Cake day: June 16th, 2023

  • 2a. No 2fa, so this is a reduction in my current security

    That’s open to interpretation. Your current solution you thought was secure, but you used a service that as it turned out had bad security practices, which you just didn’t know (arguably couldn’t know). ANY online/cloud service that you don’t host yourself has this issue with being a black box of unknown quality. Any online service you do host has to be secured by you (or you need to trust that the base setup of that tool is “sufficiently secure”), and is in essence limited by your knowledge of the tool and technology used. Also if you’re reusing any passwords, anywhere, just stopping that practice is likely more secure in practice compared to 2fa in isolation.

    2fa in general isn’t just plainly “better” than not having it, security is rarely this black and white. It also depends on what is allowed to be the “second factor”, and since yours included SMS, it really wasn’t secure at all (like others have also mentioned in this thread). And it depends on the password of course. For example if you use a really secure password (30+ characters), and don’t reuse it, it will in practice be more secure than a short(ish) password and a 2nd factor that allows SMS. Generally 2 factor is used as a term for 2 categorically different authentication methods: one thing you know (password, pin) and one thing you own (phone, physical device/key, or a file works too). The problem is that SMS doesn’t require your phone. It’s incredibly easy to get the SMS without having your phone (even easier with physical proximity) or flat out faking owning your phone number (depends on a lot of factors how easy or hard that is in practice, doesn’t require physical proximity). Basically, if someone actively targets you and/or that account secured by SMS 2fa, it isn’t overly hard, but it’s good enough at preventing giving access through a data leak for example.

    So, back to the security of “solution 2a”: how would someone get access to a long password you don’t use anywhere else, that isn’t written down anywhere (or nowhere accessible), and where you essentially never need to use/access the account in the first place? Nobody would even know that whole account exists unless you specifically tell them, let alone knowing how to get in. Note that this can also be combined with the concept in solution 4, so you’re then using it to only restore a single 2fa code. So that “safety net fallback account” very rarely needs to be updated with a newer Aegis-Backup, making it even more obscure/unknown. That 2fa code then lets you access your normal account and backups, and you restore the full suite of 2fa you need.

    It boils down to this: local 2fa with a backup means you need to get access to a single file to securely restore full access to everything. That file can be transmitted insecurely (due to strong cryptography and hopefully a good password not used anywhere else), but I wouldn’t store it out in the open either. On the other hand, any cloud based solution is an inherent black box. You trust them to properly do things, and you only know they didn’t once it’s too late (like Authy). It also means they are, by nature of what they do (storing account access information), a target and if the attacker is successful, you’re the collateral without having been explicitly targeted. Maybe there are services out there that let third parties audit their security and publish the results, but I don’t know of any and it would probably increase the price by a prohibitive amount for most people.


  • Well I thought this was kinda obvious what I meant, but I guess not. What you say is a requirement (sms recovery of a cloud account) is just one of many solutions to your specific problem. I’ll just list off a few solutions below that involve neither SMS (the most insecure communication method in common use today) and only optionally a cloud account. For simplicity’s sake I’ll stick to Aegis, where you can create password-protected local backups you can then put wherever you want. This password needs to be very strong for obvious reasons: I would recommend a long sentence (40 characters or more) that you can just remember, like a quote from a movie/tv show/book/poem or something, including normal punctuation as a sentence for example.

    Solution 0: This is more of a trivial solution I wouldn’t actually recommend. You can allow account recovery via eMail and have your eMail not use 2fa, but a long/good password so you can login from memory (see above). This is probably more secure than SMS for the recovery-case, but less secure for the everyday use case of eMail, therefore “not recommended”.

    Solution 1: USB Sticks are tiny, as in the size of a USB port (slightly longer but slimmer for USB-C). If you want to have a backup “on you”, I’m sure you can find a place where it wouldn’t get robbed with the phone/wallet. A tiny pocket somewhere, a string around your ankle, make a compartment in your shoe, or just have it with your luggage at the hotel. I’m sure you get the point. You get your new phone, you plug in the USB, you install Aegis and restore the backup.

