Hacker News | minty_phoenix's comments

Server use is typically its own license category. At the company I worked for, their server licensing was based on the number of server CPUs (technically only those actually used by the service using the font) and was valid for a year, meaning you’d have to re-up annually.


I don't understand why your comment is downvoted because it's absolutely correct (for most type foundries anyway).


Each of StackExchange's sub-sites has its own cookie consent management. That said, once I make my choices initially on each one, I haven't had any issues with them popping up again (I'm also signed in, which could impact things).


The original article only discusses that a specific, non-standard (to me, at least – probably made more sense for IT departments) method that Mozilla is calling ‘sideloading’ will be disabled. Per the article, ‘sideloading’ is defined as putting an extension file in a special folder that results in all instances of Firefox on the machine automatically loading that extension.

In the page yorwba linked, it shows how to generate a signed XPI file that can be distributed and installed locally from that file in a more conventional manner (e.g. drag & drop the file onto Firefox’s Add-ons page).


> probably made more sense for IT departments

Yes, the older method of extension side-loading, supported at some point by Edge, Chrome, and Firefox, was for IT departments who created OS deployment images with software (incl. extensions) burned into them. Usually this was combined with Group Policy / Device Profile settings that made the extensions impossible to deactivate or remove ("force enabled") and potentially blocked any extensions other than those preinstalled.

I believe that all the browser makers have, at this point, reached a consensus that deploying extensions directly as on-disk files this way makes it 1. too easy for malware to just set itself up as seemingly "deployed by Group Policy"; and 2. makes it too hard for these extensions to be updated as often as they might need to be, or disabled if the browser-maker declares incompatibility with an API in them, etc.

What all the browser-makers seem to favor nowadays, for IT departments who want to do OS-image deployment, is an approach where the burned-in Group Policy will just list out a set of extension IDs that are to be force-installed and force-enabled; and then the browser itself will do the work of retrieving and installing them (but will still treat them like any other extension as it goes through the install process, vetting it for compatibility, upgrading it through its registered upgrade channel, etc.)

This means that every extension in these browsers now has to live in the browser's extension store—even if it's a private, just-for-your-own-company extension. (Which, honestly, there's not much to be said against; the "enterprise deployment" parts of app-stores don't usually force developers to go through pre-vetting before new versions are published or anything. It's just cloud hosting—with the proviso that, due to having download logs, the app-store can see if your "enterprise extension" has an install profile that looks more like that of a virus rather than an enterprise, and then blacklist it.)

Here's Google's documentation on the Group Policy settings that modern Chrome looks for, for comparison: https://support.google.com/chrome/a/answer/7532015?hl=en. Probably Firefox wants to move toward a similar model. And more power to them, honestly; right now, Firefox's extension ecosystem is far too easy a target for malware authors.
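An added example, not part of the comment above: a defender-side audit of a Chrome `ExtensionInstallForcelist` policy (entries of the form `id;update_url`), flagging force-installed extensions that IT never approved or that update from outside the store. The sample entries, the approved list and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Chrome Web Store update endpoint; Chrome assumes it when an entry has no URL.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
EXT_ID_RE = re.compile(r"^[a-p]{32}$")  # extension IDs are 32 chars in a-p


def parse_forcelist_entry(entry):
    """Split an 'id;update_url' policy string into (id, update_url)."""
    ext_id, _, url = entry.strip().partition(";")
    return ext_id, (url or WEBSTORE_UPDATE_URL)


def audit_forcelist(entries, approved_ids, approved_update_hosts=()):
    """Return (entry, reason) findings for force-installed extensions to review."""
    findings = []
    for entry in entries:
        ext_id, url = parse_forcelist_entry(entry)
        if not EXT_ID_RE.match(ext_id):
            findings.append((entry, "malformed extension id"))
            continue
        if ext_id not in approved_ids:
            findings.append((entry, "id not on approved list"))
        parts = urlsplit(url)
        if url != WEBSTORE_UPDATE_URL and parts.hostname not in approved_update_hosts:
            findings.append((entry, "update URL outside store/approved hosts"))
        elif parts.scheme != "https":
            findings.append((entry, "update URL is not https"))
    return findings


# Constructed sample: values as they would be read from the policy store
# (on Windows, HKLM\Software\Policies\Google\Chrome\ExtensionInstallForcelist).
SAMPLE_POLICY = [
    "a" * 32 + ";" + WEBSTORE_UPDATE_URL,                   # approved, store-hosted
    "b" * 32,                                               # approved, URL omitted
    "c" * 32 + ";https://updates.example.invalid/ext.xml",  # never approved
    "not-an-id;" + WEBSTORE_UPDATE_URL,                     # malformed entry
]
APPROVED_IDS = {"a" * 32, "b" * 32}

if __name__ == "__main__":
    for entry, reason in audit_forcelist(SAMPLE_POLICY, APPROVED_IDS):
        print(f"{reason}: {entry}")
```
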


Many services offering 2FA, esp. TOTP, will give you a set of backup codes – print/store them separately, safely (using the rule of backups). At the very least, Google does and allows you to view the existing ones and I think regenerate new ones on-demand as long as you can currently securely access your account.

The same can be done with security keys – typically you can add more than one to your account so have at least two and keep one stored safely somewhere.

Sadly, I recently set up an AWS account and, from what I could tell during that period, they support TOTP/hardware keys, but you can seemingly only pick a single 2FA method – so either TOTP or one single hardware key. That’s a service I would have expected better from (or perhaps I am misunderstanding my settings panel where I can’t find a way to add another factor – I am rather new to managing that ecosystem/account).


I think that you are intended to use AWS as described in this comment [1]. Even if you are a one person operation, you can create those separate IAM accounts for admin and normal use. Once you have this hierarchy of accounts in place, it is fairly straightforward to deal with a lost hardware key.

[1] https://news.ycombinator.com/item?id=21411013


In my organization there are certain operations that we require you to have authenticated with 2FA in order to perform them. For the CLI or Terraform this means using something like awsmfa. There's no way of doing that with a FIDO key.

It would be nice to be able to use a FIDO dongle for the web console and TOTP for CLI tools but the (bad) AWS restriction forcing you to only use one or the other means I'm stuck on TOTP for everything.


I remember having been able to jailbreak my iPhone 3GS for a period of time entirely through visiting a website and letting it exploit such vulnerabilities enough to perform the task. Searching for a related article, it appears to have been possible on iOS 4.0/4.0.1:

https://www.cultofmac.com/53323/jailbreakme-2-0-jailbreaks-i...

Edit: I use ‘letting’ above loosely meaning that the specific website mentioned allowed the visitor to control whether the exploit was actually executed or not.


Bitwarden does offer the ability to use on-premise hosting [1] rather than using their infrastructure to store/sync your data. Admittedly, I personally use their infrastructure so I can’t speak to the experience (config/maintenance/etc.) of their self-hosted offering.

1: https://help.bitwarden.com/article/install-on-premise/


Are you opposed to Google Keyboard/Gboard? It's had gesture typing for a while, and not too long ago added some nice gestures which use the spacebar to control cursor position and backspace key to delete one or more words at a time rather than character-by-character.


Its gesture-interpretation algorithm has gotten absolutely terrible for me recently, to the point that I frequently have to type out whole messages letter by letter because it will keep spitting out really strange guesses when I gesture. (It used to work a lot better, and when I revert to old versions they work great.)

