PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.
The funniest part is that no matter how many security factors we use to replace passwords (two-factor auth, passkeys, security keys, etc.), there's always a backup that's just another password.
Structural security trumps computational security ... or ...
Diffuse structural security trumps amalgamated computational security ...
All your big, strong passkeys in one basket is less secure than your passwords in many individual baskets ...
Trying to explain this to tech bros can resemble pushing a wagon uphill ...
Because they want to sell something, logic is not paramount.
"A password in my brain is generally safer than an app or SMS stream that can be compromised. Although a passphrase may in some cases not be computationally more secure than a token mechanism or two-factor system, the simple passphrase is often structurally more secure because that passphrase only links to and exposes one service target."
"I like to compare it to having one basket of eggs in one spot, and many baskets of eggs in many places. If your one basket of eggs has the master key to all the other stronger keys, is it easier to get the one basket, or the many baskets with weaker keys? So in this scenario cipher strength is not the most important factor for security. With a single basket one fox or pick-pocket or one search warrant can own all of your eggs for all your services."
Google has kicked off World Password Day by announcing that over 400 million users have used passkeys since the tech giant rolled them out, logging over one billion authentications between them.
Passkeys rely on device-based authentication, often using a fingerprint scanner or face recognition, which makes logging in faster and more secure. Despite this, our passwordless future still feels some way off — @theverge considers why.
Apps that will only present the #2FA challenge upon a successful password #authentication — isn’t there a very good point in always providing both, so as not to give any hints on whether the first-factor credentials were correct or not?
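One way to apply the point above in code, as an added example that is not from the original post: a login handler that checks the second factor only after the password succeeds leaks whether the password was right, while one that collects both factors up front, always evaluates both (including for unknown usernames, via a dummy record), and returns one generic failure gives no such hint. The credential store, salt and OTP values are constructed for the demo; a real deployment would use a slow password hash such as argon2 and a TOTP library.

```python
import hashlib
import hmac


def _hash(salt: bytes, password: str) -> bytes:
    # PBKDF2 stands in for a proper slow hash (argon2/bcrypt) in this constructed demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed demo store: username -> (salt, password hash, OTP currently expected).
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash(_SALT, "correct horse"), "123456")}
# Dummy record used for unknown usernames so every path does the same work.
_DUMMY = (_SALT, _hash(_SALT, "dummy"), "000000")


def login_leaky(user: str, password: str, otp: str) -> str:
    """Reveals which factor failed: the OTP is only ever checked once the password was right,
    so the response (or the mere appearance of the OTP prompt) confirms password validity."""
    if user not in USERS:
        return "no such user"
    salt, pw_hash, expected_otp = USERS[user]
    if not hmac.compare_digest(_hash(salt, password), pw_hash):
        return "bad password"
    if not hmac.compare_digest(otp.encode(), expected_otp.encode()):
        return "bad otp"  # reached only when the password was correct
    return "ok"


def login_hardened(user: str, password: str, otp: str) -> str:
    """Both factors are submitted together and always checked; every failure looks identical."""
    known = user in USERS
    salt, pw_hash, expected_otp = USERS.get(user, _DUMMY)
    pw_ok = hmac.compare_digest(_hash(salt, password), pw_hash)
    otp_ok = hmac.compare_digest(otp.encode(), expected_otp.encode())
    # Bitwise '&' rather than 'and': no short-circuit, so both checks run on every request.
    if pw_ok & otp_ok & known:
        return "ok"
    return "authentication failed"
```

The hardened variant still needs rate limiting per account and per source, since a generic failure message does not stop online guessing of either factor.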
> Digital Identities aren’t something unique to the fediverse and it’s not something Mastodon could stop if they wanted to. Nomadic identity is coming to the internet. The only question is who is going to own your identity. VISA/Mastercard, your government, Google, Microsoft, or you.
Worried about account takeover? You're not alone! Attackers often misuse the "forgot password" mechanism to hack us.
Our latest study revealed a game-changer to counter this: Risk-Based Account Recovery! Platforms like Google now tailor recovery mechanisms based on your device and location context, making it hard for bad actors but easy for legitimate users.
Thanks to Recorded Future's Allan Liska for his guest appearance on the latest "Smashing Security" podcast, where we discuss AI religions, recycled mobile numbers, ransomware gangs, and the correct way to pronounce "papyrus".
Jean-Luc di Manno, digital #payment and #authentication solution architect at Fime, and member of the W3C Web Payments #WorkingGroup, presents how Secure Payment Confirmation (SPC) addresses a key issue in the #European payment ecosystem.
"In the same way that Touch ID revolutionized authentication using a fingerprint and Face ID revolutionized authentication using facial recognition, Optic ID revolutionizes authentication using iris recognition."
Fraser will cover how distributed #authentication has evolved, and the place of technologies like #FIDO2 #passkeys and external #OAuth2 providers in the new landscape.
For user accounts that have enabled multifactor authentication, how do you handle self-service password resets? On online platforms, it is usually possible to reset the password via email. I think that is fine for accounts that don't use multifactor authentication. But what if a user logs in with their phone number (they have no email, just the phone) and uses text messages as their second factor? Sending a password reset code via text message would be a bit stupid. This would mean that the user doesn't really have two-factor authentication if you can reset the first factor with the second factor.
I currently do not allow self-service password resets if a user has multifactor enabled. They are required to get in contact with customer support in that case. For our use case this is OK, but it's obviously not very user-friendly. However, I don't really see a solution in the case where the phone number is the primary identifier and second factor. I am interested in some thoughts on the topic.
We really need to do away with this type of authentication.
The tests are often ambiguous. More importantly, they don’t meet accessibility requirements noted in WCAG 2.2. Specifically section 3.3.8 on “cognitive function tests”: