping anywhere with ApplePay.
Seems like parsing semantics. "Pre-given them" - are you giving it directly to apple.com? No. You're putting in your hardware, true. And... somehow... it makes it to all your other apple devices.
Apple Pay is one of the (few) things where that is not the case. New phone = manually re-adding cards to Apple Pay. Get an Apple Watch? It does not get your Apple Pay info until you manually add them to the watch.
I have access to card data in macOS safari that I entered on my iPhone. I don't double enter it. I do know if you disable security on the phone, you lose the card info and have to readd.
It's just a credit card though? Seems like a weird distinction when those details are intended to be given out. I presume if you're using one-time cards you're not using Apple pay at all. Plus you need the CVC code and such to re-auth them on new devices.
Apple has issues with privacy, but I don't really see how this is one of them.
That's just because they already have all of your identification, shipping, and payment information stored. Apple Pay isn't quite one-click fast, but it's damn near a miracle for one-off purchases from retailers you don't normally use. I've definitely made purchases I'd otherwise have walked away from (I'm pretty selective about who gets my credit card number).
Well, I was maybe a little unfair because the competitors have at least partially “caught up”, but at one point, of Domino’s, Pizza Hut, Little Caesars, Godfather’s, plus a couple online pizza store SaaS used by smaller local chains, Domino’s was the only one that would interrupt me to make me click “no thanks” to some offer or other before proceeding, including during checkout. Multiple times per order, in their case—they’d do it once or twice in the checkout flow, plus sometimes after adding an item to the cart. I dropped them from the “oops we failed at getting dinner ready, what can be delivered and is cheap-ish?” rotation for a while over it.
They’re still the worst about it AFAIK but more of their competitors now do that at least once an order now, too, so the difference isn’t as large.
Off topic: once worked at a company that built a "domino tracker" of some security service we were installing on customer hosts. The company spent more time and money on the tracker than the service installation. The installation tooling failed most of the time and threw errors out for "ephemerality". Good times.
I worked in a Pizza Hut delivery place when I was in college. I just took my son back for a campus visit and yeah, 30 years later, it's still there - same location and save a few minor changes, the building still has the exact layout. A testament to whoever laid out the original floor plan.
The idiots removed the 1-click checkout feature and replaced it with a dropdown to choose which address to deliver to, but it no longer ties that address to a payment method.
I’m not even embarrassed to say last night I went to check out, saw there wasn’t an Apple Pay option, waited through about 2 minutes of waiting for the credit card details panel to open before bailing.
If it took two minutes for a credit card form to open up that's clearly a site problem, and would likely have been just as broken even with an Apple Pay option.
Not sure if this is your experience, but when I broke a chunk out of my Samsung screen and then went to AT&T to trade for another Samsung, keeping the same phone number, I can't receive a two factor security code by text. Even after calling AT&T and being told that the traded in phone is "dead". So now I have to receive a call for security codes.
That's weird. I just log in with my fingerprint only, and my PayPal is linked to my eBay. I don't even think I enter a second password or fingerprint to pay. Also, what the what is this? "I'll just key in my 12 character, randomly generated password..." Key in? Seems like you're making your own life hard! ;-)
There are things you can do to make it easier. My phone sends all notifications to my desktop, and I have an app on the phone that creates a notification when it recognises a code in the SMS, so all I need do is double click on the notification (to select the entire "word" that is the code) then paste into the site I am verifying to.
There are also authenticator browser extensions so you do not have to use a phone app for those either.
The software I use for the SMS codes is KDE Connect and SMS code.
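The "recognise a code in the SMS" step described above, as an added example that is not the commenter's tooling and not part of KDE Connect or the SMS code app: a small extractor that only fires on messages that look like a code delivery, refuses digit runs glued to hyphens or more digits (phone numbers, dates, order numbers), and when several candidates remain picks the one closest to a keyword such as "code". The sample messages are constructed for the example, not real notifications, and the keyword list is an assumption you would tune for your own services.

```python
import re

# Words that mark a message as carrying a login/payment code (assumed list, tune per service).
KEYWORD_RE = re.compile(r"\b(code|passcode|otp|pin|verification|one-time|2fa)\b", re.IGNORECASE)

# A code is 4-8 digits, or two 3-digit groups split by a space or hyphen ("738 201").
# The lookarounds reject digits attached to further digits or to a hyphen, which drops
# phone numbers like 555-0100, dates like 2024-05-01, and long order numbers.
CANDIDATE_RE = re.compile(r"(?<![\d-])(\d{3}[ -]\d{3}|\d{4,8})(?![\d-])")


def extract_otp(message: str):
    """Return the most likely one-time code in an SMS body, or None if it carries no code."""
    keywords = [(m.start(), m.end()) for m in KEYWORD_RE.finditer(message)]
    if not keywords:
        return None                      # shipping notice, reminder, marketing: never a code
    best, best_dist = None, None
    for m in CANDIDATE_RE.finditer(message):
        # distance from this candidate to the nearest keyword, on either side
        dist = min(min(abs(m.start() - k_end), abs(k_start - m.end()))
                   for k_start, k_end in keywords)
        if best is None or dist < best_dist:
            best, best_dist = re.sub(r"[ -]", "", m.group(1)), dist
    return best


SAMPLE_SMS = [  # constructed examples, not real messages
    "Your eBay security code is 482913. It expires in 10 minutes.",
    "PayPal: 738 201 is your security code. Don't share it with anyone.",
    "Questions? Call 555-0100. Your verification code is 29184.",
    "Your order #20231118 has shipped and will arrive on 2024-05-01.",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(repr(extract_otp(sms)), "<-", sms)
```

The keyword gate matters more than the digit pattern: without it the order-number message would yield "20231118" and the notification would happily offer to paste a tracking number into a login form.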
We shouldn't have to work installing & maintaining an awkward flow with random software to make buying experience less miserable. This should be fixed by the seller in the first place, where it makes sense and can be fixed easily and reliably.
eBay is responsible whatever partner they are choosing. They knowingly picked PayPal. If the integration is terrible, they can work on this with their partner and maybe find a common way to establish trust.
The seller is motivated to make the buying process as easy, fast, and uncomplicated as possible. This is a direct correlation with how many things they sell, and in response how much money they make.
On the other hand - consumer opinion and regulation forces them to ensure that the buying process is secure, that someone else isn't buying things on your account, that they have proper logging of what goes on, etc.
The seller shouldn't "Fix" the buying experience by removing the security aspects of it. They should fix the buying experience by using modern authentication like passkeys and ensuring that their applications and sites support password managers.
In general I agree, but KDE Connect is not random software and it's fucking awesome, especially if you are a KDE user, for a lot of reasons. The use-case described in the grandparent is just one of many handy things available via KDE Connect
I use GNOME: the gsconnect extension on my laptop, the kdeconnect app on my mobile devices. They can even share data and files between themselves without going through the laptop, ring another one when I lost it somewhere at home, control the media playing on another device or my laptop.
Installing and maintaining is not awkward. Most people seem to install lots of random apps, so why not something useful.
Of the two applications I use for the SMS flow, one is generally useful to have anyway. The authenticator extension or an app is absolutely necessary for this type of 2FA and the alternative to some app is to not use 2FA at all or use SMS authentication.
Really interesting, here in Mexico I think that's unheard of, what I have to use is a digital card with a dynamic 3 digit cvv that's generated on my app.
What actually happens is with 3DS: a merchant gets liability shift. Liability resides with the issuer then. Whether you as a customer can be held liable for damages depends on your jurisdiction and when you report your devices / credentials stolen.
I have a Mastercard branded card issued by the Dutch quasi-monopolist (ICS). Every time I have a transaction with a merchant with ties to NL, they force me to do 2FA using their crappy app.
When I use my AMEX card online it sometimes does an extra "validation" step but as I recall I don't have to interact with it. It's probably checking location, etc, and deciding if further validation is necessary.
Years ago I had to do that sometimes, but I haven't gotten prompted to authenticate my credit card with my bank in quite a long time. I thought maybe it just went out of style, but I guess some people still use it.
I'm in the US, and for some purchases I have to. There's like an iframe in which I have to log into my credit card account, and approve the transaction.
The goal is to cover their asses for when data is stolen. It’s not a matter of “if”, it’s “when”, and they want to be able to point to every obnoxious POS practice they made standard to show they did their best. I’m not making any comments on whether this is good or bad, just that it, to me, explains a ton of the behavior.
The involuntary signup for two factor you didn't want is incredibly annoying. Especially when initiated by a bank or similar financial institution with no warning.
"BTW, for your own safety, we implemented two factor on your account, and tied it to your old phone. Wait, you don't have that phone anymore, cause it was something like a 10 yr old retirement that you never obsessively check? And we didn't give you the option for an email? Or even warn you? Too bad. We now no longer accept logins for your own money."
Payment gateways (paypal, apple, google), in general, do NOT let you cancel individual services and are linked to your CC. Vendors (I'm looking at you, Audible!) constantly hide their account termination under layers of dark patterns. For awhile, I had several ghost subscriptions that I a.) didn't want and b.) couldn't cancel.
My credit card [1] has fundamentally changed my online purchasing experience as it bridges what I feel is a gap between new payment methods (Apple, Google, et al) and classic payment methods (CC).
An ounce of prevention is worth a pound of cure.
When I purchase something online, I create a new one-time card (three taps on my phone) and use that new, valid CC for purchasing. Everybody takes a CC. The card is instantly deleted after purchase, and I don't have to worry about my PayPal account, Apple Pay account, Google Wallet account, ghost subs, account hacks, identity theft -- the works.
>Payment gateways (paypal, apple, google), in general, do NOT let you cancel individual services and are linked to your CC.
Paypal absolutely lets you stop recurring payments unilaterally on their side. I use Paypal for subscriptions wherever it's offered precisely for this reason.
I think it maybe only shows companies you had recent transactions with.
In 2023, I had a fraudulent $0.99 Paypal Automatic Payment for "Domain Name Forwarding - Renewal" from a company (DomainsPricedRight/OwnMyDomain aka GoDaddy) that I last did business with in 2005. Yes, 18 years prior.
I was able to 'deactivate' the 'subscription' on the Paypal site after I noticed the charge but I don't think automatic payments existed on Paypal in 2005 and I'd certainly never signed up for it.
The original 2005 business I did was a one time domain purchase that was transferred to another registrar within a year.
It was real fun to also see on Paypal that I could have been fraudulently charged up to $10,000.
It's kind of scary to think that any company I've done a Paypal transaction with could maybe do the same thing (or any of the companies that eventually acquire their merchant accounts...)
I've been using Privacy.com for this "create single use credit card" for years now. They make money via the interchange fees, afaik, and not by selling your data stream.
I don't know the details of when it is and isn't required. I am asked pretty much all the time for transactions using my Danish cards, and only some of the time for the British cards.
>> I also don't do this on my phone, but on a regular PC.
I do the same. Too many times I've had major issues trying to buy stuff on mobile so I just stopped doing it like 8 years ago. Literally the only thing I pay for with my phone is my hockey sessions via Venmo.
> Clearly, the days when businesses thought online shopping ought to be low-friction are long gone.
I bought some lottery tickets online for a present to myself and the experience was smooooth. No cart, no checkout steps, no need to create an account, there was a QR code right next to the tickets that I had to scan with my banking app to buy them right here, right now.
Businesses don't want online shopping to be high-friction, but thankfully consumer opinion is pushing more for security and less for making it as easy as possible to buy stuff online.
I'll happily take this shit-show cacophony of various 2fa methods and authentication types if nobody is stealing money from my bank account or ordering stuff on ebay on my behalf.
The flip side of this - is that if companies properly setup auth and allow you to use username+password (or passkeys) and a TOTP method then this is all basically copy/paste from your password manager or verify on your phone and the process is super easy.
> I'll happily take this shit-show cacophony of various 2fa methods and authentication types if nobody is stealing money from my bank account or ordering stuff on ebay on my behalf.
Even better: I wouldn't care about people stealing money from my bank account if cleaning it up and making whole was my bank's responsibility and not mine or some hapless vendor. Neither I, nor store vendors should have to put up with the "shit-show cacophony." The bank's entire reason for existence is to secure access to my money--it should be entirely their problem.
They want mandatory macrobugs (aka smartphones, the bug not paid for and carefully placed by those who want to spy, but the one paid for and babysat by the spy target) for anyone, so if you use a desktop you are a threat and you need to be not in comfort...
PayPal is my first choice and if I go to check out on your store and you don't have PayPal as an option, the chances I abandon my cart if I don't have my wallet just went up exponentially. I use it as a buffer between me and the provider. Everything goes through a credit card so I still get the points/miles I would get entering the card directly. Except now they don't have a credit card token they can keep charging forever. They have a PayPal token that I can log into PayPal and immediately revoke, asynchronously, without involving the merchant or my credit card at all.
I don't need to worry about my details still being with that merchant. I don't have to worry about the merchant's convolution and likely-illegal cancellation process. The only negative I can think of is that any dispute has to go through PayPal, and while I've never done it I would bet money they are going to be skewed more in the merchant's favor than the credit card company. But that being said I have had fully legitimate chargebacks (as in not "I want a refund and they said no" but "this is a fraudulent charge I never agreed to") get denied and reversed by Discover so that's not a 100% certainty either.
I never receive money through PayPal so while I've read all the same horror stories everyone else has, that doesn't seem likely to affect me. My biggest gripe is the full-screen advertisement for whatever service they're pushing every time you log in on the website.
And tied to a direct bank account, requiring you to use cash and lose any CC benefits. I use Privacy for things I know I only want to charge once (e.g. $1 trials or things of that nature) but not being able to charge a CC with Privacy is a big blocker most of the time.
I'm saying I get rewards when I use PayPal (because everything ends up on a credit card anyway with added privacy/control benefits compared to using the card directly), so a solution where I don't get those rewards ends up being second-class. I also haven't had issues with PayPal that [many] others have, so there could certainly be a scenario where that changes.
Up until not so long ago that was the easiest "payment wallet" to have around.
Want to have charges go direct to your bank for 2 weeks ? you move it up on the list.
Want to try a new card but are not sure you'll keep using it ? add to the wallet and move up or down depending on how much you want to use it.
And it also managed subscriptions.
It is now a steaming pile of garbage for so many reasons, and it has always been a death trap for any small merchant, but they gave a fairly good shot at the wallet side of things. Good luck getting Nintendo for instance trust any other third party wallet system.
Because I don't want to give the credit card details to every site out there.
And because the Resolution Center works wonders with merchants who are not being forthcoming to resolve your problems.
I once had an issue that a merchant had delivered less than half of the items that I had ordered. I contacted them and they requested (after 2 days) proof that I had not received the items. I could only produce the photo of the opened package which was clearly too small to contain everything they were supposed to deliver and the weight in the package label that clearly was too little for everything I was supposed to get. They tried to stall asking for proof that I had not received a second package with the rest of the missing items. (How can you prove a negative?)
I got fed up and opened a refund ticket with PayPal describing the problems and within 30 min the merchant contacted me promising to send the missing items and refund 20% of the cost if I closed the ticket in PayPal.
No, I asked the merchant to commit to resend the missing items inside the Resolution Center and resolved the issue only after the items arrived.
The aim is not "profit" but to get the deserved attention and bypass clear stalling tactics like having to prove a negative.
Needless to say, I did not ever use that merchant again.
If you use a password manager (which they say they do) it's much quicker to just save that info and automatically populate it. Doubly so considering the MFA hell they went through.
Too many sites have broken forms. Sure, you can have the card autofilled but maybe it doesn't trigger the autofill for the address or maybe that wasn't even loaded yet. Maybe you can just click there and have it auto-fill but they can be so broken it doesn't autofill completely or fills wrong. Some sites are smart enough to have a checkbox for "shipping address is the same as billing" and others aren't.
When you use a 3rd party payment provider like PayPal it does a really good job of forcing all of this to be automatic compared to things trying to autofill custom forms just because it's integrated by the site instead of the user. MFA hell is starting to erode that actually being easier though and now there is more and more often no simple approach left.
Yeah, CC autofill is nice but fails about 1/4 of the time. It doesn't include the security code either. A few sites will also have finicky inputs, like accepting spaces but rejecting the payment if you use them.
Sometimes there's no choice, usually for international purchases. eBay used to also prefer PayPal somehow, idk how it is now. I know that some Etsy sellers are PayPal-only.
Sounds like you've got some unusual configuration options turned on or something.
The most glaring odd thing here is that you apparently don't have your password vault available on the same machine you're shopping from, which seems odd to me. Even so, if I went that route it'd still be easy b/c with the Apple ecosystem, the clipboard is shared between devices. One can copy a password from the phone and paste it on the Mac.
The tl;dr here is that I really don't understand why you had to retype your password. I never type my strong passwords. Why would you put yourself in a position where that's required?
Finally, when I pay via Paypal using my Amex, I never have to re-auth to Amex. It just flows through. So it sounds like that's something you've chosen to set up, not something inherent to the process.
Opening your password manager and displaying the strong password openly on the screen while manually retyping it on a different machine - rather than just installing the password manager on that machine - definitely sounds like a "why are you doing that?" kind of thing.
Likewise I've used a half dozen different cards and multiple bank accounts through PayPal for the last couple decades and can't remember the last time I've had to reauth on any of them during a checkout.
> Opening your password manager and displaying the strong password openly on the screen while manually retyping it on a different machine - rather than just installing the password manager on that machine - definitely sounds like a "why are you doing that?" kind of thing.
That one's on me, yes. The Yubikey I needed to unlock the password manager on the PC was upstairs and I couldn't be bothered to get it, so I used my phone instead.
(Why was the yubikey upstairs? Well you see, that's where the fireproof safe is. But I can't blame ebay for that, so I didn't mention it)
> Opening your password manager and displaying the strong password openly on the screen while manually retyping it on a different machine - rather than just installing the password manager on that machine - definitely sounds like a "why are you doing that?" kind of thing.
If the machine with the passwords is less exposed it's on average a lot safer (but now you have the problem of keyloggers of course)
> Finally, when I pay via Paypal using my Amex, I never have to re-auth to Amex. It just flows through. So it sounds like that's something you've chosen to set up, not something inherent to the process.
To be fair to the parties involved, they might well blame "EU strong customer authentication rules"