BTW, when the Big Tech bros wax poetic about eliminating passwords by requiring passkeys, you can bet they probably don't deal with anyone who doesn't have a phone and whose only access to the Internet is public computers like in libraries. And please don't suggest that someone who may have all their possessions in a shopping cart carry and use a Yubikey (even if USB ports weren't blocked on public computers, as they often are). The Bros often don't have a clue about the real world.

@lauren 100% this...

Plus, a lot of companies don't provide a company phone, so do they have to use their personal one? Isn't that a hell of a risk?

@Extelec @lauren yeah unions need to push back against this (mine is). Seems like a great way to install spyware onto your employees' phones.
@beaumains @lauren this is one of my concerns, it can link a personal account with a business account, or business to business. The opportunity for tracking and making connections is huge.
@beaumains @Extelec @lauren how about work profile for company apps? Seems like a pretty decent compromise to me. :)

@djdiskmachine @beaumains @lauren Could you just carry this tracking device around for us? And oh, can your company use your car whilst you are at work too?

FOC of course.

@djdiskmachine @Extelec @lauren yeah so, one of the big reasons companies want that is so they can wipe their data from your phone when they ditch you for someone cheaper.

The thing is that it's my phone, I bought it. That means that I get to decide what it does, including what data remains on it. I root all my phones because I like the control. Companies want to exert more control and ownership over my device than they think that I have. This is unacceptable.

@Extelec @lauren I have work apps on my personal phone and several times in the last year have seriously considered a super cheap Android phone _just for them_.
@static @Extelec @lauren I don't mind work apps on personal device, but if they want control over that device then it has to be a device they own.
@LovesTha @static @lauren and that control is telling you (or forcing you) to put work apps on your personal device. No!
@Extelec @static @lauren I mean the mode where your employer's IT people have some administrative control over your phone. Teams wouldn't let me sign into the work accounts unless I allowed that. So I didn't sign in.
@lauren

"Works for me" writ large.
@lauren
They definitely don't class people below a certain level of income and resources as people they need to know about.

@lauren

"The Bros often don't have a clue about the real world."

OR they do, and see this as another lever they can use to scare the crap out of the "living-check-to-check" poverty class to keep motivating them/us into continuing to compromise again and again and never stand up to the oppressive and predatory system

@DrakkenZero @lauren
Or they just want everyone poor to die.
@pteryx @DrakkenZero @lauren No, they just want to keep them poor so that they'll do the shitty jobs for a pittance.
@nzlemming @DrakkenZero @lauren
If that's their intent, then they have a completely deluded assessment of who the poor are and how and why they're poor.

@lauren

They want us to live in their fantasy nightmare

@lauren @Ashedryden heck, I prefer Yubikeys and *am in tech* and struggle with the UX for indicating I want to use the Yubikey over my OS passkeys. It sucks so bad.
@Gizmo @lauren @Ashedryden PayPal still says "hardware keys don't work on mobile". My homelab has better mobile 2fa than PayPal smh.
see also needing a smartphone app to pay a bus fare
@lauren exactly right. After the Australian MyGov team rolled out passkeys they discovered that many folks living in remote parts of Australia don’t have phone coverage and access internet via shared computers at community centres. They weighed giving every Australian a YubiKey as it would be cheaper than sending 2FA codes via SMS. Ultimately, they left passwords as an option.
@ben @lauren Thanks for the info, that is very intriguing. Great to hear it was considered. Maybe it was the ongoing expectation and cost it would have had on providing Yubikeys, even when people lost or (surprisingly) damaged theirs. I have had 2 for about 5 years and they are great.

@ben @lauren

I didn't know they had made it an option ... the demand is still showing on my account ... so thanks for that.

And it's too damn easy to lose a small object like a YubiKey ... hell people can even lose a large TV Remote :) then one is locked out and it's very hard to get anything back from MyGov ...

@ben Many public computers have blocked their USB ports for security reasons, which renders the keys unusable anyway.
@lauren Private settings too. My employer provides software in healthcare and many auth options aren’t suitable because practice staff share locked-down computers.
@ben @lauren And the idea of using TOTP authenticator apps for 2FA codes never occurred to them...
@tknarr @lauren I’m sure they considered it but TOTP enrolment is more complex and assumes everyone has a phone.