    Solution 2a: Dedicated “online” storage. This can be self hosted, or a free account of any cloud provider, but the important part is that it does NOT require 2FA and you do NOT use it for anything else. You have the backup in there. It also needs a very secure password (again: long, but easy to remember, no garbled letter nonsense), but obviously not the same as the Aegis-Backup. So you now need to remember 2 long passwords. You get your new phone, you log in, get the backup and proceed as usual.

    Solution 2b: If not having 2FA is not an option for the solution above, you can have a friend/family store the 2FA on his phone. To log in, you go to the login page and enter your password (which your friend doesn’t need to know), and you ask him over the phone for the current 2FA-Code, which he tells you and you can log in, download the backup and proceed as above. I assume such a high security isn’t that critical, since you have been using something involving SMS. Restore then goes as per usual.

    Solution 3: Store the whole backup with a friend and when you need it he just temporarily puts it somewhere you can access, and removes it again after. Since the backup is protected by a monster of a password, and the accessibility is temporary anyway, this isn’t security critical.

    Solution 4: If you absolutely must, you can find a cloud-provider for 2FA, and use it only as the “first stage”. The only 2FA code in there is the one you need to get access to your main online storage/account where you then have your real Aegis-Backup and/or other files. Obviously this service would need to allow you to login without 2FA, and the usual password rules resulting from that apply. You can just add the 2FA of your primary service to more than 1 app or service, or if it allows for this, you can generate multiple authenticators so you can also revoke them separately if needed.

  • Well to my knowledge there are (or at least were) workarounds to get win 11 to install anyway. It of course worked fine, despite saying it needed a TPM and/or specific minimum CPU.

    From an eWaste perspective Microsoft’s decision to force literally millions of PCs into fake obsolescence is obviously horrible. And I honestly have no idea what their motivation even was for this.

    As for trying Linux, these days it really isn’t even a weekend. Sure if you want to tinker and learn, you can invest a weekend. But if you want to just use the PC just pick any of the commonly recommended distros and just go. It’s installed in minutes and you can honestly just use the PC for whatever you used to use it before. Just backup/move your data off it and you got nothing to lose but like an hour, if it really doesn’t work as you need it to.

  • You clearly misunderstood my post. Never said it was apples to apples, quite the opposite. I said the change from 7 to 10 was much bigger (and yes, we’re ignoring Win 8 completely).

    And of course there will be an uptick in Linux usage, he says it would be a “big” one, to which I objected. Linux desktop has been trending up for a while, and while there might be a slight additional bump, I highly doubt it will be far beyond the margin of error for that general positive trend.

    I also said it “barely” moved (it being the market share), which implies it did move, just not a lot.

    More to the expected magnitude of the 10 EoL date pushing people to Linux, it won’t be anywhere near what valve accomplished with the steam deck. Why? Because people buy a gaming console, they can play games on. Most don’t care that it’s Linux, it’s just a tool/toy. It happens to be Linux underneath. On their PC they actively have to change it themselves. If people bought a PC that had Linux on it, they probably wouldn’t overly notice or care either, but they just can’t. Overwhelmingly they just come with windows, whether you want it or not (usually there is no option to not buy that license).

    Edit: what is harder to predict (or guess) is the indirect influence of valve’s accomplishment. Now that gaming on Linux is actually viable, this might actually open the door for more people to give it a go. But as per usual with these things, it’s probably less people who actually do it than one would intuitively expect or hope.

    Edit 2: changed Vista to Win8

  • They have some shady (or at least questionable) enough actions in their past, some even covered by mainstream media, that made me dismiss them as an option. I went with the German hosted mailbox.org instead. Swiss law (where proton is hosted) is actually quite a bit less protective of privacy than EU/German law, or maybe just protected in other ways. The international reputation of privacy protecting character of Swiss law seems to be outdated?

    Just to be clear, I can’t remember exactly what the specific events were that caused me to reconsider back when I switched years ago. When I just did some quick (!) searches just now, I found statements that they would only record ip addresses in “extreme criminal cases”, but examples include cases of trespassing and property damage. Not exactly child molesters and serial killers (example source). I also understand that the (Swiss) laws relevant to them probably forced them to, but at the very least that seems dishonest or misleading advertising.