Authenticating to a website, 2010: Type in username and password
Authenticating to a website, 2024:
- Type in username
- Look up 20-character password in password keeper
- wait
- Prompt for 2FA token
- Dig out phone
- Unlock phone
- Scroll through 50 services to find 2FA token for website
- Type in 2FA token
- Success
- Receive email alerting you to the fact you've logged in
- Six weeks later: receive email telling you service had been compromised eight weeks ago and you must change password.
@jzb In 2010, if a service was breached, the passwords were probably stored in plaintext and you could just credential stuff another service with it. Since there was no 2fa, you'd get in all those accounts. Bruteforcing an individual user was extremely possible too, and once you got the hit, you're in, nothing else needed. Try that now with a service like Google and you'd know it's close to impossible.
Anyways, passkeys are the future for frictionless secure authentication. Once more services adopt this, login should become easy & convenient once again, except secure this time! :)
Joe Brockmeier (@jzb)
skull