No single solution is going to accommodate everyone’s needs or threat model, whether it’s passkeys or anything else.
@ben @lauren But when you log into MyGov right now and see your 'security review', it literally tells you that you should turn off your password as a security measure. It'll be one of the first things you see after logging in.
@rainynight65 @lauren People with the ability to use passkeys _should_ use them. Apparently a micro-phishing kit for a fake MyGov site costs $30 on the dark web and passkeys are completely effective against these.

The point is we shouldn’t leave behind folks that can’t use passkeys or other smartphone-demanding tech. MyGov allows users to ignore the ‘security review’ recommendations to accommodate diverse needs.
@ben @rainynight65 And how many of those people who have those "diverse needs" do you think understand enough about these systems to know the risks they'd be taking in accepting passkeys. Keep in mind that most people know just BARELY enough about how any of these systems work to do the tasks they need, and no more than that.
@lauren @rainynight65 So far I’ve been discussing the physical ability to access a phone and/or carry a security key.

As for users who barely understand these systems, passkeys were designed so that users only need to know how to unlock their phone — still an assumption, I know — but I think a poor job has been done with making that clear.

And I get that some folk won’t understand how that’s different from being asked to remember a separate password. Especially after a decade of being told to use different passwords for different systems.

@lauren while I was on vacation I tried to log into Google via passkey (to follow peoples map pins.) It didn't accept it (??) Every time I entered the password it knocked me back to the screen to enter the passkey. Lather, Rinse, Repeat.

My own fault for enabling a technology I didn't fully understand at the time.

@jackgangi @lauren

Even worse that Google ignored you as a probably normal user without domain-specific knowledge, i.e. how passkeys work and don't work. They ought to know better. Now they want to force a feature?!

I'd say shame on them, except I think these days, they don't care. By they, I mean the C-suite. If I didn't know better, I'd think it is an exit strategy... First replace or reduce all the users.

@jackgangi @lauren

This.

This is why I have refused to even attempt to set up pass keys so far.

@lauren I think the current design/implementation of passkeys pretty bad, but I also recognize that phishing is the #1 cyber threat facing most people so I'm generally supportive of movement away from passwords and towards phishing-resistant authentication. Am I a big tech bro?
@williamoconnell @lauren would love to hear any feedback you have re: "design/implementation of passkeys pretty bad"

@timcappalli @lauren Turns out I had a lot to say, so I'm linking a PDF. Mostly it's about the UX, not the details of the protocol/crypto which I'm sure are fine. Though as a web developer I do remember thinking the APIs were a little confusing last time I looked, since there are a lot of different options/features to think through.

PDF:
https://will-o.co/bXmaDYVJfg.pdf

@williamoconnell @lauren thanks for the thoughtful feedback. I will respond when I get back from vacation!

@williamoconnell @lauren

Passkeys will do little-to-nothing to stop phishing, because phishers have at their disposal (1) an essentially-infinite supply of domains in ~1000 junk gTLDs (2) an essentially infinite supply of hosting thanks to providers who do NO due diligence (3) an essentially infinite supply of email accounts thanks to large email providers who also do NO due diligence (more)

@williamoconnell @lauren

(4) clueless corporations who send email messages with HTML/typography/graphics/links...thus training their customers that any message that looks like it's authentic IS authentic and that they should follow the links (5) increasingly-dumbed-down email UIs that conceal important information by default AND mark obviously fake messages from not-really-your-bank.xyz as "authentic" because they pass DKIM just as readily as real messages from really-your-bank.com.

@DarthWombat @lauren That's why passkeys are useful, they are immune to all of that. If your bank is example.com, example.net cannot compromise your account. Even if you're 100% convinced that example.net is your real bank, your passkey for example.com will not work there. This has been tested in the real world, it has stopped some very sophisticated phishing attempts.

https://blog.cloudflare.com/2022-07-sms-phishing-attacks/

The mechanics of a sophisticated phishing scam and how we stopped it

Yesterday, August 8, 2022, Twilio shared that they’d been compromised by a targeted phishing attack. Around the same time as Twilio was attacked, we saw an attack with very similar characteristics also targeting Cloudflare’s employees.

