Passwordless: a different kind of hell? (jcarlosroldan.com)
217 points by juancroldan 8 months ago | 379 comments



I recently ordered something on ebay. Nothing expensive, just a £60 item, and delivered to an address I've ordered many things to in the past.

First I had to log into ebay - no problem, got my password manager right here, as soon as I unlock my phone with my fingerprint. Now I'll just key in my 12 character, randomly generated password with mixed case letters, numbers and symbols.

Then ebay decided they wanted to send me a code by SMS. I'd never enabled that security option, but whatever. I can do that, quick fingerprint to unlock the phone then key in the code.

Then I chose to pay with paypal, requiring a second password. And a 2FA code, this time from a TOTP app. For some reason paypal ask for TOTP every time. Easy enough, quick fingerprint auth then just key in the code.

Then I told paypal I wanted to pay by card, as I always do. They redirected me to my bank, who asked me to use their mobile app to authorise the payment with my fingerprint. After unlocking my phone with my fingerprint, naturally.

Clearly, the days when businesses thought online shopping ought to be low-friction are long gone.


Apple makes this experience as seamless as I think it possibly can be. (As long as you use Safari...). All my passwords synced across all devices all the time, instantly available with Face ID or my fingerprint. Apple Pay makes checking out of most online retailers as fast as using my fingerprint or double-clicking the side button on my phone. Passkeys are generally starting to replace passwords on many major sites, making the process even faster.


That whole process in the top level comment is much faster, in practice, on my phone. Everything auto-fills (unless a site manages to fuck up their forms). I don’t typically have to type or manually copy anything, including 2fa tokens. Wait for the notification to ping, “fill from message” option, done.

I can often go through an entire sign-up, entering shipping, and payment, at a new site, without typing a single thing.


This is slower than Apple Pay on the iPhone, I can assure you.


Well, yes (I also use Apple Pay when it’s available—best overall experience by a long shot) but it’s still quite fast and often involves no typing or copy-pasting.


How are you populating non-SMS 2FA codes automatically?


1Password can do this for you, and I assume many other password managers as well.

https://support.1password.com/one-time-passwords/


I use 1Password but opt out of this feature. Just as described in the article, the master password creates a single point of failure, so I don't personally want to put more eggs in that basket.


I keep my unimportant 2FA in 1Password and the really important ones (e-mail, domains, etc.) in a separate 2FA app.

If someone has pwned my 1Password I don’t really care if they log on to my Discord or order a limited amount of crap on Amazon because I am in much deeper shit at that point.


It depends on the set of credentials. Your primary email address, your access to 1Password, things of that nature can and should be stored in a 2FA app on another device. But the majority of 2FA codes for most websites are fine to be stored in your password manager. This way you can enable 2FA on every site you use, without the inconvenience, but you can reserve the extra security of a second device for services that would be critical failure points for you.


Apple hardware can auto-fill 2FA codes if the codes are set up in the Passwords tool on iOS/iPadOS/macOS, which are synchronized through iCloud.


If you use the Bitwarden paid version ($10/yr) then after an autofill of username/password, the TOTP is automatically added to the clipboard.


iOS’s built in password manager iCloud Keychain does this automatically (at least on Safari).


KeePassXC can act as a TOTP client and can fill it just like it does passwords.


That, I don’t, but I only have those on work accounts anyway. None of my work stuff is set up to be as nice as my personal stuff, but that’s mostly outside my control.

Oh, wait: Steam has them I guess. Every so often (once every few months?) I have to type in one of their codes.

I did just check and I guess I could be doing this with non-sms codes if I added them to my password manager. If I had more than just Steam that used them, I’d do that.


How does that work if you want to get an android phone or Samsung tablet or windows laptop at some point?


I love the Apple ecosystem, however I always have a low level of dread that someday I will somehow offend them and be permanently blacklisted. This is the main reason I've drawn the line at using their password manager or email - I use separate email and separate password manager so that in a worst case situation I don't get locked out of everything.


Don't worry, Google actually did lock me out of everything a few years ago, and when you have the pleasure of using their wonderful services you're literally given no information and have to google (hehe) around for a form to send in a picture of your driver's license, to which you will never receive a reply. Your Google account will remain "fraud blocked", and in 4 days you will have switched your entire life over to Apple/iOS, never to deal with no-customer-service Google again.

Then 1 yr later an HN thread will remind you to try to log into your Google SSO and.. bam, it works. And you still have no idea why ALL of your G services (domains, email, gphone, etc.) were disconnected a year ago.


This is why I don't mind paying the 5 euros a month for a Fastmail account. I don't send many emails but it's pretty much the key to the kingdom.


Yup, that's where I'm at now for email.


I used to think the same - custom email domain, passwords managed by myself, but:

1) I've never ever heard of Apple locking someone out of their Apple ID. Maybe they are obligated to do it for law enforcement in the US, but I haven't heard even of that. Meanwhile I've heard a ton of stories of Google locking people out of their accounts.

2) The convenience of using Safari, with 2FA and passkeys set via iCloud Keychain is too good to ignore. Literally 1 click (passkeys) or 2 clicks at most, authenticated with Face ID.

So I'm using this setup right now. You can set custom domains with your iCloud email too.


Not to be argumentative, just wondering: has there been a case related to iCloud access where Apple has ever blacklisted someone? Certainly I've heard of Meta and other companies doing so, but I don't recall Apple, outside of the security confirmation issues people are having.


If you have 2FA and lose all your 2FA methods, and didn’t preplan by making a recovery key and storing it in a safe place you can find again… you can be screwed. It’s not a blacklist, but the net result is the same.

I’m terrified of losing access to all my stuff because of forced 2FA I never signed up for. I get that it’s more secure, but it can be secure to the point of having unrecoverable data. All it would take is someone carelessly deciding to get a new phone number. I have a friend who recently talked about wanting to get a new number with his new phone. I asked about 2FA and he seemed to have no knowledge of it and said he didn’t have anything like that. He kept his number, but if he didn’t, I could see him easily getting locked out of his Apple account (which he has), and his bank.


Setting up a recovery key for an Apple ID is optional. You can still recover your Apple ID. Apple will ask for information that can identify you, like previous iPhone passwords etc. If you have hit your head against a wall and can't remember literally anything, AFAIR you are asked to wait some <1 week amount of time before being able to access it, to prevent account fraud. The process is so complex and evolving I'm probably wrong on many things, but the idea is: Apple ID isn't a footgun for the user.

If you have recovery keys enabled, it’s a different story. Enabling screen clearly states that you can get locked out of your account without your recovery key. You can set up recovery accounts too, like those of your family members.


Apple blacklisted Parler in January 2020. Of course, they were an app store app, not a user, but they established the precedent that they ban for political views they don't like.


You don't. That's the whole Apple strategy: lock in your average younger, non-technical person so much that they find it 'an ick' to have to interact with an Android user.


If you go all-in on an ecosystem there's going to be pain if you decide to jump to another ecosystem. You can avoid some of that by using 1Password (I'm sure there are others as well). It integrates just fine with iOS.


I used to feel this way and used LastPass, which did not end well.


It doesn't, but I've used Apple stuff for going on 25 years now and it is doubtful I will care to move to something different any time soon, so it works for me.

Always the tradeoff with Apple is choice and flexibility versus a seamless and pleasant user experience.


Anyone else feel that double-clicking the side button isn't ergonomic? It doesn't feel right to me when doing it. I end up holding it like a gun and then double-clicking it, as in the default pose of holding a phone my thumb is unable to double-click.


Agreed, but I almost feel like it's supposed to feel a little weird to avoid accidentally buying things. Either way, if you want to make it easier, there's an option under Settings > Accessibility > Side Button. You can adjust the speed required to register a double or triple click.


It's a habit to pick up, I guess. Moving the mouse around feels very weird to people who have never used one before (yes, those exist).


Agree, it's somehow unwieldy... not sure what it is exactly.


I have a similar experience without Apple.

But.

Those synced passwords are a huge, juicy target. Someday, someone is going to get them. This process is a vulnerable mess.


Order pizza, pay with virtual card. Payment provider needs 3FA+Captcha, one of the factors is email which is another 2FA challenge. Disclosing the card details once logged in prompts for another 2FA, finally VISA also challenges you with a recent payment question. Insanity.


Then they store your credit card info in a database and leak it some time next year.


It's pretty annoying that they load all this pain and suffering onto the user who's just trying to make a purchase, when the company's database is often the weakest link.


This is fascinating to me. Why do we have to go through all these hoops with the bank and somehow, when the credit card # is eventually and ineluctably leaked, the thieves have no problem using it to make purchases, without going through all these 3FA etc.?

How is that possible?


Hence the virtual card. I can just discard it after a few purchases. Isn't this enough?


Captcha IMO is way worse in terms of user experience than 2FA. And the only 2FA that I don't detest are app push and TOTP.


Well pizza in particular often has a cash payment option, which I always use for that.


This would be enough to have me drive to the pizza place myself and pay cash.


Apple Pay when available is about as low friction as you can get. I know it isn't available to everyone but there should be some similar standard that is. Near seamless.


Only because you've standardized on their ecosystem and pre-given them all your data. This is not the future we were promised


You don’t have to give Apple your data. It uses information stored on device.


I'm a happy Apple Pay user, but you absolutely do have to give them your (card) information upfront through the whole "add your card" flow in the Wallet app.

That being said, I feel the parent’s viewpoint is naively idealistic, the payment industry is huge with many players and most attempts at new standards or interoperability are by people trying to get a cut of the action, no one is going to adopt a new standard unless they feel they absolutely have to.

ApplePay is pragmatic in that it largely hooks into the existing CC systems and thanks to Apple’s market size they have enough clout to convince people it’s worth the effort.

A whole new standard just for the “general good of the public” will never get any traction without regulation, and in places like the U.S. where bribery is essentially legal (so long as you call it lobbying), any new regulation like this faces an extreme uphill battle to being introduced except where someone standing to make lots of money is behind it.


> I’m a happy ApplePay user, but you absolutely do have to give them your (card) information upfront through the whole adding your card in the Wallet app.

Do you actually have to give them the card? Or is it only stored somehow on the phone? I wonder how this works exactly.

When I replaced my old iphone with a new one, I did the whole "transfer everything" dance. Waited around for two hours (didn't restore from icloud, but transferred from old to new), and still had to manually add my CCs to Apple Pay again.


It's stored on your phone in the secure enclave.


That's what I was thinking, which means you're not actually giving Apple your CC number.


My experience is that you can start the process by entering your credit card details, or use your camera to try to fill them in for you.

Apple then checks if your card issuer has ApplePay enabled and if so provisions a “virtual” card which is what is stored on the device’s Secure Enclave.

I also just checked my banking app quickly which can initiate the adding of the card to wallet, showing the wallet’s add card screen with the card holder name and the last 4 digits and asking if you want to proceed.

There is no way to see what the full virtual card number is, so there is no way to use this virtual card aside from tapping your phone on CC machines or using websites which have set up ApplePay as a payment method.

CC machines don’t actually have to support ApplePay specifically, as long as it supports tap to pay without insisting on a PIN, then ApplePay works with it. In essence your phone’s NFC exactly implements the same capabilities and protocols as NFC chips on normal credit cards.


> CC machines don’t actually have to support ApplePay specifically, as long as it supports tap to pay without insisting on a PIN, then ApplePay works with it. In essence your phone’s NFC exactly implements the same capabilities and protocols as NFC chips on normal credit cards.

IIRC it's not exactly the same. One user-facing example where things are different is that contactless payments with a regular credit card have a 50 € maximum. If there is a limit when paying with the iPhone, it's much higher.

I also seem to recall that the merchant's payment contract must support this, but I'll have to confirm with a colleague. Although Apple Pay support is very common where I live, it did happen a few times that some restaurant's terminal accepted VISA contactless but not Apple Pay.

I've also had a situation where my CC is set up to not allow payments outside my country. Payment with Apple Pay was denied as being "out of country", whereas the physical card worked fine. The store is from a big national chain, in the heart of the capital city.


I’ve used ApplePay on CC machines which were clearly made before ApplePay even existed.

I’m pretty sure that the limit amount before PIN verification is required is embedded in the NFC, or checked online or something. Both my credit cards have limits of R500 (~26USD) after which it requires I enter my PIN after tapping it.

For one of my credit cards I’m able to pay it off with my other credit card and I have in the past tapped my iPhone to do so for payments over R50,000 (~2600USD), I don’t think there’s a limit.

However, the biggest grocery retail chain here initially had a very annoying “custom” rule on their CC machines where it would ignore the card limit and insist on asking for PIN for any payments over R500, which would cause ApplePay tap attempts to auto decline, they eventually fixed this.

The out of country issue sounds like a configuration issue with your bank or that particular merchant. My cards by default disallow use out of country and I’ve never had an issue tapping anywhere with ApplePay.


I agree. No naive ideals here. There should be a standard that makes it easy and private for the consumer. Doesn’t mean it will happen.


Seems like parsing semantics. "Pre-given them" - are you giving it directly to apple.com? No. You're putting in your hardware, true. And... somehow... it makes it to all your other apple devices.


Apple Pay is one of the (few) things where that is not the case. New phone = manually re-adding cards to Apple Pay. Get an Apple Watch? It does not get your Apple Pay info until you manually add them to the watch.


I have access to card data in macOS safari that I entered on my iPhone. I don't double enter it. I do know if you disable security on the phone, you lose the card info and have to readd.


> somehow... it makes it to all your other apple devices.

"Somehow" their information makes it around? No, you have to add them, yourself, on every device you use them from, individually.


No, I don't. If I put info in the phone, it's available on safari on macOS. I'm fairly certain I didn't enter it multiple times.


It's just a credit card though? Seems like a weird distinction when those details are intended to be given out. I presume if you're using one-time cards you're not using Apple pay at all. Plus you need the CVC code and such to re-auth them on new devices.

Apple has issues with privacy, but I don't really see how this is one of them.


The future we were promised is not being curbed by Apple and Google. It is being curbed by rampant cybercrime.


Amazon is probably the lowest and will stay so for a while I guess. They didn't cling to their one click patent for nothing.


That's just because they already have all of your identification, shipping, and payment information stored. Apple Pay isn't quite one-click fast, but it's damn near a miracle for one-off purchases from retailers you don't normally use. I've definitely made purchases I'd otherwise have walked away from (I'm pretty selective about who gets my credit card number).


Dominos has the best checkout experience I ever experienced online. Nothing can beat it IMO, at least nothing I came across.

Now they only sell (arguably mid) pizza, but when I order there it's delightful (to use an overused 2023 marketing buzzword).


They do a lot of interrupting the buyer with up-sell attempts. I'd have singled them out as notably bad, among fast food pizza chains, actually.


Interesting, which ones would be notably good in your opinion?

To be fair we don’t have many fast food pizza chains in my country, it’s mostly dominos and a few small ones (with abysmal online order experience)


Well, I was maybe a little unfair because the competitors have at least partially “caught up”, but at one point, of Domino’s, Pizza Hut, Little Caesars, Godfather’s, plus a couple online pizza store SaaS used by smaller local chains, Domino’s was the only one that would interrupt me to make me click “no thanks” to some offer or other before proceeding, including during checkout. Multiple times per order, in their case—they’d do it once or twice in the checkout flow, plus sometimes after adding an item to the cart. I dropped them from the “oops we failed at getting dinner ready, what can be delivered and is cheap-ish?” rotation for a while over it.

They’re still the worst about it AFAIK but more of their competitors now do that at least once an order now, too, so the difference isn’t as large.


Off topic: once worked at a company that built a "domino tracker" of some security service we were installing on customer hosts. The company spent more time and money on the tracker than the service installation. The installation tooling failed most of the time and threw errors out for "ephemerality". Good times.


Their regular round pizzas are OK, but now that Pizza Hut is gone, the Domino's pan pizza is my go-to.


Pizza Hut is gone?


Nope.

I worked in a Pizza Hut delivery place when I was in college. I just took my son back for a campus visit and yeah, 30 years later, it's still there: same location, and save a few minor changes, the building still has the exact layout. A testament to whoever laid out the original floor plan.


That's because they need you to hurry up and pay for the terrible pizza before you change your mind.

(I too eat Domino's on the odd occasion the app doesn't take long enough for me to change my mind).


In my city they used to have a 25 minute (!) click to door delivery guarantee. Extremely impressive.


baking on the delivery motor


The idiots removed the 1-click checkout feature and replaced it with a dropdown to choose which address to deliver to, but it no longer ties that address to a payment method.


I’m not even embarrassed to say last night I went to check out, saw there wasn’t an Apple Pay option, waited through about 2 minutes of waiting for the credit card details panel to open before bailing.


If it took two minutes for a credit card form to open up that's clearly a site problem, and would likely have been just as broken even with an Apple Pay option.


Good job passing the dice roll to stay out of the special hell where the SMS code never arrives.


Not sure if this is your experience, but when I broke a chunk out of my Samsung screen and then went to AT&T to trade for another Samsung, keeping the same phone number, I can't receive a two factor security code by text. Even after calling AT&T and being told that the traded in phone is "dead". So now I have to receive a call for security codes.


That's weird. I just log in with my fingerprint only, and my PayPal is linked to my eBay. I don't even think I enter a second password or fingerprint to pay. Also, what the what is this? "I'll just key in my 12 character, randomly generated password..." Key in? Seems like you're making your own life hard! ;-)


There are things you can do to make it easier. My phone sends all notifications to my desktop, and I have an app on the phone that creates a notification when it recognises a code in the SMS, so all I need to do is double-click on the notification (to select the entire "word" that is the code) and then paste it into the site I am verifying to.

There are also authenticator browser extensions so you do not have to use a phone app for those either.

The software I use for the SMS codes is KDE Connect and SMS code.
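The "recognise a code in the SMS" step in the comment above is the part that has to be right, since a notifier that fires on every number would surface order numbers and phone numbers as if they were OTPs. As an added example (editor's code, not the logic of KDE Connect, the SMS code app, or any commenter), here is a small extractor run over constructed sample messages: it only considers texts that mention a code at all, handles a vendor-prefixed format ("G-123456") and a space-split code ("771 002"), and rejects digit runs glued to dashes or more digits, which is what phone numbers and long reference numbers look like. All messages are made up for the demo.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample messages for the demo; not real SMS traffic.
SAMPLE_SMS = [
    "Your eBay verification code is 482913. It expires in 10 minutes.",
    "G-123456 is your Google verification code.",
    "PayPal: 771 002 is your security code. Don't share it.",
    "Your order #20391 shipped. Track it at https://example.test/t/20391",
    "Reminder: your balance is $45.00. Call 555-0100 for help.",
    "Use 09177 as your one-time passcode",
]

# Only messages that talk about a code are considered at all, so a bare order
# number or phone number in an unrelated text is never promoted to an OTP.
KEYWORDS = re.compile(
    r"\b(code|passcode|password|otp|pin|verification|security|2fa)\b", re.I)
# Vendor-prefixed style "G-123456": one letter, a dash, six digits.
PREFIXED = re.compile(r"\b[A-Z]-(\d{6})\b")
# A 4-8 digit run, or two 3-digit halves split by a space or dash ("771 002"),
# not glued to further digits or a dash on either side. That rules out
# "555-0100" style phone numbers and 9+ digit reference numbers.
CANDIDATE = re.compile(r"(?<![\d-])(\d{3}[ -]\d{3}|\d{4,8})(?![\d-])")


def extract_code(message: str) -> Optional[str]:
    """Return the OTP found in `message`, or None if it does not look like one."""
    if not KEYWORDS.search(message):
        return None
    m = PREFIXED.search(message)
    if m:
        return m.group(1)
    m = CANDIDATE.search(message)
    return re.sub(r"[ -]", "", m.group(1)) if m else None


def extract_all(messages: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Pair each message with the code it yields (None when nothing qualifies)."""
    return [(msg, extract_code(msg)) for msg in messages]


if __name__ == "__main__":
    for msg, code in extract_all(SAMPLE_SMS):
        print(f"{code!s:>8}  <- {msg}")
```

Whatever pastes the result into a browser should treat it as a one-shot value: clear it from the clipboard after use, since anything else on the desktop that reads the clipboard now has the second factor too.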


We shouldn't have to work at installing & maintaining an awkward flow with random software to make the buying experience less miserable. This should be fixed by the seller in the first place, where it makes sense and can be fixed easily and reliably.


In this case, how is eBay responsible for how PayPal and a bank handles things when they hand it off?


eBay is responsible for whatever partner they choose. They knowingly picked PayPal. If the integration is terrible, they can work on this with their partner and maybe find a common way to establish trust.


Oh, ok.


Think about motivations for a moment.

The seller is motivated to make the buying process as easy, fast, and uncomplicated as possible. This is a direct correlation with how many things they sell, and in response how much money they make.

On the other hand - consumer opinion and regulation forces them to ensure that the buying process is secure, that someone else isn't buying things on your account, that they have proper logging of what goes on, etc.

The seller shouldn't "Fix" the buying experience by removing the security aspects of it. They should fix the buying experience by using modern authentication like passkeys and ensuring that their applications and sites support password managers.


In general I agree, but KDE Connect is not random software and it's fucking awesome, especially if you are a KDE user, for a lot of reasons. The use-case described in the grandparent is just one of many handy things available via KDE Connect


I use GNOME: the gsconnect extension on my laptop, the kdeconnect app on my mobile devices. They can even share data and files between themselves without going through the laptop, ring another one when I lost it somewhere at home, control the media playing on another device or my laptop.


Installing and maintaining is not awkward. Most people seem to install lots of random apps, so why not something useful?

Of the two applications I use for the SMS flow, one is generally useful to have anyway. The authenticator extension or an app is absolutely necessary for this type of 2FA and the alternative to some app is to not use 2FA at all or use SMS authentication.


> My phone sends all notifications to my desktop

Is this a native phone feature or an app? You're lucky if that's the only place it sends notifications.


He uses KDE Connect. I use it as well. It is amazing, open source, and only sends notifications where you tell it to.

https://kdeconnect.kde.org/


That's pretty cool; thanks.


On Mac/iPhone it's built in. Somehow the phone isn't even part of this flow after initial setup, the SMSes go straight to the Mac.


Why do you say that?


I've never had to authenticate with a bank for using a card? Is this common for you?


Really interesting, here in Mexico I think that's unheard of, what I have to use is a digital card with a dynamic 3 digit cvv that's generated on my app.


That’s functionally equivalent.


It's 3DS; I don't know if it's because of some regulation, but with my current (European) bank it's always compulsory.

And a credit card I've got recently also asks for a second code, after the 3DS code.


By the way, the last time I checked, using 3DS means that it's "impossible that the transaction was fraudulent" and thus you can't cancel it.


Yep, that's why it caught on with shops despite being a source of friction.


I've heard it presented more as that the merchant isn't on the hook for a chargeback because they did the "best practice" in terms of preventing it.


Yikes, what happens if you've had your devices/credentials stolen? Are you held liable for the transaction without recourse?


What actually happens is with 3DS: a merchant gets liability shift. Liability resides with the issuer then. Whether you as a customer can be held liable for damages depends on your jurisdiction and when you report your devices / credentials stolen.


> it's always compulsory

No, it's the shop that decides, actually. More and more accept direct payments from card numbers without additional checks, by the way.


Pretty common in Europe these days, due to PSD2 regulation.


I have a Mastercard branded card issued by the Dutch quasi-monopolist (ICS). Every time I have a transaction with a merchant with ties to NL, they force me to do 2FA using their crappy app.

I have no words to express how much I hate this.


When I use my AMEX card online it sometimes does an extra "validation" step but as I recall I don't have to interact with it. It's probably checking location, etc, and deciding if further validation is necessary.

Have never seen that with VISA or MC.


Years ago I had to do that sometimes, but I haven't gotten prompted to authenticate my credit card with my bank in quite a long time. I thought maybe it just went out of style, but I guess some people still use it.


I'm in the US, and for some purchases I have to. There's like an iframe in which I have to log into my credit card account, and approve the transaction.

I'm not sure what triggers it.


If the bank fears the charge is fraudulent sometimes I've had to do it. But normally I don't.


If its the 'verified by visa' thing, it is in fact optional and you can cancel out of the wizard


The goal is to cover their asses for when data is stolen. It's not a matter of "if", it's "when", and they want to be able to point to every obnoxious POS practice they made standard to show they did their best. I'm not making any comments on whether this is good or bad, just that it, to me, explains a ton of the behavior.


The involuntary signup for two factor you didn't want is incredibly annoying. Especially when initiated by a bank or similar financial institution with no warning.

"BTW, for your own safety, we implemented two factor on your account, and tied it to your old phone. Wait, you don't have that phone anymore, cause it was something like a 10 yr old retirement that you never obsessively check? And we didn't give you the option for an email? Or even warn you? Too bad. We now no longer accept logins for your own money."


Payment gateways (PayPal, Apple, Google), in general, do NOT let you cancel individual services and are linked to your CC. Vendors (I'm looking at you, Audible!) constantly hide their account termination under layers of dark patterns. For a while, I had several ghost subscriptions that I a.) didn't want and b.) couldn't cancel.

My credit card card [1] has fundamentally changed my online purchasing experience as it bridges what I feel is a gap between new payment methods (Apple, Google, et al) and classic payment methods (CC).

An ounce of prevention is worth a pound of cure.

When I purchase something online, I create a new one-time card (three taps on my phone) and use that new, valid CC for purchasing. Everybody takes a CC. The card is instantly deleted after purchase, and I don't have to worry about my PayPal account, Apple Pay account, Google Wallet account, ghost subs, account hacks, identity theft -- the works.

[1] https://x1creditcard.com/


>Payment gateways (paypal, apple, google), in general, do NOT let you cancel individual services and are linked to your CC.

Paypal absolutely lets you stop recurring payments unilaterally on their side. I use Paypal for subscriptions wherever it's offered precisely for this reason.

https://www.paypal.com/us/cshelp/article/what-is-an-automati...


Sort of? I don't think everything always shows up on https://www.paypal.com/myaccount/autopay/

I think it maybe only shows companies you had recent transactions with.

In 2023, I had a fraudulent $0.99 Paypal Automatic Payment for "Domain Name Forwarding - Renewal" from a company (DomainsPricedRight/OwnMyDomain aka GoDaddy) that I last did business with in 2005. Yes, 18 years prior.

I was able to 'deactivate' the 'subscription' on the Paypal site after I noticed the charge but I don't think automatic payments existed on Paypal in 2005 and I'd certainly never signed up for it.

The original 2005 business I did was a one time domain purchase that was transferred to another registrar within a year.

It was real fun to also see on Paypal that I could have been fraudulently charged up to $10,000.

It's kind of scary to think that any company I've done a Paypal transaction with could maybe do the same thing (or any of the companies that eventually acquire their merchant accounts...)


I believe that this is the more reliable URL (it's certainly the one I provide to Ardour subscribers):

https://www.paypal.com/cgi-bin/webscr?cmd=_manage-paylist

[ EDIT: which redirects to the one you cited, so forget my attempt to be less wrong ]


That's news to me! Thank you for sharing!


Apple also lets you do this.


I've been using Privacy.com for this "create single use credit card" for years now. They make money via the interchange fees, afaik, and not by selling your data stream.


Just seconding Privacy.com, I use them for all my online payments and it is a super easy workflow.


Do they still require that on your side it is a debit card?


Sadly they are not available in Belgium (Europe) :(


In a couple decades I had to verify my bank once with PayPal


In their defence, I'm sure the parties involved would blame EU Strong Customer Authentication rules and claim that they "don't have a choice"


I pretty much never have to do a 2FA with Paypal. And it never redirects me to the bank (credit card).

I also don't do this on my phone, but on a regular PC.


I believe the redirect to the bank's website is an EU and UK regulation, "Strong Customer Authentication":

https://www.theguardian.com/money/2022/mar/14/uk-shoppers-fa...

https://www.visa.co.uk/pay-with-visa/changes-in-payment-secu...

I don't know the details of when it is and isn't required. I am asked pretty much all the time for transactions using my Danish cards, and only some of the time for the British cards.


>> I also don't do this on my phone, but on a regular PC.

I do the same. Too many times I've had major issues trying to buy stuff on mobile so I just stopped doing it like 8 years ago. Literally the only thing I pay for with my phone is my hockey sessions via Venmo.


> Clearly, the days when businesses thought online shopping ought to be low-friction are long gone.

I bought some lottery tickets online for a present to myself and the experience was smooooth. No cart, no checkout steps, no need to create an account, there was a QR code right next to the tickets that I had to scan with my banking app to buy them right here, right now.


Now imagine someone who has cognitive issues or is visually impaired trying to repeat this same process.


Businesses don't want online shopping to be high-friction, but thankfully consumer opinion is pushing more for security and less for making it as easy as possible to buy stuff online.

I'll happily take this shit-show cacophony of various 2fa methods and authentication types if nobody is stealing money from my bank account or ordering stuff on ebay on my behalf.

The flip side of this - is that if companies properly set up auth and allow you to use username+password (or passkeys) and a TOTP method then this is all basically copy/paste from your password manager or verify on your phone and the process is super easy.


> I'll happily take this shit-show cacophony of various 2fa methods and authentication types if nobody is stealing money from my bank account or ordering stuff on ebay on my behalf.

Even better: I wouldn't care about people stealing money from my bank account if cleaning it up and making whole was my bank's responsibility and not mine or some hapless vendor. Neither I, nor store vendors should have to put up with the "shit-show cacophony." The bank's entire reason for existence is to secure access to my money--it should be entirely their problem.


They want mandatory macrobugs (aka smartphones, the bug not paid and carefully placed by those who want to spy, but the one paid and babysat by the spy target) for anyone, so if you use a desktop you are a threat and you need to be not in comfort...


Why would you submit yourself to using PayPal when you don't have to? Serious question.


PayPal is my first choice and if I go to check out on your store and you don't have PayPal as an option, the chances I abandon my cart if I don't have my wallet just went up exponentially. I use it as a buffer between me and the provider. Everything goes through a credit card so I still get the points/miles I would get entering the card directly. Except now they don't have a credit card token they can keep charging forever. They have a PayPal token that I can log into PayPal and immediately revoke, asynchronously, without involving the merchant or my credit card at all.

I don't need to worry about my details still being with that merchant. I don't have to worry about the merchant's convolution and likely-illegal cancellation process. The only negative I can think of is that any dispute has to go through PayPal, and while I've never done it I would bet money they are going to be skewed more in the merchant's favor than the credit card company. But that being said I have had fully legitimate chargebacks (as in not "I want a refund and they said no" but "this is a fraudulent charge I never agreed to") get denied and reversed by Discover so that's not a 100% certainty either.

I never receive money through PayPal so while I've read all the same horror stories everyone else has, that doesn't seem likely to affect me. My biggest gripe is the full-screen advertisement for whatever service they're pushing every time you log in on the website.


Privacy[.]com replaced my PayPal usage pretty much completely. Virtual credit cards tied to individual merchants with limits.


And tied to a direct bank account, requiring you to use cash and lose any CC benefits. I use Privacy for things I know I only want to charge once (e.g. $1 trials or things of that nature) but not being able to charge a CC with Privacy is a big blocker most of the time.


Sure, but I don’t get rewards with PayPal, so it’s a non issue?

Or you are saying it’s not worth reducing your usage of PayPal unless you get rewards?


I'm saying I get rewards when I use PayPal (because everything ends up on a credit card anyway with added privacy/control benefits compared to using the card directly), so a solution where I don't get those rewards ends up being second-class. I also haven't had issues with PayPal that [many] others have, so there could certainly be a scenario where that changes.


Up until not so long ago that was the easiest "payment wallet" to have around.

Want to have charges go direct to your bank for 2 weeks ? you move it up on the list.

Want to try a new card but are not sure you'll keep using it ? add to the wallet and move up or down depending on how much you want to use it.

And it also managed subscriptions.

It is now a steaming pile of garbage for so many reasons, and it has always been a death trap for any small merchant, but they gave a fairly good shot at the wallet side of things. Good luck getting Nintendo, for instance, to trust any other third party wallet system.


Because I don't want to give the credit card details to every site out there. And because the Resolution Center works wonders with merchants who are not being forthcoming to resolve your problems. I once had an issue that a merchant had delivered less than half of the items that I had ordered, I contacted them and they requested (after 2 days) proof that I had not received the items. I could only produce the photo of the opened package which was clearly too small to contain everything they were supposed to deliver and the weight in the package label that clearly was too little for everything I was supposed to get. They tried to stall asking proof that I had not received a second package with the rest of the missing items. (How can you prove a negative?)

I got fed up and opened a refund ticket with paypal describing the problems and within 30 min the merchant contacted me promising to send the missing items and refund 20% of the cost if I closed the ticket in paypal.


Did you do what merchant said? Is it still okay to trust the merchant and lose your only hope with PayPal once you click the resolved button?


No I asked the merchant to commit to resend the missing items inside the resolution center and resolved the issue only after the items arrived.

The aim is not "profit" but to get the deserved attention and bypass clear stalling tactics like having to prove a negative. Needless to say that I did not ever use that merchant again.


It's quicker than entering your credit card details and address again and again.


If you use a password manager (which they say they do) it's much quicker to just save that info and automatically populate it. Doubly so considering the MFA hell they went through.


Too many sites have broken forms. Sure, you can have the card autofilled but maybe it doesn't trigger the autofill for the address or maybe that wasn't even loaded yet. Maybe you can just click there and have it auto-fill but they can be so broken it doesn't autofill completely or fills wrong. Some sites are smart enough to have a checkbox for "shipping address is the same as billing" and others aren't.

When you use a 3rd party payment provider like PayPal it does a really good job of forcing all of this to be automatic compared to things trying to autofill custom forms just because it's integrated by the site instead of the user. MFA hell is starting to erode that actually being easier though and now there is more and more often no simple approach left.


Yeah, CC autofill is nice but fails about 1/4 of the time. It doesn't include the security code either. A few sites will also have finicky inputs, like accepting spaces but rejecting the payment if you use them.

Still, PayPal is an absolute last resort for me.


it's also convenient for managing subscriptions


PayPal is used by a lot more people than most think to buy.

First it can pay directly from a bank account.

Second a lot of countries don’t have many options other than PayPal.


Sometimes there's no choice, usually for international purchases. eBay used to also prefer PayPal somehow, idk how it is now. I know that some Etsy sellers are PayPal-only.


> eBay used to also prefer PayPal somehow

They owned PayPal for a while, so it was heavily promoted. It's still their first choice AFAICT.


There's that, and also I remember some sellers were PayPal-only or at least preferred it back in the day, but that's not a thing anymore.


Why is your password manager only on your phone and not synced between your devices?


Sounds like you've got some unusual configuration options turned on or something.

The most glaring odd thing here is that you apparently don't have your password vault available on the same machine you're shopping from, which seems odd to me. Even so, if I went that route it'd still be easy b/c with the Apple ecosystem, the clipboard is shared between devices. One can copy a password from the phone and paste it on the Mac.

The tl;dr here is that I really don't understand why you had to retype your password. I never type my strong passwords. Why would you put yourself in a position where that's required?

Finally, when I pay via Paypal using my Amex, I never have to re-auth to Amex. It just flows through. So it sounds like that's something you've chosen to set up, not something inherent to the process.


Opening your password manager and displaying the strong password openly on the screen while manually retyping it on a different machine - rather than just installing the password manager on that machine - definitely sounds like a "why are you doing that?" kind of thing.

Likewise I've used a half dozen different cards and multiple bank accounts through PayPal for the last couple decades and can't remember the last time I've had to reauth on any of them during a checkout.


> Opening your password manager and displaying the strong password openly on the screen while manually retyping it on a different machine - rather than just installing the password manager on that machine - definitely sounds like a "why are you doing that?" kind of thing.

That one's on me, yes. The Yubikey I needed to unlock the password manager on the PC was upstairs and I couldn't be bothered to get it, so I used my phone instead.

(Why was the yubikey upstairs? Well you see, that's where the fireproof safe is. But I can't blame ebay for that, so I didn't mention it)


> Opening your password manager and displaying the strong password openly on the screen while manually retyping it on a different machine - rather than just installing the password manager on that machine - definitely sounds like a "why are you doing that?" kind of thing.

If the machine with the passwords is less exposed it's on average a lot safer (but now you have the problem of keyloggers of course)


> Finally, when I pay via Paypal using my Amex, I never have to re-auth to Amex. It just flows through. So it sounds like that's something you've chosen to set up, not something inherent to the process.

To be fair to the parties involved, they might well blame "EU strong customer authentication rules"


Ever since I started using Brave browser I have to do all of this shit. On Firefox I don't. Chrome, I definitely don't.


> Gileadite soldiers used the word "shibboleth" to detect their enemies, the Ephraimites. The Ephraimites spoke in a different dialect so that they would say "sibboleth" instead. Experience : you just had to say a word. Security : there's a single word to authenticate multiple users and it can be cracked by learning how to spell it.

Although that's roughly how the Wikipedia entry[0] summarises it, the actual wording of the story indicates a slightly different issue:

> for he could not frame to pronounce it right.

It's not a spelling difference per se, it's (AIUI) that the Gileadite pronunciation uses a phoneme that was not used at all in the Ephraimites' spoken language, so an Ephraimite soldier was literally incapable of pronouncing the word "correctly".

e.g. How some spoken dialects/accents do not use a rhotic "r", or do not distinguish between "l"/"r", or are not tonal languages. If you have not already learned how to make that specific sound, and distinguish it from the other one, through repeated practice, you will be unable to replicate it properly. And this will be the case no matter how the word is spelled, or even if you try to immediately copy someone saying it the exact way they want you to say it.

[0] https://en.wikipedia.org/wiki/Shibboleth


See also: the Parsley Massacre in the Dominican Republic, which preyed on Haitians' inability to pronounce the word "perejil" as a native Spanish speaker would:

> The Haitian languages, French and Haitian Creole, pronounce the r as a uvular approximant or a voiced velar fricative, respectively so their speakers can have difficulty pronouncing the alveolar tap or the alveolar trill of Spanish, the language of the Dominican Republic. Also, only Spanish but not French or Haitian Creole pronounces the j as the voiceless velar fricative. If they could pronounce it the Spanish way the soldiers considered them Dominican and let them live, but if they pronounced it the French or Creole way they considered them Haitian and murdered them.

https://en.wikipedia.org/wiki/Parsley_massacre


> so an Ephraimite soldier was literally incapable of pronouncing the word "correctly".

And, importantly, they would not even have realized that they were saying it wrong, because they would have been unable to hear the difference.

As a modern example: I have an acquaintance from Tonga. At some point she got very frustrated with the people around her who didn't understand what she meant by the "rittel bin". She finally pointed at the trash can.

"Oh, the litter bin!"

"That's what I said, the rittel bin!"

In Tongan, l and r are the same phoneme, and native speakers cannot distinguish them without practice.


I learned French as an adult, and I cannot at all hear the difference between the words "rue" and "roue." People tell me there's a difference and they try to sound it out to me, but each time they do, I just have to trust that they aren't saying the same thing twice.


There are native-English dialect groups which make no distinction between the vowels in 'pin' and 'pen'.

For all I rib my wife about falling on the other side of that line, it took my American ear a long time to hear UK-dialect(s) distinctions between 'Mary', 'merry', and 'marry', and still a fair bit of concentration to reproduce them!


The mary/marry/merry split is in America too. I say them all differently.


It's not that you're unable to hear the difference, you have to pay closer attention to what you're really hearing. I'm a native french speaker and when first learning english, I was made to carefully notice the subtle difference in certain vowels, intonations, silent consonants, etc. Like in sit and seat. The former vowel doesn't exist in french, so most french speakers learning english would pronounce it like the latter, as in "seat down". English vowels are very different from french, but there are some similarities and if you don't care to notice, you'll use approximations. E.g. imagine a french person saying "book", with the "ooh" sound and a noticeable exhalation after the k. Small little things like that can be brought to attention and corrected.

It also doesn't help that we much rely on the written word to learn. Which reinforces the reliance on existing symbol-pronunciation associations, instead of creating new ones.


Another famous example of l and r confusion is Japanese.

One I'm struggling with: Norwegian (bokmal at least) has the "y", which is between i and the German ü. I can kinda hear the difference, if I pay close attention and the speaker is deliberate about the pronunciation, but saying it is kinda hard, and I get it wrong most of the time.


Somewhat similar to how English (and other) speakers can have trouble distinguishing between the intonations in tonal languages like Chinese — "mā, má, mǎ, mà", and all that.


This one’s really fun in Bengali, where they have three relevant consonants, but they’re quite commonly all pronounced about the same: Shibboleth is শিব্বোলেত্ and Sibboleth সিব্বোলেত্ , but শ and স may be pronounced the same (though some distinguish them), which could be more like sh or like s, depending on the region and person. And, by experimentation grounded in this specific verse, apparently many of them can’t reliably hear a difference between sh and s, which I find difficult to comprehend given the significant spectral difference. But hearing is at least as much a brain thing as an ear thing.

So when a Bengali is reading the verse, what they’ll speak can be basically “they said, ‘Then say “Sibboleth”’, and he said ‘Sibboleth’ because he couldn’t pronounce it properly”.


In the Finnish civil war in 1918 the White Guard asked captives to say "one" in Finnish ("yksi"). The word starts with the vowel [y]. This is very hard to even learn to pronounce.

When the Russian speaking captives tried and failed to utter the [y] they were shot on the spot. Finnish natives got the luxury to starve often to death in concentration camps.

In WW2 the shibboleth was changed to "höyryjyrä".


In the early days of the Russian invasion, Ukrainians used "palyanytsia" as a shibboleth to detect spies. How well that worked in detecting actual spies is anyone's guess, but you can hear the difference in pronunciations really well if you enter паляниця into Google translate and use the TTS function with Russian and Ukrainian. It's really very difficult for a Russian to learn to pronounce this, but anyone who grew up in Ukraine (even if their first language is Russian and they struggle to converse in Ukrainian, like many older people in the south where I'm from) has no issues with it whatsoever due to many years of exposure to the relevant phonemes.


A modern example that might be intuitive to native English speakers is asking people to pronounce "The rural squirrel measures the tomb". You will be able to tell most Germans apart from native speakers by the first word alone


For a fairly similar experience for English speakers, see the sound that is written in Chinese pinyin as "sh" vs "x". They're two distinct sounds but will likely both register as "sh" to English speakers. Likewise "ch" and "q".


Dutch people still jokingly invite newbies in the country to pronounce the name of the town 'Scheveningen'; this is kind of hard for native English speakers and very difficult for native German speakers, so it was used as a filter by the Dutch resistance during WW2.


Scheveningen - huh?

I recently read Robert Harris's book V2 based on this town. Good book.

Also, there is a chess opening variation named after this place. (see https://en.wikipedia.org/wiki/Sicilian_Defence,_Scheveningen... )

And it has held great chess tournaments in the past.

Plus the Scheveningen system is a method of organizing a chess match between two teams.

For a fairly obscure location, it certainly got on the map, so to speak.


I recall reading some interesting neurological research on this topic, about how phonemes are learned and accessed. The specific sounds stored in the brain are largely fixed by a pretty young age, making it almost impossible for adults to learn certain pronunciations that differ from anything they were exposed to as a child.


Case in point - Hebrew lost “Ghayin” way back in history so the Hebrew for Gaza is “’Aza” (with ‘Ayin)


Hebrew also lost the voiceless pharyngeal fricative (Heth/ح) which iirc can only be pronounced by Mizrahi Jews (aka of Jewish Arab origin). It was merged into the voiceless uvular fricative כ khaf (خ in Arabic). Though as I understand it, interestingly the letters themselves are still found in Hebrew with distinct glyphs (ח vs כ) but one has just lost its unique pronunciation.


FWIW this varies by background — Yemenite Jews still pronounce Ayin as Ghayin.


But there’s no letter for it in Hebrew?


Ayin (ע) is the letter, and was the original letter used in the spelling of Gaza — עזה is the oldest and original name of Gaza, for as long as it's had that name. The Hebrew alphabet hasn't changed letters in thousands of years, long predating other Semitic languages like Arabic which continue to use the Gh sound; ancient Hebrew is still easily understood in written form by modern Hebrew speakers — much more so than even Shakespeare is to modern English speakers. When people say "Hebrew lost..." what they mean is the pronunciation of letters changed, not that the alphabet changed (unlike e.g. English, which really has lost and gained letters even over very short periods). And in some cases the sounds were only lost in specific communities; Yemenite Jews have done a pretty good job retaining sounds, e.g. their pronunciation of ע, as well as ת. (Similarly, Ashkenazis' much-maligned pronunciation of ת is probably closer to the original than modern non-Yemenite Mizrahi/Sephardic pronunciation — although Yemenite is closer.)

The last time written Hebrew meaningfully changed was when the Paleo-Hebrew script was exchanged for Aramaic block script 2.5 thousand years ago, but even then, the replacement was 1:1 — ע was still Ayin, it was just written with a different character. And Paleo-Hebrew script has been around since the Bronze Age.


I don’t know if it’s true or a common myth, but US soldiers in the Battle of the Bulge would ask possible spies baseball questions. Even if you were an American that didn’t like baseball, it was absolutely massive back then and you would know some things about recent seasons.


We are going way over the top with 2FA.

Why do I need to activate mandatory 2FA in services like GitHub repositories for hobby projects? It's a lot of extra effort for a questionable security improvement, and anyway, if someone impersonates me there, it's not the end of the world. If they care about end users (which my projects mostly don't even have) mark me as "unverified" or something, but let me avoid the hassle.

And in more serious services, like banking... since there is no such thing as 100% security (and in particular 2FA is far from it, e.g. if your phone is stolen with the banking app open, you're screwed), actually the most important thing is that the bank responds and can refund the money if fraud is committed, which it inevitably will for some percentage of unlucky customers. I view 2FA as a way to pass responsibility to the customer ("we have very secure systems, so if someone transferred $X out of your account it's surely your fault"). Personally, I feel safer with less security and the bank worrying about fraud than the other way around, so I don't think they're protecting me when they implement this kind of stuff.


Github 2FA is made extra fun because they only offer a single mechanic of replacing it (that I know of), and that's using the recovery codes.

So, they forced me to use 2FA, and I dutifully printed out the recovery codes (don't write down your passwords, that's bad practice, but here's 20 recovery codes that stand between you and losing your account forever, so you know, manage that somehow).

When I bought a new iPhone, apparently none of my stored information got copied over. The apps did, but none of the information for those apps (for example, the TOTP info maintained by the authenticator I used). So, I went to log in to Github, opened up my authenticator app, and it was blank.

Thankfully I had the codes...back at home, in a drawer, guarded by a cat, so I wasn't completely doomed, but it ruined the day to be sure until I could get home and recover it and recalibrate my TOTP app.

Oh, guess who has a photo of their recovery codes on their phone now?


TOTP backups from phones is a major issue, from what I can tell you simply can't do it.


It's the Google Authenticator app's fault. The most popular TOTP app probably, and for a long time, they were saying it's intentionally designed not to let you copy the codes. Now you can, but there are lots of pitfalls and vague documentation. I'm not convinced that TOTP is a user-friendly design to begin with, but it didn't have to be this bad.

I don't fw TOTP now. There are other apps, but I'm done. I'll only use it if the iPhone Keychain has built-in support some day.


The iOS Keychain already supports TOTP.


Ah yeah, it's hidden away a little cause they don't call it TOTP and you need to manually copy codes into your settings app. Gonna see if I can set it up on Mac cause that's where I'll actually maybe need it.


Set up should be simpler than needing to manually copy codes into your settings app.

When a QR code is present on screen that resolves to a TOTP seed, an additional context menu option should be present to "Add Verification Code in Passwords" or "Set Up Verification Code" or similar.

Here's a screenshot I nabbed from a way-too-wordy article on the subject: https://tidbits.com/uploads/2021/10/Add-Verification-Code-15...


>TOTP backups from phones is a major issue, from what I can tell you simply can't do it.

I've done it in Aegis multiple times. They even allow you to export the 'database' (which iirc is just an encrypted json file)


2FAS [0] and I think Authy [1] as well have options for backing up your TOTP config

0: https://apps.apple.com/us/app/2fa-authenticator-2fas/id12177...

1: https://apps.apple.com/us/app/twilio-authy/id494168017


With a yubikey everything is stored on the key and the phone is just a terminal, so it travels between phones. Now if you lose the key that's another issue :)


Sure, so same problem. Less likely your yubikey will be stolen I guess, but less convenient too (something else to carry)


But it's a key though. It goes on the keychain. Unless you don't carry around keys either, in which case yes, that would be very inconvenient indeed.

Also, your Yubikey is probably less likely to be stolen or break, but I figure it's much easier to lose it, which is why you might want to have two, just in case. And that's where it gets really inconvenient.


The problem I've always had with the two yubikey-model (except for cost and inconvenience of course) is that you can't really keep the second key in cold storage, because you need to enroll it to new accounts. That doesn't happen every day, but probably regularly enough that you can't keep it in a bank vault or something.

On the other hand, you know the second one works and hasn't spontaneously bitrotted.

My nerdy preferred version would have been (pre-passkey) to have a hardware token where the root secret is generated out-of-device and exists on e.g. a paper backup or something. Then I could just buy a new hardware token and inject the same token if the device dies.


You can technically do this with TOTP if you save the secret instead of simply enrolling the account. You're not supposed to do that, though.


> But it's a key though. It goes on the keychain. Unless you don't carry around keys either, in which case yes, that would be very inconvenient indeed.

Even if I do have keys, they are safe in my pocket, not sticking out the side of a fragile USB port.

There's then the whole mobile problem -- yubikeys are perhaps fine with my laptop, but how about when I'm using a mobile and my laptop is in my bag, or at home?

And OK, lets say I solve all that. How do I add a second key?

The beauty of SMS for 2FA is that my phone number sticks with me. If my phone is lost or stolen, a new sim card is sent to my home and I have access to all my 2FA authentications. It also ties in well with my phone -- if I get an SMS with a number 123456, it appears as an automatic insert option on the form, no need to go to another app to copy a number and switch back to paste.

TOTP and Yubikeys do not match the usability of SMS.


  Even if I do have keys, they are safe in my pocket, not sticking out the side of a fragile USB port.
It's difficult, though not impossible, to break your USB port with a Yubikey due to its shape. It's not a regular USB plug and will come out quite easily.

  but how about when I'm using a mobile and my laptop is in my bag, or at home?
USB-C and NFC variants are quite common.

  And OK, lets say I solve all that. How do I add a second key?
The same way you add the first--most of the time, you have to scan a QR code. You can scan it more than once.

  The beauty of SMS for 2FA is that my phone number sticks with me. If my phone is lost or stolen, a new sim card is sent to my home and I have access to all my 2FA authentications.
I'm not giving you my phone number, and mobile providers are known to send replacement SIM cards to random strangers if they ask nicely.


>But it's a key though. It goes on the keychain. Unless you don't carry around keys either, in which case yes, that would be very inconvenient indeed.

Half the time I choose for TOTP authentication over Yubikey because "Oh god it's in the living room I don't want to go get it."

I do have a backup key mind, but that's USB-C instead of A. Maybe I should make another USB A backup.


Two yubikeys sounds ok, but I don't 100% trust that the second one works forever. Anyway, my keychain got run over by a bus, and luckily the yubikey survived.


What I do is when I receive a QR code to set up TOTP while creating a new account is to take a screenshot of that code and save an encrypted copy of that screenshot. Then it is just part of my ordinary data backed up as part of my normal backups.

If I ever want to set up a TOTP app on a new device it is not hard to decrypt all my saved QR codes, open them all at the same time in Preview on my Mac, select the option to show one page at a time, and then get into a nice rhythm using one hand to scan on the new device and the other to hit "page down" on the Mac keyboard.

If the site also gives a text form of the shared secret from the QR code I save that too. Having the text form around is handy in case I need to login but for some reason don't have the devices where I have the TOTP apps. Given the text form of the code, this command, from the oathtool package, will give the current login code:

  $ oathtool --totp -b "secret"
That's if the secret is encoded in base32, which they commonly are. If it is in hex leave off the -b.

If the site doesn't give a text form of the shared secret I read the QR code to get it. If you do that be careful. Some QR code reader apps do the processing server side which you probably don't want...and they don't necessarily make that clear in the description. I had to try a couple of apps from the Mac app store before finding one that did it client side. (Then I found out that Mathematica's BarcodeRecognize function can do it, and deleted the QR code reader app. Now I just open Mathematica, type BarcodeRecognize[], drag and drop an image file that has the QR code between the brackets, and hit shift-return).
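The shared-secret workflow in this comment (and the earlier point that saving the secret, rather than only enrolling an app, lets you re-provision a new device) as an added example, not the commenter's tooling: a small Python reimplementation of what `oathtool --totp -b "secret"` computes from a saved secret, plus a parser for the otpauth:// URI that an enrollment QR code encodes. The sample URI, the issuer/account names and the base32 secret (the RFC 6238 reference key) are constructed for the demonstration; everything else is standard library.

```python
import base64
import binascii
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Added example (not from the thread): RFC 4226 HOTP and RFC 6238 TOTP over a
# saved shared secret, and a parser for the otpauth:// URI carried by a
# provisioning QR code. Sample values below are constructed.


def decode_secret(secret: str, encoding: str = "base32") -> bytes:
    """Turn the textual shared secret into key bytes.

    Sites commonly hand out base32 (as the comment above notes); some give hex.
    Base32 is normalised (case, spaces, dashes, missing '=' padding) first.
    """
    if encoding == "hex":
        return binascii.unhexlify(secret.strip())
    cleaned = secret.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: str, at_time=None, period: int = 30, digits: int = 6,
         algorithm: str = "sha1", encoding: str = "base32") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period). Same as oathtool --totp."""
    if at_time is None:
        at_time = time.time()
    key = decode_secret(secret, encoding)
    return hotp(key, int(at_time) // period, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Extract the fields of an otpauth://totp/<label>?secret=... URI (the QR payload)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI carries no secret")
    label = unquote(parsed.path.lstrip("/"))
    issuer_from_label, _, account = label.rpartition(":")
    return {
        "issuer": params.get("issuer", issuer_from_label or None),
        "account": account,
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def code_from_uri(uri: str, at_time=None) -> str:
    """Current (or given-time) code for an enrollment URI, honouring its parameters."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at_time, p["period"], p["digits"], p["algorithm"])


# Constructed sample: RFC 6238's reference key "12345678901234567890", base32-encoded.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              f"?secret={RFC_TEST_SECRET_B32}&issuer=Example&digits=6&period=30")

if __name__ == "__main__":
    print(parse_otpauth(SAMPLE_URI))
    print("code now:", code_from_uri(SAMPLE_URI))
```

The code the block prints for a live clock is whatever the current 30-second window yields, so the point to check by hand is the fixed-time path: `totp(RFC_TEST_SECRET_B32, at_time=59)` is the RFC 6238 vector for T=1 (`287082` at six digits). Storing the secret this way gives you exactly what the comment describes, a re-enrollable backup, and also exactly why the secret deserves the same encryption as a password.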


Why use a QR code reader app instead of the built in camera app?

Personally, I email the backup codes to myself. Yes it's less secure in theory, but the only time I'm using totp is against my will.


> Why use a QR code reader app instead of the built in camera app?

The QR code is on the screen of my desktop Mac. The camera is right above the screen facing me and can't see what is on the screen.

I could read it with the built in camera app on my iPhone or iPad, but that just tells me it is a QR code for the TOTP authenticator app I use and opens that if I tap. I don't see a way to get it to tell me the content of the QR code in text form. Even if it had a way that would be on the phone and I want the text to save it on the Mac.


Oh, got it. Classic problem with QR codes. Some people get around it with two mirrors, haha.


Use Raivo on iOS; it lets you copy, back up and duplicate them to other places.


That's why I store them in Bitwarden.


Oh huh, I switched from AndOTP to Aegis and was able to export from the former and import into the latter. Then on desktop I'm using Authenticator [0], which can import from both.

[0] https://flathub.org/apps/com.belmoussaoui.Authenticator


Use Aegis.


There are other methods for 2fa recovery. The main one involves an SSH key you've previously added to your account.


Using said ssh key as one of the 2fa choices for standard login would be quite a nice feature too...


I spent a little time trying to decide whether GitHub's 2fa was genuinely an extra factor whose compromise (with an uncompromised password) wouldn't weaken security vs a situation where it hadn't been set up at all.

In that case, presumably I could embed the totp key in a bookmarklet in the conveniently-sized 'public bio' field on my profile so I can complete it on whatever device I happen to be using, and effectively opt out?

But I'm really not convinced they aren't fuckwits and wouldn't treat the 'second factor' as an authoritative single factor in some circumstances (e.g. password reset) which wouldn't be unauthenticated if 2fa wasn't set up.

I'm also not convinced one can even contact anyone at GitHub clueful enough to answer that question authoritatively nowadays rather than reading off a script.


That's another pet peeve of mine with 2FA, which I didn't mention to avoid posting a wall of text: in many cases (no idea if GitHub in particular is one of them), the second factor totally dominates (allowing you to recover the first factor or logging in without it) so it effectively is 1FA, where the factor is almost always your phone. Lose your phone, and you're screwed.


I stopped logging in into GitHub since then. My customers are using Bitbucket right now so the only reasons to log into GitHub would be to search the code of some project or opening an issue to one. Luckily I can search issues without being logged in and about opening issues, I feel a little bad but I don't open them anymore. It was my way to contribute to open source, it's gone because of too much friction.


Making login harder is Microsoft's classic thing. At least they didn't do it like Minecraft, locking out tons of pre-existing users.


> Why do I need to activate mandatory 2FA in services like GitHub repositories for hobby projects?

Same reason Microsoft forces Windows updates so aggressively - because if some kind of security breach makes the news, even if it's clearly due to poor user choices (poor password choices and/or security; repeatedly opting out of critical security updates), it's always the vendor/service provider that looks bad.


> Why do I need to activate mandatory 2FA in services like GitHub repositories for hobby projects?

Because your hobby-project can emerge to be the backbone of someone's multibillion dollar-business, or a small gear in a million other projects, and you will get targeted for a supply-chain-attack.


Why should a multi-billion dollar business or a million other projects trust my code simply because GitHub made me 2FA to sign in? I may well decide the next push rewrites half the project in a breaking way on a whim or get an offer for $100k to give control of the project to the bad actor or just decide I don't like big corp anyway and be the bad actor myself.

Turning providing source code into promising you'll follow other's desires on how it should be worked on is a recipe for disaster while simultaneously not really making hobby projects low risk to rely on anyways.


I think it's more about GitHub's image and its self-imposed viewpoint that it needs to keep the software landscape secure. Requiring 2fa drastically reduces the number of ways a repo that is a building block for x% of a country's GDP gets compromised - now the only path is if the author intentionally hands over the repo/their account to a bad actor or e.g. posts their 2fa secrets on the internet for anyone to use.


There are also plenty more ways for it to get compromised which don't involve the owner handing over anything - say simply accepting a merge which adds a cool feature while still compromising the other users of the project. Github still gets the same marginal image impact risk because ultimately the security of billions of dollars or X% of a country's GDP isn't protected by requiring a hobby developer to 2FA their afternoon code changes. You can't make them interested in protecting your billions via secure account login. Instead it's done by the billion dollar companies or countries themselves because they are the only ones with resources large enough to protect that much asset in a useful way. All this ignoring the same impact can be had by the author simply having a mistake and not fixing it over holiday vacation, no malicious actors required in the first place.


You are right. However this cost should really be imposed on the multi-billion-dollar business and not on the author of the hobby app.


How should that work? Nobody knows who is using which part from which repo. And it's not just about big business. There are all kinds of small communities and little apps, extensions, etc. with some small communities. Most of them don't even make money, but are juicy targets for some small fast money.

Forcing everyone to raise their security and gain awareness about those things is a huge win for everyone, and only a little problem for the individual user. And it seems to be only a phase anyway, as most people & services are moving to more comfortable solutions over time.


> How should that work?

By the users of the software I publish noticing the license that states that while I hope this software is useful to them, it is provided with "NO WARRANTY, NOT EVEN FOR FITNESS OF PURPOSE" and planning accordingly.

If you're an entity that wants to ensure that software you use from a source that you have approximately zero power over (and has explicitly provided NO warranty for that software) is and continues to be fit for purpose, you're going to have to inspect that software at a point in time, determine if it is fit for your purposes, and carefully inspect every future version of that software that you're considering using.

There really are no shortcuts. Requiring one to drink a Confirmation Can to log in doesn't change the math here.


Billion-dollar businesses can pay full-time professionals for support. They can hire staff or contract with a vendor. They can audit the free software they use or, like the good old days, pay for software whose vendors maintain it.

Or they can use hobbyist-written software for free, which is just fine, but don’t expect the hobbyist to support it for free.


> How should that work?

Fork and change the readme to reflect that this version is hardened for big business.


So implement those tighter security controls when they make sense. Don't force them on everyone when only a small fraction of cases are worthwhile.


Github is an unfortunate choice of example because the replies have fixated on it but there are a large number of sites that impose security cargo-culting to secure things that just don't need it. e.g. Why do I need to make an account with a password to pay a bill?


Just turn on Passkeys on GitHub, then you don't need 2FA/TOTP. It's also faster.


My password manager autofilling will always be faster than any other option, especially one that requires me to pull out my phone, navigate to my authenticator app, switch to your app (which will only become more time-consuming as more sites require it), then type in the code by hand.

The only thing that can compete with password managers on user experience is just actually remembering they're logged in instead of pointlessly logging them out every single day for no reason.


1Password supports Passkeys, not sure for others. But it's one click on the login page and you're in.


Passkeys work without a phone, or a second device. Windows Hello/TouchID will verify you almost instantly. There are also browser extensions you can use, like 1Password or Bitwarden, to do the passkey flow for you if your device or OS lacks quick authentication options.


> My password manager autofilling will always be faster than any other option

Passkeys will be faster.


I don't see how Passkeys eliminates the need for 2FA.

Seems to me, and I may not understand it, but it seems to me that Passkeys are more of a way to eliminate having to constantly re-enter you password, but do not eliminate passwords.

For example, if I set up a Passkey, that's bound to a specific machine/browser/phones/whatever. But if I log in from another device, there are no Passkeys, so I just need to use my password. If I lose my machine/browser/phone, I'm in the same boat -- new device, and I need to login. Thus the password.

I don't use any syncing system, I'm not on iCloud, or use apps, or anything like that, so there's no mechanic for distribution of passkeys. Plus that wouldn't work if I wanted to log in from my friend's laptop, or something like that.

Am I mistaken in how this works? How does enabling Passkeys eliminate 2FA?

My issues with 2FA aren't so much the 2FA part (yea, it's a pain in the neck, "one more step", etc., but, it is what it is). My issue is that if my 2FA is lost, and my recovery codes are lost, I'm toast. There's no other way to recover. No other mechanic, at least for Github.


> I don't use any syncing system, I'm not on iCloud, or use apps, or anything like that, so there's no mechanic for distribution of passkeys. Plus that wouldn't work if I wanted to log in from my friend's laptop, or something like that.

iOS and Android can also just keep local Passkeys where you scan a QR code, though of course if you don't backup anything anywhere you will always have a redundancy problem with any 2FA mechanism.

Passkeys are supposed to not be a single authenticator either, so you can enroll another Phone or a Yubikey (or also your local TPM, binding to your user account, for convenience), but not all services support that in practice.


2FA is everywhere, but whether it should be enabled by default or not is very subjective.

Not that long ago there was a discussion about the 23andMe data leak through user accounts that reused emails/passwords on some other compromised site. I was surprised how many people here argued that 23andMe should be responsible for this data breach because it's common knowledge that people reuse passwords all the time and yet 23andMe didn't make 2FA mandatory until after the leak.

Personally I prefer to have a choice on whether 2FA should be enabled or not but I also understand companies that don't want to be blamed for something that is entirely the user's fault so it's much easier for them to make 2FA mandatory, even though with phone apps it's not really 2FA since it's the same device.


>if your phone is stolen with the banking app open, you're screwed

With mine, not really, as you still have to enter a simple password to do anything: six letters, no dumb requirements for capitals and odd symbols.

There is something to be said for simple passwords that people can actually remember. They don't work in situations where hackers can try loads of attempts electronically, but where you have to type them in they are quite good really.


2FA can also be a way to get more private data, like phone numbers, out of users; which will be used for things having nothing to do with security or helping the user. Facebook did exactly this and I'm sure other companies have as well.

2FA increases risk of the account owner losing access to their account. There are a huge amount of posts online from people livid about getting locked out of their account because of some mundane reason like their phone breaking. That risk rarely seems to be considered by the crowd pushing 2FA everywhere and anywhere, probably because it happens most often to non-techies.

Things that seem easy or obvious to folks working in tech are often a huge hurdle for regular users, who make up the majority of users for many products. Many tech companies could do a much better job of considering the needs of their users, rather than building what the devs and product managers personally think is cool.


Personally, I think that they simply don't like being the go-to free storage for all of our personal or hobby or open source projects.

This way, free users are less likely to use github while paying corporations will stay.


I understand the frustration with login systems, but why is the title "Passwordless: A Different Kind of Hell" if it doesn't talk about passwordless authentication, like passkeys, magic links, and biometrics?


> biometrics

Biometrics are a convenience feature, not a security feature.

Fingerprints are trivial to lift and replicate. Face unlocks can be fooled by pictures, or in some cases, get false positives from people that just look enough like you (which is common in some Asian countries). Even if it requires you to blink, new AI tools will easily generate a video of you looking around and blinking.

But the worst part about it all, is that biometrics are a password you can't change without surgery.

I really REALLY wish "biometrics" would stop coming up as a solution to security.


Agree with the insights in your comment about biometrics != security, but I'd like to take a moment to nitpick a slight inaccuracy-- Asian faces don't actually look similar to each other, but they do look similar to a person/model that has been trained mostly on white faces. If the facial recognition model had been trained predominantly on Asian faces, then white faces would look similar to each other instead.

Reminder that the outputs of AI don't reflect some deeper truth about reality, just an extrapolation of the training data. Garbage in, garbage out.


> don’t actually look similar to each other

I think this should be “more similar than other groups” rather than simply “similar”. Even then I think it’s possible that some groups have more loci with higher diversity for facial features. That’s not even getting to epigenetic and environmental elements.

I think the deeper truth is in your final paragraph: facial similarity is in the eye of the beholder.


Biometrics are used in combination with a specific device, same as a PIN (you can't withdraw money from an ATM with just a PIN, you need the chipped card + your PIN).

I can't go up to just any computer and log into my bank with my face.

You would have to possess my phone and then deepfake me.

I am comfortable with this security posture because the convenience of Face ID allows me to use long random passwords with frequent rollover which I never have to type.

If I lose my phone I can remotely disable it.

This is all much less of a crime to me than any service that allows password reset over SMS, which is a much more well trodden vulnerability.


Low security is security too. Biometrics can be useful when used for appropriate applications. They're very useful in applications where authentication would otherwise be omitted or undermined due to usability concerns. They can also be used in conjunction with other authentication methods to complement the flaws of other authentication methods, like passphrase or token, which can be shared more easily.

Like with many things pertaining to security, there are no universal solutions without first defining the problem.

Say for instance, you have an access control system where you want to solve the issue of credentials being intentionally shared. Biometrics are a great solution for this; tokens and passphrases are not. You need different tools for different problems.


> Face unlocks can be fooled by pictures

Isn't that only Android (and maybe only older models)? Doesn't iOS use a LIDAR sensor instead of the camera?


Correct. Depending on the phone, on Android the face unlock will not work with a 2D image. Perhaps only on cheaper phones.

On Windows for example you can't even have face unlock without a sensor that will provide 3D details so most laptops don't support Windows Hello.


I was confused as well. It seems to me that by lowering the experience complexity, while not really changing security, by the author's own logic the experience stars would go up a notch.

Instead they just mention it in passing with a "only time will tell" comment


I was curious about that as well. Since most services implement an email based Forgot Password feature, and 2FA tokens are also often email based, why aren't magic links the default approach now? Seems to be just as secure as password+2FA but easier to use (and probably to implement, as well).

By the title, I thought the article would explore some of the downsides of this approach that I might be missing.


Magic links are not the default as it gives your login process the speed and reliability of email delivery and most login processes are aiming for better than a p95 of about 5 minutes.


It talks about passkeys and biometrics though.


At the very end, as possible alternatives to the hell they're describing.


Yeah and would passkeys themselves prevent the session from expiring? Notion et al can still have short lived sessions on their client apps.


Yeah I'm not saying anything about the truth of that, just that the title doesn't match the content


I think the industry, to some extent, has already reconsidered the session length, see [0] by Auth0 for example (even if it's obv. a PR piece). Nowadays my gut assumption when I use a service with really short sessions is that their security practices are probably questionable.

I recently argued, as the cybersecurity guy™, with a vendor that we can't ask regular users to reauthenticate every 15 minutes. They insisted raising it would be too insecure and instead suggested to make MFA optional as it would make the login process smoother…

[0]: https://auth0.com/blog/balance-user-experience-and-security-...


The thing that I find super frustrating about these short sessions is the lack of risk it's mitigating.

If it's expiring in a few minutes, presumably you're trying to protect against two things: (1) Session hijacking and (2) Unlocked computer.

Session hijacking is somewhat preventable via other means (eg: IP address tracking), but more importantly, in what case can a session be hijacked only 15 minutes later?

Someone walking away from an unlocked computer is an impossible problem for an app/site to solve. If an attacker has access to the PC, they can install malware that sniffs all traffic or passwords, and if the user saves their password(s) on their PC all of those are compromised anyway. This is a responsibility of the person responsible for the computer -- eg, the user and/or the IT admin.

When sessions/passwords expire in a time measured in days, I can't help but think they are basically saying "it's okay for an attacker to have access to this system for 89 days... but not 90!" The only valid argument I've ever heard for this is an attacker might be doing offline cracks of passwords -- but there's so many other fails involved there that I can't see how blindly expiring them is at all useful by comparison. Not to mention rotated passwords are very predictable[1] so it's unlikely to even mitigate the attack.

[1] https://www.sans.org/blog/the-debate-around-password-rotatio...


For very short sessions that is likely true. But I think there is a middle ground where devices are lost or stolen, or data is accidentally leaked. If it is a sophisticated targeted attack you have already lost. But maybe someone just threw out an old PC that they haven't used in years and the disk isn't encrypted.

For my service I ended up doing something in between. Sessions last for 14 days, but they are automatically renewed indefinitely. So as long as you access the service every 14 days your session will never expire. This way lost or leaked credentials aren't a risk forever. But in most cases users rarely if ever need to log in again. I may play with the exact timeframes, or maybe significantly extend the validity if the user is logged in via the same IP or similar heuristics. But I like that after some definite period old creds are no longer live.


> where devices are lost or stolen, or data is accidentally leaked

> someone just threw out an old PC that they haven't used in years and the disk isn't encrypted.

These are scenarios where I think expiration doesn't help at all. I assume your reaction is not just "oh well, the compromised sessions on that device will expire in 70-ish days so we can just ignore it" but instead you immediately consider everything on the device compromised and kill all sessions, rotate all account passwords, etc.

If it takes you a day or two to notice this event happened, expiration doesn't help: long expiration hasn't happened yet, and with a short expiration, you still don't know and can't assume it protected anything. In fact, the safe thing is to assume the session was accessed within minutes of the incident.

> For my service I ended up doing something in between. Sessions last for 14 days, but they are automatically renewed indefinitely.

This is a pretty rational approach, but of course the time frame depends on your users and how they use your system. Auth0 has a good rationale behind their approach[1]:

> You can configure session limits with up to 100 days of inactivity (idle timeout) and up to one year in total duration (absolute timeout).

> The motivation behind the 100-day idle timeout cap is to cover one quarter plus a few days, which provides wiggle room for people who log in to do end-of-quarter reports.

[1] https://auth0.com/blog/balance-user-experience-and-security-...


Some of it depends on regulations and usage context. When I worked in healthcare, sessions were always short-lived. This may have been regulation-driven, but it's also based on the fact that often this software is being used on shared machines or in areas where unauthorized users are present (such as in patient rooms). While users are trained (very well, in my experience) to lock machines whenever they're unattended, short session lengths provide an additional layer of protection.


I saw a demo like 15 or 20 years ago of a Sun thin client that used smart cards. You put your card in to any terminal, and nearly instantly your desktop session was live. Remove the card and it instantly disappears and locks.

That type of thing seems ideally suited to healthcare use, and we have such better devices now than whatever cards were used way back then. Amazing it's still Windows PCs deployed and secured with passwords.


A previous employer (regional healthcare system) did exactly that: staff used their badges (along with another authentication factor, IIRC) to pull up their VDI instance on any client. This was just being rolled out ~8 years ago.


What gets me is that gmail login lasts...seemingly forever. And for most users, if their e-mail account were to get compromised, it's game over for everything they use, since so many services allow you to reset a password and possibly even remove 2FA with just e-mail verification.

What's even the attack scenario? Someone stealing a session token/cookie? If they can steal an expired one somehow, then there are good odds they could steal a current one, so the short session doesn't matter THAT much. I suppose another scenario is someone not logging out of their accounts on a public computer, but the type of person to do that likely uses "Password123!" as a password anyways.


> ... since so many services allow you to reset a password and possibly even remove 2FA with just e-mail verification.

What is insane is that so many services allow resetting the password and even 2FA without requiring any cooldown. The level of fail here is plain staggering. I don't really have words.

There are proper services out there who shall go out of their way to try to contact you, for example for 72 hours, before allowing any reset to happen. Some are going to say: "Wait, what!?, 72 hours!? I need to reset my 2FA NOW". They don't realize though that what they're really saying is: "I want bad guys to be able to reset my password/2FA instantly and log me out of everything they can in a split second". It's convenience vs security, once again.

As a sidenote I've read about a DB (in the EU) about SIM cards saying when they were swapped. And as a bank, you can check that DB and decide, for example, to refuse to let anyone change any setting if the SIM was swapped less than a week ago.

We need more people to think a bit about potential solutions instead of crying "but it's not convenient" and "bad guys shall find a way anyway".


A problem which has made the news repeatedly is services where an e.g. password reset doesn't reset / invalidate the session key. How many cases of ridiculously short session expiry are masking cases where the service is unable to actually manage to invalidate a session key in conjunction with said password reset?
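
Several comments above describe pieces of one session-lifetime policy: a session that lasts 14 days but renews on every visit, Auth0's separate idle and absolute caps, a password reset that must also invalidate every outstanding session, and the 72-hour cooldown before a 2FA/password recovery goes through. As an added example, not code from any commenter's service or from Auth0, here they are together in one small store. The timeouts, the in-memory dictionaries and the method names are assumed for illustration; a real deployment would keep the same state in a database and notify the account owner when recovery is requested.

```python
"""Session lifetime policy: sliding idle timeout, absolute cap, revocation of
every session when credentials change, and a delayed recovery flow.

Added example, not the code of any commenter's service. The constants
(14-day idle, 1-year absolute, 72-hour recovery delay) are assumed for
illustration; the in-memory store stands in for a real database.
"""
import secrets
from dataclasses import dataclass, field

DAY = 86_400
IDLE_TIMEOUT = 14 * DAY        # renewed on every successful request
ABSOLUTE_TIMEOUT = 365 * DAY   # never renewed: forces a fresh login eventually
RECOVERY_DELAY = 72 * 3600     # 2FA/password recovery completes only after this


@dataclass
class Session:
    user: str
    generation: int   # credential generation the session was issued under
    created_at: float
    last_seen: float


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)          # token -> Session
    generations: dict = field(default_factory=dict)       # user -> current generation
    pending_recovery: dict = field(default_factory=dict)  # user -> time requested

    def login(self, user, now):
        """Issue an unguessable token bound to the user's current credential generation."""
        token = secrets.token_urlsafe(32)
        gen = self.generations.setdefault(user, 0)
        self.sessions[token] = Session(user, gen, now, now)
        return token

    def validate(self, token, now):
        """Return the user for a live session, renewing it; None otherwise."""
        s = self.sessions.get(token)
        if s is None:
            return None
        expired = (now - s.created_at > ABSOLUTE_TIMEOUT
                   or now - s.last_seen > IDLE_TIMEOUT
                   or s.generation != self.generations.get(s.user, 0))
        if expired:
            del self.sessions[token]   # a stale token must not be replayable later
            return None
        s.last_seen = now              # sliding renewal: active users never re-login
        return s.user

    def reset_password(self, user):
        """Bumping the generation invalidates every session issued before it."""
        self.generations[user] = self.generations.get(user, 0) + 1

    def request_recovery(self, user, now):
        """Start a 2FA/password recovery; the real owner is told and can cancel."""
        self.pending_recovery[user] = now

    def cancel_recovery(self, user):
        self.pending_recovery.pop(user, None)

    def complete_recovery(self, user, now):
        """Succeeds only once RECOVERY_DELAY has passed, then rotates credentials."""
        requested = self.pending_recovery.get(user)
        if requested is None or now - requested < RECOVERY_DELAY:
            return False
        del self.pending_recovery[user]
        self.reset_password(user)
        return True
```

The generation counter is what makes "reset invalidates sessions" cheap: nothing has to enumerate a user's tokens, a session simply stops validating once the credentials it was issued under are superseded. The same check also covers a stolen token that the attacker keeps touching, which a sliding window alone would keep alive until the absolute cap.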


NIST recommends creating separate "Authenticator Assurance Levels" to balance security with UX:

https://pages.nist.gov/800-63-3-Implementation-Resources/63B...


Something that often gets overlooked in these discussions is the impact of all this on older people and people with intellectual disabilities. Managing all of this is annoying to an average person, but can literally be impossible for an older person with a memory disorder. It creates a lot of additional vulnerability for them, because they now need to trust someone to help them manage their accounts. It also puts a heavier burden on people in customer service who have to deal with often irate older customers who are having trouble managing their accounts.


This is getting exceptionally bad, where places like the SSA are moving to "online-only" for basically everything, and the ability to go to a local office and have someone help you is getting rarer and rarer.

And even if you can get in-person with someone, the new "secure" systems may block them from being able to help, anyway.


I very much wish more people considered the various types of users and contexts that use their system. Many seem to be moving towards a "magic link" solution, which can be convenient but is also predicated on the user's phone or email which leaves users with a single point of failure and little additional protection or recourse if it is exploited.

While I understand the burden on organizations to protect user data, the user should have say as well. A one-size fits all solution almost always leaves users on the lower slopes of the bell curve vulnerable or frustrated.


Weird post. It's a good history of authentication, including offline and online, and I like the ratings.

But the title seems like pure click bait, as the author didn't spend more than 2 sentences on passkeys/Webauthn (which is the typical tech for passwordless solutions nowadays).

I have my own issues with Webauthn usability and was expecting a deeper dive into that.

That larger problem, of course, is that security and ease of use are in tension. Always were, always will be.


I just opened a ticket with notion on mobile and plan on switching because I can’t use it for simple notes. This is the amount of steps it takes to login and you have to do it all the time:

* unlock your phone
* tap notion
* you're logged out - avoid the big login with x sso buttons, scan for and click the little text that's black on black labeled "login here with email"
* type my email out (no autofill)
* tap submit
* exit app, open mail
* find the notion email, usually it's right there other times, you must refresh constantly, sometimes it takes whole minutes because it's email
* highlight as much of the password as you are able but not all of it because you can't due to the dashes
* adjust highlighted text while holding down long enough to pop up the copy context window or memorize a cute phrase with dashes and type it out without making a mistake, 3 taps a dash (x4) because mobile keyboard layering
* hit copy, exit app, open notion
* press and hold in the textbox for the paste window or type it out
* finally hit paste and submit
* remember what you were trying to do quickly

Now add slow or glitchy(5g+) internet and it doesn’t work.

Even if you wanted to tie yourself permanently to an sso provider, a lot of the time, they too require re auth. If you have 2fa on (as you should) that's as many steps. The push for sso is also incredibly annoying. I’ve nearly deplatformed very intentionally.

Notion does a lot of funky things like refuse to build an offline mode which exacerbates this.

One other thing I don’t like about “passwordless” is biometric as a security feature instead of it as a convenience. 1Password removed passcode unlock on mobile in favor of faceid. Which if you don’t use it results in entering your full long password every time you use it, even if you just used it. Apparently I wasn’t the only one that complained because they restored the feature shortly after removing it. I unlock my friends phones while they are driving with faceid all the time. Too easy, not secure enough for the app that has most of my secrets.

Use 2fa, local passcodes that require reauth occasionally, and assume you are running on a locked device, if logging in from a new place maybe 3fa like Coinbase.


This is the main problem - I want the ability to say "this app should be authenticated whenever my phone is unlocked" - I trust that the timeouts on my phone will protect me from the unlikely "grab" attack, and I can remotely lock it anyway.

I do NOT want to have to sign in a billion times a day, even if it's relatively quickly with FaceID or similar.


Note that all uses of the password before the computer were not for personal security, but organizational security. If the enemy infiltrated without the use of the password, it could mean the downfall of an empire.

Today we use passwords largely for personal security. Yet when companies choose what methods of authentication/authorization they offer, they don't care what the user wants. They pick methods that will make their own jobs easier, rather than giving the user more convenience. The user has no agency today; it's just take what they give you and be thankful for it.

As a result, the tech landscape is full of wildly varying authn+z methods. Inconsistent password policies, inconsistent challenge methods (when they exist), inconsistent use (and types) of MFA, inconsistent use of hacker-prevention methods, the occasional use of single sign-on for only a few identity providers, "magic login email links", nearly non-existent use of client-side keys, etc etc. Almost every site you login to today will have a different system. Passkeys aren't much better, because it too is just a hodge-podge of different standards, not all of which need to be supported.

We need more consistency for the methods that exist. There should be a standard for challenge questions, a standard for hacker-detection, a standard for password policies, a standard for MFA, etc. That way it will be a little less haphazard how everyone implements them, and it will be easier to prevent security bugs by following the guidelines for implementing the standard.

But I also think more should be done to advocate for what the user wants. If the user wants to use a regular password, let them enable it. If the user wants to disable MFA, let them disable it. If they want to opt-out of the multi-layered hacker-detecting challenge-questions, let them opt-out. This is, after all, their personal security, not the security of the entire company selling them some service or product. A person should be able to decide their personal security level.

Alas, we don't really have much choice in what current companies give us. But if we voice our opinions loud enough, maybe new companies will give us the agency we want, and maybe that tiny competitive edge will prompt other companies to match them.


The "standard" is to have someone else deal with it. Login with Auth0/Apple/Facebook/Google/GitHub/Microsoft/GitHub/Twitter/etc is that.


OAuth2/OIDC isn't enough. There are many cases where they're not an option at all; outside of (internet-connected) browser flows, you need more solutions. They add a ton of complexity and are difficult to implement correctly. They don't support other protocols. The implementation of each is specific to the provider ("scopes" is application-specific, etc). You aren't guaranteed to get all the functionality (grant types), assuming all parties have implemented them. And it doesn't provide a standard for MFA, challenges, recovery, secret storage, secure login to the IdP, etc. It really only covers a single use-case. When people do implement that use-case, they often do so improperly, leading to gaping security holes.

So we need more standards. But those standards need to come in three varieties: 1) new standards, 2) simpler designs, 3) guidelines for implementations. There are solutions that exist today, that have no standard. There are "standard" designs today, but they're overcomplicated. And we need better guides on how to implement standards so that users (and developers) have an easier time using the solutions.


It's comical, some site only allowed auth via Twitter, and I signed up for Twitter via a burner Google account. I get redirected like 30 times logging in and asked about my favorite celebrities along the way.


A nice little read! Fun to have a short trip through history, there.

I'm a little disappointed that it didn't talk about passwordless logins, at all, though. I'm thinking of implementing one, and I was hoping this would give me some food for thought! Ah well.


I find myself wondering, how much collective time is being lost these days to authentication? I mean, if you have to authenticate using your phone, you have to dig it out of your pocket, sign into the phone, read the text message or use the authenticator app, type in the code...


And how much time is being wasted on authentication when they don't accept valid credential because you cleared your cookies or changed IP or whatever?


We have all been using physical keys for our homes and cars our whole lives. Physical U2F keys for digital authentication are basically the same level of convenience and actually very very secure: no shared secrets, not copyable, not forgeable, not vulnerable to phishing, etc. I don’t know why we haven’t all jumped on this solution to digital authentication.


I can get any proficient locksmith to open my front door with valid photo ID. In a pinch I can get in using a brick, a window, and a good throw. The police might turn up or they might not.

With 2FA, a lot of times I’m going to go through endless technical support, or I will be told it’s simply “not possible” for me to regain access to my accounts.

There’s a third tier here, which is 2FA at work. If I lose a 2FA token I can usually get the IT or security team to let me back into the system because they’re physically present and know who I am.


I have like 2 or 3 physical keys. I have accounts on hundreds of websites. Sure, you can use the same key on every website but you better not lose it. So now you need to register multiple keys on every website. Also if you lose one you need to go back to every single site and add your replacement. (I hope you remember every site you have signed into.)

So "not copyable" is actually a huge downside for convenience. Such a downside that even though I have a collection of U2F keys I only use them in a handful of accounts. The maintenance cost is just far too high.

To resolve this you would probably need something like cross-signing. So I can say "I know that you only trust key A, but I lost it a few years ago. However I have an attestation from key A saying that key B is mine as well. Here is a signature from key B". However this is effectively equivalent to copying keys. So it basically defeats that point.
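The cross-signing idea in the comment above, written out as an added example (not code from the post or from any U2F vendor): key A signs a statement naming key B ahead of time, and the site later accepts B when shown that statement plus a fresh challenge signed by B. The message format, the `Account` type and the challenge value are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Attestation is the "key A says key B is mine" statement: a message naming B,
// signed by A while A is still in the user's hands.
type Attestation struct {
	Attester ed25519.PublicKey // key A, already registered with the site
	Subject  ed25519.PublicKey // key B, the replacement
	Sig      []byte            // A's signature over attestationMessage(Subject)
}

// attestationMessage prefixes a fixed context string so the signature cannot
// be replayed as a signature over some unrelated piece of data.
func attestationMessage(subject ed25519.PublicKey) []byte {
	return append([]byte("cross-sign-v1:"), subject...)
}

// Attest is run by the user ahead of time. Whoever holds A's private key can
// mint one of these for any key at any moment, which is exactly why the comment
// observes that cross-signing is effectively a copy of A.
func Attest(attesterPriv ed25519.PrivateKey, subject ed25519.PublicKey) Attestation {
	pub := attesterPriv.Public().(ed25519.PublicKey)
	return Attestation{
		Attester: pub,
		Subject:  subject,
		Sig:      ed25519.Sign(attesterPriv, attestationMessage(subject)),
	}
}

// Account is the site's view of one user: the public keys it currently trusts,
// keyed by the raw public-key bytes.
type Account struct {
	Trusted map[string]bool
}

func NewAccount(registered ed25519.PublicKey) *Account {
	return &Account{Trusted: map[string]bool{string(registered): true}}
}

// RecoverWithAttestation is the login path for a user who lost A. They present
// the attestation plus a fresh challenge signed by B. On success B becomes a
// trusted key; A stays trusted until the user revokes it separately.
func (a *Account) RecoverWithAttestation(att Attestation, challenge, challengeSig []byte) error {
	if !a.Trusted[string(att.Attester)] {
		return errors.New("attesting key is not registered on this account")
	}
	if !ed25519.Verify(att.Attester, attestationMessage(att.Subject), att.Sig) {
		return errors.New("attestation signature does not verify")
	}
	if !ed25519.Verify(att.Subject, challenge, challengeSig) {
		return errors.New("challenge was not signed by the attested key")
	}
	a.Trusted[string(att.Subject)] = true
	return nil
}

func (a *Account) IsTrusted(k ed25519.PublicKey) bool { return a.Trusted[string(k)] }

func main() {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	acct := NewAccount(pubA)
	att := Attest(privA, pubB) // done while A is still in hand

	// Years later, A is lost; the site issues a challenge and B answers it.
	challenge := []byte("constructed challenge nonce 0001")
	err := acct.RecoverWithAttestation(att, challenge, ed25519.Sign(privB, challenge))
	fmt.Println("recovery with B:", err, "| B trusted:", acct.IsTrusted(pubB))

	// A key with no attestation from A gets nowhere, even if it attests itself.
	pubC, privC, _ := ed25519.GenerateKey(rand.Reader)
	err = acct.RecoverWithAttestation(Attest(privC, pubC), challenge, ed25519.Sign(privC, challenge))
	fmt.Println("recovery with self-attested C:", err)
}
```

The site never learns anything secret about A or B; it only needs the attestation to have been signed before A was lost, which is the maintenance burden the comment describes.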


Well for one, security keys have arbitrary limits. The latest yubikey can store up to 25 FIDO2 credentials for password-free logins, two OTP credentials, 32 OATH credentials for one-time passwords (when paired with the Yubico Authenticator), and an unlimited number of U2F credentials [1].

[1] https://support.yubico.com/hc/en-us/articles/360016649339-Yu...


Theoretically it's a good solution, but practically it's an enormous task to migrate all existing digital infrastructure into a new hardware security paradigm.


Oh, this was disappointingly light on substance. It's an interesting musing on the history of passwords and the (very real) frustrations of modern authentication.

I thought it would have more depth though into the current state of various authentication schemes, in particular passwordless, which isn't actually mentioned at all. I find passwordless to be slightly less bumpy than various 2FA but still a genuine pain in the ass, to have to open up email in a second tab, wait for the email to come through, and then often follow a dubious link.


I have an iPhone that fell, and its fingerprint reader doesn’t work any longer. It simply cannot recognise my fingers, or it does recognise the finger once in like 50 attempts. I was unable to trace what I did and how much I pushed that sensor. I turned the biometrics off and use passwords instead. It’s less convenient, but I’m not planning to upgrade the phone for that very reason either. So I’m stuck with this for a while. I cannot imagine how passkeys are going to work in this scenario.

This, and also brand dependency, is what makes me worried about passkeys. If I got the idea correctly, it hashes my fingerprint data, but what if my fingerprint changes? I have that very often on my iPad that it stops seeing my thumbs as the correct thing. I assume that happens due to some manual work I may do. And my thumb becomes different to the sensor. I hack that with my pinky finger, for some reason it’s more reliable. But what if something happens to the sensor and it stops being reliable.

What are my options then? What are my options if I’m about to change my smartphone brand? What are my options if I’m on my PC that has no sensors for any biometrics?


Interesting that the article picks Notion as its example. For me too it seems like I am initially NEVER logged in no matter how often I login to Notion.


If the author is reading this, sorry but I spaced out when you started going into the history of passwords.

When you say passwordless in this day and age my thoughts go straight to hw keys.

And speaking of hw keys I started using one alongside my gpg password for my personal password manager a year ago.

After 1 year I removed the hw key from the list of keys.

My experience is that it's more of a hassle to reach for a hw key every time I need to view a password, than it is to just enter a very long passphrase.

I'm of course special to be able to remember multiple very long passphrases, but as long as I do it's much more convenient.

Then it also got me thinking, what if I had gone 100% hw key and lost the key? Then my passwords are lost forever. It's much harder to lose the passphrase in my head.


What really annoys me lately is websites which require me to verify my login by email, but which also allow me to change my password by email without knowing the old password. It seems to be an attempt at "2FA" but it ends up being 1FA, and even less secure than if they'd just accept my password on its own.

A friend of mine recently got caught in a loop where he wanted to interact with an account that he hadn't used in a long time, which was registered under an email he hadn't used in a long time, which had a recovery email set which he also hadn't used in a long time. He had the passwords written down for all three, but account A refused to let him in without an email verification (but would let him in without a password, if only he could access the email), and email A wouldn't let him in without proving he had access to email B, which wouldn't let him in without proving he had access to email A. A person who wandered into a logged-in computer with access to email B could theoretically have done anything they wanted to all 3 accounts, password or not, but the rightful owner was forbidden from using any of them, despite knowing all the passwords.

I miss the days of, "You have a password, and we'll assume anyone with that password is you. Don't get phished." It's actually pretty easy not to get phished, and sometimes downright impossible to go through the hoops that all of these new anti-phishing measures require.

A service I stumbled into recently which I think does it right is Mullvad. They've taken it a step further and done away with usernames, too. They just give you a long numerical code and tell you that if you lose it, you're screwed. It feels much more respectful to the user.


I have 743 login credentials (1984-present).

Trusting 743 “randos on the internet” to safeguard “my” data, and give me access to use it.

Insanity.

Agent-Centric systems where I retain signing keys to authorize access to (and transactions using my) data are the way forward.

A Key Fob (like you have for your car) is not onerous, and methods for recovery using trusted community members is practical.

Holochain (and the Holo project) are good examples of working implementations.


My main issue with Holochain and agent-based systems is that I am the agent, but the system is built around my singular device being the agent. Now the work on linking my devices and convincing other "agents" in the system that these collections of keys represents "me" is forced back onto me.

In other words, agent-device-based identity is a crappy experience for some mixture of end-users and/or devs. Either the user has to manage multiple identities, or the devs have to build ad-hoc identity systems on top of the agent-device-based system.

I think PGP got about halfway there, but falls short in a lot of ways.


Yes, you'll have many machine Agents that are grouped under your personal agency.

In Holochain, a standard service named "DeepKey" (https://github.com/holochain/deepkey, still under development) is tasked with managing groups of "Agent" keys.

On creation of a new Holochain Agent (associated with some Holochain application or piece of hardware), you'll associate it with your Deepkey keyset. Later, you can discard (or recover agency over a lost private key for) an Agent ID.

But at no time should "randos on the internet" be responsible for the agency of your data. That's just crazy -- no matter how "easy" they make it, they simply don't care (evidence would suggest) as much as I do about my data.


Key fob and the recovery method works for vehicles because it also requires physical access and knowing where that specific car is. It’s very easy for somebody to steal a specific car, even high end luxury car without after market mods if they can get to it.

This doesn’t work for the internet because anyone can access the target from anywhere.

We already do this to a degree with trusted CA centralization and there are recorded incidents (pretty frequently) of major breaches and state actors posing as various entities.

The stakes are also different, stealing a car is hard to do when it has physical security and has physical consequences. It’s also not worth a whole lot after because it’s hot. Stealing somebody’s identity is worth a whole lot more, hard (if even possible) to recover from and can be done remotely from anywhere.

I think centralization around brokers is a terrible idea. Look at Equifax, the audit after revealed it was only a matter of time before somebody utilized the multiple gaping completely negligent holes they had. The resulting fine for leaking every man, woman, and child’s ssn, birthdate, address, and drivers license was the equivalent of a few dollars to them.


In some of the Holochain prototypes I've built, certain state changes are more critical than others.

For some, you might allow "what you know" security (ie. the agent knows your private key).

For others, you might demand "what you know + what you have" security (ie. the agent knows your private key and has provable access to your device). I used various proof of knowledge constructs, such as the ability to read "Private" Holochain entry data (that only exists on-device, and not in the DHT), and demonstrate this by providing the hash or PKI signature of the private data (which is published to the DHT, in an entry provably before the private data being proven was written). There are other ways.

For yet others, you might want that, plus "who you know" security, in which case we do all of the above, and ask some previously defined Agents to also sign the transaction before it is allowed to be written to the Agent's source-chain.

So, the requirements for logical, physical or relational levels of security are available to Holochain / Holo hApps. This is higher security than is available for physical devices like cars, and is even better than provided by devices like Apple iPhone and Watch -- because you retain control over releasing the lock (if you forget your password and lose access to your email address, your Apple device is locked, forever).


I mean, either those services need your data or they don't. I don't see how requiring you to upload or decrypt your data every time you want to use a service would be feasible for most things.


743 x:

- Addresses that are wrong

- Passwords stored (probably insecurely)

- Other personal data that can be stolen

If they "need it", they can be granted access to it (or a personally encrypted copy of it unique to them). Of course they can (and likely will) mis-manage even this data; Zero-Knowledge Proofs and Homomorphic Encryption should be used instead, where possible.

Remember, Public data written by an Agent are written to the DHT and are persistently available, so "upload and decrypt" isn't really usually a thing in Holochain hApps.

So, if they want to make some non-repudiable claim under the auspices of "my account" (ie. claim agency on my behalf over some change of state, such as a "post" under my name, ...), then they can bloody well get me to sign such a state change with my private key. And, make all such data publicly available so that I (by my sole decision) can cease to use their service and take my data elsewhere.

Remember -- these are "randos on the internet" holding your data. Hundreds, or possibly even thousands of them including all the partners they sell your harvested data to, who are evidently incompetent in managing/securing it, and certainly don't care a whit about you and the sanctity of your data.


My biggest pet-peeve is when they just ask for your email address, then on the next page inform you they've emailed you a one-time login code, and then you need to hunt for the link in small text along the lines of "Log in with a password instead".


Lots of people having lots of issues in the comments, I can't be the only one that has no problems with this.

I use bitwarden, it has my passwords and my TOTP codes in there, I have this on my phone and on my computers, everything auto fills. Other than that, I also have a hardware key for some services, all I need to do is click the hardware key when prompted. Some services only have email 2FA, but that's quite easy as well, I just get a notification and copy the code from there.

Doing a chain of 3 2FAs for 3 different services takes seconds.

For improved security this is easy, I'm not sure what everyone is on about.

Is this another case of complaining just for the sake of it?


I can't login to a website from my desktop any more because I enabled passkeys, and my desktop doesn't have bluetooth to talk to my phone.

Nor does anyone say what version of bluetooth is required.


Why would you use a passkey manager that required a phone and BT? that's nuts.. 1password and Safari both handle syncing passkeys between all your devices - no device swapping needed.


It's the default.

Isn't putting your private keys on the internet the thing we're trying to avoid?


It is really hard to read that article on a site where 20% of the page is covered by a cookies warning with only an "OK" button. Talk about hell.


Fraud is a huge driver of this. The need for high friction is here as more people are issuing chargebacks, hackers are getting more bold, etc.,.

Source: I work in ecommerce.


My work just replaced our VPN app (which required a password) with something that they excitedly promised would provide us "passwordless login!"

Lo and behold, it uses 2FA. Periodically I have to go get my phone[1] just to do my work. Way more friction than typing in the password.

[1] No, I don't keep my phone on me all the time. It usually just sits in some random room at home.


They are managing their liabilities, as is standard industry practice. I'm surprised your workplace did not have 2fa until now


Not arguing that 2FA isn't more secure. But don't promise a smoother driving experience by removing speed bumps and replacing them with stop signs.


Our VPN login used to be type your password, then accept the push notification from Duo. Now we decided push is insecure, so you now have to type "<your password>,<Pin from Duo>" as your password.

The starred-out password field plus my blank keycaps are a real test of my touch-typing ability.


Anything other than username/email + password is stupid bullshit, I don't care what any cybersecurity nerd says.


Freakin Chipotle has mandatory 2FA. Blows my mind how thoroughly I need to authenticate myself to order a dang burrito.


Surprisingly, Chipotle is its own layer of hell when it comes to auth. Every time I need to sign in, I need to reset my password.


McDonald's, Taco Bell, and Dominos apps seem to be the best, everything else ends up in login hell (though I suspect I have two McDonald's and Taco Bell accounts from before they added Apple login).

Some are literally so bad I just won't use them anymore.

All most of these things need is basic authentication, set some long-lived whatever it is based on the Secure Enclave, and then don't allow seeing the charge method or changing the delivery address without requiring some second factor. You don't need full bank-level security for a burrito (amusingly enough, my bank security is more based on normal things than the burritos are).


This is why I run passwordless on my most high value/important services and use my password manager to hold passwords for all the end point services like ebay and other low-risk / low-expectations sites.

For me it's about lowering the price to use a service. (as in mental price not dollar value)


I'm currently unable to log in to my Amazon account on new devices because I accidentally deleted the MFA for it. I've submitted my government ID to their recovery form multiple times. No response. Phone customer support said they couldn't do anything. Any ideas?


SMS-based 2FA is still vulnerable to phishing, but U2F is not. This has been solved for a while now, but I guess it's still a hassle for most folks to use them.

I got my whole family Yubikeys a while back, and it seems to be going pretty well.


How do you backup access? The one thing that's stopped me from pulling the trigger on U2F is if that device is lost, stolen, or broken then I'm hosed, right?

With standard 2FA, I have backup devices and codes that I can restart from scratch with if my phone is ever lost/stolen/broken.


Backup codes and (in my case) backup keys. In the corporate world, the backup codes can be generated and shared on-demand, or U2F temporarily disabled if ID can be verified another way.


Write down your backup codes. Register a second key if possible. Google accounts are set up to prompt phones, too. In some cases we still have SMS 2FA enabled.


I've had a personal Google e-mail account for decades.

I never worried about losing access to it.

Until the day I enabled 2FA on it.

You can't get my personal e-mail password out of my mind but you can get my smart phone out of my hand.

I've used half my backup codes by now.


Auth is like paint. Adding more layers can make it better or worse.


Can we talk about having your account locked from a website because a bot attempted to login using someone's email address?


90 days timeout for a login session seems very decent. Why is logging back into a service once every 3 months even an issue?


I love the theme of this blog but the side bar just disappears when scrolling which is kinda jarring.


You are a pavlovian dog, 2FA is just reporting to uncle Sam.

It binds the biologic to the transaction, no plausible deniability.

Great for securely buying Pizza but not so much for the future of humanity.


It's a joke how bad a future white people have ahead of them. Even their best here are hopelessly clueless about the situation they are entering into.


"I, like most people, hate passwords..."

Citation needed.


The reason this happens is because of bad actors. This is why we can’t have nice things. Walk around and pay attention next time and you will notice all the little things that are shitty because of bad actors like thieves.


I came to this realisation not too long ago as well. It's saddening to imagine how much better the world in general would be if it weren't for criminals.

Generations before mine talk about their childhood as a wonderful time. Not having to lock their bikes up when going into a shop. Not having security cameras watching their every move. Not having barriers everywhere to prevent theft. My local supermarket introduced receipt scanners a few months ago that block you from exiting. They treat you as a thief by default.

I wish I could live in a high trust society. It sounds like in some parts of world (Japan for example) there are still elements of that.


It's not really so easy to peg the blame solely on the existence of criminals. For one thing what makes a person a criminal changes over time as we redefine what is illegal and what technically illegal acts are given priority enough to enforce.

More importantly though, generations past also often lived in smaller communities than we have today. When your world is smaller and you are only a degree or two of separation away from everyone, people often feel more bound to a certain standard of behavior. Stealing a bike in NYC today is one thing, stealing a bike in a town where you probably know whose bike it is and someone will recognize it if you ever actually ride it is very different.

The larger we grow societal centers and the more we expand the boundaries of our own world, the more we break societal bonds and need laws to enforce rules that are more easily broken when your victim is just another random person living there.


Bear in mind that the security/surveillance sector of the economy (including police) are heavily incentivized to exaggerate the risks of crime, as are politicians who want to appeal to a certain sort of voter. There's a lot of money to be made out of running a police state.


I agree! And I think we could if we had very harsh punishments. We are way too lenient on crime.

Steal? Life in jail.

Litter? Year long sentence.

Assault? Life in jail.

Criminals are going to commit crime and there is absolutely no evidence that rehabilitation works for those kinds of crime. We need to keep them away from society and change our culture to be entirely intolerant of crime.


I really hope this is facetious.


Thieves and other "bad actors" are often a consequence of deeper underlying problems. People don't tend to steal that much when they are economically comfortable. OTOH with no legal resort to get sustenance, you're guaranteed to get people to resort to illegal means.

I'm rather baffled how educated adult human beings keep on analyzing the world using moralistic fairytale level concepts like "bad actors" or "evildoers" as if there are some inherently tainted souls doing bad things just because they are bad.

In my, probably biased, assessment this is especially prevalent in the US public discourse.


I know the GP used "thieves" as a comparison, but I think it took the conversation here a different direction than intended.

You can justify some thievery due to social problems - stealing for food is one thing.

But if you eliminate "fairytale concepts" like "bad actors", how do you explain the people constantly attacking managed services and trying to gain access to other people's accounts? These surely aren't the guy on the street looking for their next meal.


If what you are claiming is true then the welfare state of Sweden wouldn’t experience almost any crime at all because no one in Sweden suffers from food insecurity.

The educated middle class can afford to hold the most out of touch abstract theories because they don’t need to suffer the consequences.


>Thieves and other "bad actors" are often a consequence of deeper underlying problems. People don't tend to steal that much when they are economically comfortable.

As time goes on I believe this less and less. I don't even think it's supported by the data. Spain or Sweden have way more thefts per capita than, say, Poland. Am I to believe a poor person is better off in Poland than in Spain or Sweden? They literally freeze to death sometimes.

I'm Spanish, I remember visiting Helsinki and finding toys in a wooden trunk in a small park for children. My first thought was "How is nobody stealing these?" and the second, immediate thought was how utterly sad the first one was. Am I to believe it's poverty pushing people to steal children's toys?

I think social cohesion is a factor often ignored, which is amazing in a way because it gets alluded to all the time, "They are tourists, who cares?", "Yeah but that guy is rich", "it's a supermarket", "They have insurance", "they are non-gypsies". Any of these has an implied "I don't care about that person because...". And this generates a feedback loop. It's harder to care about other people and have sympathy for them when you don't trust anyone not to steal your stuff if you leave it unattended for five minutes.

In retrospect, I do think those toys got "stolen" frequently, just because children grab stuff all the time and I'm sure it ended up lost more than once, but there must be an insistence to trust your fellow man, to trust that if a good is lost there must be a good reason. I don't think we have that trust anymore.


I'm from Helsinki and very much think it's safe because of relative lack of poverty, equality, relatively good opportunities regardless of background and social safety net that can be mostly trusted on. The social cohesion is the product of this.

We aren't some master race with pure souls. Finland was a shithole until about after WW2 after which the society was deliberately built to not be a shithole.


Both things can be (and are) true. There are deeper underlying problems which give thieves incentives to steal. Thieves are also acting badly (thus, are bad actors) when they steal.


I try to avoid making moral judgements as much as possible, because moral judgements are thought-terminating clichés.


If you were poor, you'd be carjacking people?


Quite possibly, especially if I'd be born into poverty. I gather you are quite sure you wouldn't?


This looks like a ridiculous strawman argument. For example, there's a large difference between stealing food from a produce stand (which I would certainly do if the alternative was to starve) and "carjacking people."

I agree with the OP - as a society, we should look more at aligning incentives rather than instilling morals.

Another huge area this comes up is the war on drugs - if you're caught with drugs, we slap you with a felony that ensures you can't get a real job... pushing you right back to drugs.


>if you're caught with drugs, we slap you with a felony that ensures you can't get a real job... pushing you right back to drugs.

I could say the same thing for any sort of crime. If you're an accountant, and you get put in jail for embezzling, that conviction is going to prevent you from getting another job as an accountant.

While there have been a few controversies about jobs that the law excludes felons from, in a lot of cases there's nothing preventing you from hiring a felony drug criminal. If you personally are fine with drugs and you think that committing the crime doesn't make him a danger to your business, go ahead and hire him. If you won't, it isn't the conviction that's keeping him from being hired, it's the crime; the conviction just lets you know that he committed a crime.


Your last paragraph and comment down-thread I think discounts both the many ways the legal system and drug use are entangled, and the reality of how job hiring works.

It has been my anecdotal observation that it is more common for small, local businesses to "look past" prior convictions when hiring and be more willing to take chances on their neighbors.

Large corporations with big HR and legal departments typically have a dimmer view of things however.

Right or wrong, it is harder to get a job with a past conviction. Without a job, it is difficult to earn a living, feed and house yourself and your family. When people are desperate and unable to survive through legal means, they resort to whatever it takes to survive. It's human nature.


What a weird comparison. Embezzling is abusing a position of trust to become a thief. Who was abused if someone privately consumed drugs?


If you believe that privately consuming drugs doesn't reflect negatively on someone, you can hire them. If you don't hire them and nobody else hires them either, the drug use is keeping them from being hired. It's misleading to claim that the conviction keeps them from being hired rather than the drug use.


> It's misleading to claim that the conviction keeps them from being hired rather than the drug use.

If I'm understanding you correctly, you're arguing that a drug user is less employable (perhaps because you believe drug users are untrustworthy or unreliable), and this is the reason they aren't hired.

But a conviction for a drug crime years ago does not mean someone is a drug user today. It is the conviction, not drug use, keeping them from being hired. A drug test would make more sense if you want to determine whether someone is a current drug user.

And besides, without the conviction you may be unaware of their drug use. If someone has a drug habit, but nobody can tell, what exactly is the problem? There are plenty of "functioning alcoholics" in the workforce.


That's nonsense. If you have a private drug habit and don't get caught, that won't come up on a background check. Lots of people consume recreationally without being addicts or messing up the rest of their lives. A conviction (sometimes just an arrest record) that comes up on a background check will automatically put applicants in the reject pile in many jobs. This is such a common problem some US states (eg California) have passed laws to prevent employers demanding this information of applicants.


Why don’t thieves stop being thieves after they can afford food?


I suspect they often do.


I think the original commenter used thieves as an example of a general problem. There are other ways to arrive at the same outcome. Mistakes, greed, ambition, sociopathic tendencies lead to the same overly complex rules and regulations. There will always be a small minority of people that break the social contract. People who share a password without knowing any better may not be evildoers, but the outcome of their actions is the same.


But they don’t steal food they steal TVs and power tools or cars. It’s a lifestyle not a survival mechanism. When I was poor I stole food so I wouldn’t go hungry. I never stole money or robbed people… those are just lame excuses that allow them to keep committing crime.


Nah, thieves are scum.

People don't steal cars and bikes to buy food, they do it because they're selfish and want a shortcut to get the things they want. In any first world country there are ways to get food without resorting to taking other peoples' possessions that they worked hard for.

There are many people out there having a really hard time who would never even think about stealing because they were raised with a functioning moral compass.


It’s a matter of degree. We often put people in the position where they need to do some pretty terrible, degrading work just to eat. In my view as the alternatives you have get worse, it gets less morally questionable to steal. Furthermore, I think it should largely be evaluated by the harm it does to others, e.g. stealing a car from a sheltered rich person who can afford an uber in an emergency does them much less harm than from a poor person, who may not be able to get to work and put food on the table. I'm not even saying it’s fine to steal the rich person’s car, just relatively okay. Thieves are definitely selfish, but so is everyone else in our free market system. We consider it a virtue when the right people do it. Look, most of the time I agree that like, fuck thieves. I just also think that the underlying issues are inequality, alienation, and other socioeconomic shit, and that condemning thieves morally is counterproductive because it distracts from the useful changes to prevent them from becoming thieves.


> Thieves are definitely selfish, but so is everyone else in our free market system.

In a free market, all transactions are voluntary. "Selfishness" just means that you only agree to a transaction if it benefits you. But the other party will only agree if it benefits them, so it's a win-win.

Thievery, OTOH, is not voluntary for the victim, and is, at best, a win-lose. Not at all the same as a free market transaction.


This is why we can't have nice things.


I don't know how I'm supposed to have any sympathy for thieves when myself and my family have been victims of multiple thefts totalling tens of thousands of pounds over the past years. I comforted my mum while she bawled her eyes out for hours when her car was stolen off of our driveway at the crack of dawn. Fuck thieves.


Once a thief, always a thief, there's a reason it was punished so severely throughout history.

Theft has the highest recidivism rate too[1]. You can never trust someone who has stolen again, thieves are the scum of the earth and only hurt good people.

[1] https://www.gov.uk/government/statistics/proven-reoffending-...


Hmmm maybe there is a good reason they chop off thieves' hands in Islam...


Jesus guys


Exactly. Being a thief is a personality. We need to lock them up forever. How dare someone take something that isn’t theirs.


Both can be true: thieves are scum and modern society exacerbates the problem.

Sure, we should punish crime but never solving the root problem and taking a "hardline" approach towards the symptoms feels good. But, it puts us in a perpetual state of law enforcement and anxiety about crime.


Please explain what the root problem is and how to solve it.


Healthcare should be universal and require almost no paperwork from the patient. Our current system is too bloated and either requires a job with good insurance or weeks/months of research into your options.

Agencies like the DEA should be abolished and possession/use of drugs should not equal prison time or anything on your record. Of course, things like driving impaired are still punished because you're endangering others.

College should not be expensive or put you into debt for decades. In the US, we need a general cultural shift away from hyper individualism and unregulated capitalism.


Sweden has universal healthcare and education is free, but still Sweden suffers from massive crime wave.

Sweden's welfare state is a left wing dream come true, however the bad news for the left is that it empirically disproves every left wing idea about crime and society.


You're getting downvoted, but the current situation in Sweden is a good example of why universal healthcare and free education are not enough.


In a society that considers most rich people "bad actors" or "evildoers" (i.e. they'd never be that rich if this was a fair game), that's pretty erm… rich of you to say.


I think it's the people who pick bad passwords that are making login flows worse. Bad actors are the reason we have passwords in the first place, yes, but authentication still shouldn't be as bad an experience as it is today. As it turns out, after thirty years of internet access, people just suck at picking a good password.

When I generate random passwords, people complain that they're unreadable. When I ask them why the password they need to enter once every two years would need to be readable, they just shrug. When I bring up the ability to save passwords to their devices using a password manager or their browser, they say they're "not into IT" and ignore any advice beyond that. Then they change their passwords to Welcome2024!, and that's why we have to make things more complicated. I don't care about most random accounts, but the Welcome2024! people are the ones safeguarding personal data, medical information, and so much more, and if they don't care, you have to force them to use computers responsibly.

Most websites would be perfectly fine with just a username and a randomly generated password. Even eBay or banks, if we're talking about <€100 worth of transactions/day. 2FA is a workaround only very few, very important services should actually need.

However, in real life, we can't do that, because when the Welcome2024! people get their accounts taken over, their digital wallets drained, their credit cards emptied out, and their life ruined by people on another continent, it's always the websites' fault. People love to say "Google/eBay/PayPal/my bank should've prevented this" but when these services take steps to prevent that stuff, they get mad that everything gets so complicated.

Bad actors will always cause things to be worse, but the general apathy the general public has to digital safety is the reason why it's _this_ bad.


This happens because people won’t use a password manager and insist that “monkey123” is their super-secret unguessable password. The solution is to force them to use some kind of credential store (SMS 2FA, passkeys), because they can’t be entrusted to just hit the “generate secure password & save” prompt in the browser.


2FA is more than defending against bad passwords but also compromised passwords (e.g. you accidentally share it in a public forum) and phishing attacks. It's very unlikely a bad actor has access to both factors.


2fa and always having to enter a pin for credit/debit cards is simply a way for banks to refuse to refund fraud.

Because no one has ever hacked 2fa and stolen a pin before /s


Biometrics seem worse-is-better: you now have some unique identifier for me, which is totally swell until the inevitable DB breach.

Which breach will likely be due to an Admin whoopsie of some sort.

Because the people remain the weakest link.


Could you elaborate on your concern? My understanding of how most biometric auth works is that it functions a lot like passwords in that your features get translated into a non-reversible hash that should be meaningless to any other biometric auth system.


Yeah, assuming that my biometric auth is relatively strong, stays on my device, and is a device-specific hashed representation I have a hard time finding fault. I believe most modern phones' biometrics fit those criteria.
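An added example, not part of the thread and not any phone vendor's scheme (those are proprietary and run inside a secure enclave): the two comments above describe the template as a "non-reversible hash", and the catch a practitioner should know is that a biometric sample is never bit-identical between scans, so a plain hash of it would never match again. The standard construction that gives a hash-like stored value while tolerating sensor noise is the fuzzy commitment of Juels and Wattenberg: a random key is encoded with an error-correcting code, XORed with the template, and only that XOR ("helper data") plus a hash of the key are stored. Parameters here (16-bit key, 7x repetition code, 112-bit "template") are toy values chosen so the example is readable; real deployments use long keys and stronger codes.

```python
import hashlib
import random
import secrets
from typing import List, Tuple

REP = 7        # repetition factor: majority vote corrects up to 3 flips per key bit
KEY_BITS = 16  # toy key length (assumption); real schemes bind 128+ bits

Bits = List[int]


def encode(key: Bits) -> Bits:
    """Repetition-code encoder: each key bit becomes REP identical bits."""
    return [b for b in key for _ in range(REP)]


def decode(codeword: Bits) -> Bits:
    """Majority-vote decoder for the repetition code."""
    return [int(sum(codeword[i:i + REP]) * 2 > REP)
            for i in range(0, len(codeword), REP)]


def xor(a: Bits, b: Bits) -> Bits:
    return [x ^ y for x, y in zip(a, b)]


def commitment_of(key: Bits) -> str:
    return hashlib.sha256(bytes(key)).hexdigest()


def enroll(template: Bits, rng=secrets.SystemRandom()) -> Tuple[str, Bits]:
    """Enrollment. Stored on the device: H(key) and helper = C(key) XOR template.
    Neither value alone reveals the template; the key is discarded."""
    key = [rng.randrange(2) for _ in range(KEY_BITS)]
    helper = xor(encode(key), template)
    return commitment_of(key), helper


def verify(commitment: str, helper: Bits, sample: Bits) -> bool:
    """Verification. helper XOR sample = C(key) XOR (template XOR sample); if the
    sample is close enough to the template, decoding strips the noise and the
    recovered key hashes to the stored commitment."""
    recovered = decode(xor(helper, sample))
    return commitment_of(recovered) == commitment


def make_template(seed: int) -> Bits:
    """Constructed stand-in for a feature vector; a different seed is a different person."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(KEY_BITS * REP)]


def add_noise(template: Bits, flips_per_block: int, seed: int) -> Bits:
    """Constructed sensor noise: flip `flips_per_block` bits in every REP-bit block."""
    rng = random.Random(seed)
    noisy = list(template)
    for start in range(0, len(noisy), REP):
        for pos in rng.sample(range(start, start + REP), flips_per_block):
            noisy[pos] ^= 1
    return noisy


def demo() -> dict:
    template = make_template(1)
    commitment, helper = enroll(template, random.Random(42))
    return {
        "same_finger_noisy": verify(commitment, helper, add_noise(template, 3, 7)),
        "too_noisy": verify(commitment, helper, add_noise(template, 4, 7)),
        "other_person": verify(commitment, helper, make_template(2)),
    }


if __name__ == "__main__":
    print(demo())
```

What this makes concrete about the "stays on my device" debate: the stored pair (H(key), helper) is what would leak in a breach. With a strong code and a high-entropy template the helper alone is useless, but with a low-entropy template it leaks information about the biometric, which is why the helper data still belongs inside the enclave rather than in a server database.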


> stays on my device

Heh.


OK, so we're at that level of contribution, are we?


I'm just saying that the information staying on the device is aspirational.

I see that this skepticism has offended.


Well because, to me at least, it's less skepticism and more cynicism.


What do you think would happen if it didn’t stay on your device? Just trying to understand if there’s an attack vector I’m missing. What could one do with that information given how it is encoded?


Biometrics don’t require consent. Just hold up a friend's phone towards their face.