The Cloudflare Blog

@williamoconnell @DarthWombat Passkeys, even in the best possible imagined form and deployment model, are worse than useless in the absence of robust account recovery systems and protocols, because the risk of account lockouts can be far higher with passkeys than with traditional authentication mechanisms, especially for nontechnical users with only a single device. And passkeys are essentially worthless for users who depend on public computers (which often don't even permit USB devices to be attached) for their Internet access, many of whom don't have smartphones (or often any phone at all).

These users are disadvantaged enough by legacy authentication models; passkeys put them at even greater risk of total account lockout. Combined with atrocious account recovery systems such as those at #Google, it's a slap in the face to these users who are the ones always getting the shaft from the Big Tech Bros.

@lauren @DarthWombat I don't think users should be forced to use passkeys as their only authentication method, to be clear. And I agree that Google, etc. could do more to help homeless/phone-less people use their services. But I think basically every organization could do more to help people in that situation? IMO it's more about incentives than "tech bros".

Web authentication for someone that has no possessions and can't remember their password (no one can) is a tough problem.

@williamoconnell @DarthWombat In the first instance, it's a tough problem because many of these firms DON'T CARE ABOUT THESE USERS. And when queried directly, will tell you (in effect) that they just don't consider that cohort worth bothering with.
@lauren @DarthWombat Companies don't care about anything, they're machines that generate profit for their owners. Homeless Gmail users probably aren't that profitable. If there are services that homeless people need from Google, either the law needs to force Google to serve those users, or some other not-for-profit entity needs to be created to serve them. But I think an effective solution would have to be based on biometrics, which people have a lot of reservations about.
@lauren @DarthWombat In the meantime if you know specific people who have this problem, I think Proton will give you free password-based email without needing a phone.
@williamoconnell @DarthWombat I don't recommend Proton for any purpose to anyone.

@lauren @williamoconnell @DarthWombat Proton (A Swiss provider) claims to have the strongest privacy due to the Swiss Privacy Laws (which are weaker than EU Law).

Why not Proton:

https://www.derstandard.at/story/2000129455059/protonmail-unter-starker-kritik-klimaaktivist-nach-herausgabe-von-ip-adresse

Protonmail under heavy criticism: climate activist arrested after IP address was handed over

The Swiss provider advertises that it does not collect IP addresses by default. On a court order, however, one user has now been specifically monitored

DER STANDARD
Fishing expeditions of the surveillance state

The Swiss security authorities' hunger for data keeps growing, and is likely to grow further with the new anti-terror law. To the detriment of companies such as Threema.

Republik
The wrong turns of the watchers

Surveillance authorities hate encryption; that has consequences for all of us. The series on the Swiss surveillance state, part 2.

Republik
The most important news from Swiss politics

Beat Jans’ weak answer, the Council of States wants to loosen the rules for arms exports, and the SVP's Glarner once again spreads fake news.

Republik
@katharina_buholzer @williamoconnell @DarthWombat I stand by my statement. Feel free to use them if you wish, of course.
@williamoconnell @DarthWombat Not only reservations due to legal and privacy concerns, but many people have phones that do not have biometric capabilities of any kind -- no camera, no fingerprint sensor, as their only phone device. And of course, many have no phones at all.
@lauren When I say biometrics what I mean is something like Amazon One where the hardware is public (in a library or a convenience store or something). So in this imagined scenario you wouldn't have to own anything, you'd scan your palm at the library computer and your email would automatically open. Obviously there are privacy concerns there, but it's the only thing I can think of that doesn't require you to remember anything or posses anything.
@williamoconnell Anything that requires adding new equipment to the often old computers available in these locations, especially given their typical lack of any budget for upgrades and lack of personnel to make significant changes, will generally be a total nonstarter. Also, many of the persons who rely on these systems already have major privacy concerns and would likely be extremely reluctant to use biometrics for access. With all due respect, I don't feel you're being realistic about this situation for these users.
@lauren It seems like you're expecting a perfect solution that works for 100% of people with no downsides, and you don't want it to cost any money to implement. I don't think I'm the one being unrealistic.
@williamoconnell Where did I say 100% about anything? Or no downsides? Don't put words in my mouth, please. What I AM saying, and have said for many years, is that Google (as my example for now) ignores an entire significant cohort of vulnerable users, and rejects common sense changes that could significantly IMPROVE (not make perfect!) the situation for them. THAT'S what I said.