BTW, when the Big Tech bros wax poetic about eliminating passwords by requiring passkeys, you can bet they probably don't deal with anyone who doesn't have a phone and whose only access to the Internet is public computers like in libraries. And please don't suggest that someone who may have all their possessions in a shopping cart carry and use a Yubikey (even if USB ports weren't blocked on public computers, as they often are). The Bros often don't have a clue about the real world.
@lauren I think the current design/implementation of passkeys is pretty bad, but I also recognize that phishing is the #1 cyber threat facing most people so I'm generally supportive of movement away from passwords and towards phishing-resistant authentication. Am I a big tech bro?

@williamoconnell @lauren

Passkeys will do little-to-nothing to stop phishing, because phishers have at their disposal (1) an essentially-infinite supply of domains in ~1000 junk gTLDs (2) an essentially infinite supply of hosting thanks to providers who do NO due diligence (3) an essentially infinite supply of email accounts thanks to large email providers who also do NO due diligence (more)

@williamoconnell @lauren

(4) clueless corporations who send email messages with HTML/typography/graphics/links...thus training their customers that any message that looks like it's authentic IS authentic and that they should follow the links (5) increasingly-dumbed-down email UIs that conceal important information by default AND mark obviously fake messages from not-really-your-bank.xyz as "authentic" because they pass DKIM just as readily as real messages from really-your-bank.com.

@DarthWombat @lauren That's why passkeys are useful, they are immune to all of that. If your bank is example.com, example.net cannot compromise your account. Even if you're 100% convinced that example.net is your real bank, your passkey for example.com will not work there. This has been tested in the real world, it has stopped some very sophisticated phishing attempts.

https://blog.cloudflare.com/2022-07-sms-phishing-attacks/

The mechanics of a sophisticated phishing scam and how we stopped it

Yesterday, August 8, 2022, Twilio shared that they’d been compromised by a targeted phishing attack. Around the same time as Twilio was attacked, we saw an attack with very similar characteristics also targeting Cloudflare’s employees.

The Cloudflare Blog
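The origin binding described in the post above (a passkey for example.com refusing to work at example.net) comes from two WebAuthn checks: the browser only lets a page use an RP ID that matches its own origin, and the server rejects assertions whose signed clientDataJSON carries any other origin. The following is an added illustration of those checks, not code from any participant or from Cloudflare; the authenticator data and challenge are constructed samples and signature verification is left out.

```python
import hashlib
import json

# Added illustration of WebAuthn origin binding (not from the thread).
# Constructed "authenticator data" is only the 37-byte header:
# rpIdHash (32) || flags (1) || signCount (4); a real assertion also carries a signature.

RP_ID = "example.com"                     # the bank's relying-party ID
EXPECTED_ORIGIN = "https://example.com"   # origin the browser must report


def rp_id_valid_for_origin(rp_id: str, origin: str) -> bool:
    """Client-side rule: the RP ID must equal the origin's host or be a
    registrable-domain suffix of it. A lookalike host never qualifies."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)


def make_auth_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Constructed authenticator data header as an authenticator would emit it."""
    flags = b"\x05"  # UP (user present) + UV (user verified) bits set
    return hashlib.sha256(rp_id.encode()).digest() + flags + sign_count.to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: str) -> tuple[bool, str]:
    """Server-side checks: ceremony type, challenge, origin, then rpIdHash."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or cross-request)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    return True, "ok"


def demo() -> dict:
    """Genuine site versus a lookalike 'example.net' phishing page."""
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed sample challenge
    genuine = json.dumps({"type": "webauthn.get", "challenge": challenge,
                          "origin": "https://example.com"}).encode()
    lookalike = json.dumps({"type": "webauthn.get", "challenge": challenge,
                            "origin": "https://example.net"}).encode()
    return {
        "client_allows_lookalike": rp_id_valid_for_origin(RP_ID, "https://example.net"),
        "genuine": verify_assertion(genuine, make_auth_data(RP_ID), challenge),
        "lookalike": verify_assertion(lookalike, make_auth_data(RP_ID), challenge),
    }
```

Because the origin field is covered by the authenticator's signature, a relaying phishing page cannot rewrite it without invalidating the assertion.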

@williamoconnell @DarthWombat Passkeys, even in the best possible imagined form and deployment model, are worse than useless in the absence of robust account recovery systems and protocols, because the risk of account lockouts can be far higher with passkeys than with traditional authentication mechanisms, especially for nontechnical users with only a single device. And passkeys are essentially worthless for users who depend on public computers (which often don't even permit USB devices to be attached) for their Internet access, many of whom don't have smartphones (or often any phone at all).

These users are disadvantaged enough by legacy authentication models, passkeys put them at even greater risk of total account lockout. Combined with atrocious account recovery systems such as those at #Google, and it's a slap in the face to these users who are the ones always getting the shaft from the Big Tech Bros.

@lauren @DarthWombat I don't think users should be forced to use passkeys as their only authentication method, to be clear. And I agree that Google, etc. could do more to help homeless/phone-less people use their services. But I think basically every organization could do more to help people in that situation? IMO it's more about incentives than "tech bros".

Web authentication for someone who has no possessions and can't remember their password (no one can) is a tough problem.

@williamoconnell @DarthWombat In the first instance, it's a tough problem because many of these firms DON'T CARE ABOUT THESE USERS. And when queried directly, will tell you (in effect) that they just don't consider that cohort worth bothering with.
@lauren @DarthWombat Companies don't care about anything, they're machines that generate profit for their owners. Homeless Gmail users probably aren't that profitable. If there are services that homeless people need from Google, either the law needs to force Google to serve those users, or some other not-for-profit entity needs to be created to serve them. But I think an effective solution would have to be based on biometrics, which people have a lot of reservations about.
@lauren @DarthWombat In the meantime if you know specific people who have this problem, I think Proton will give you free password-based email without needing a phone.
@williamoconnell @DarthWombat I don't recommend Proton for any purpose to anyone.

@lauren @williamoconnell @DarthWombat Proton (a Swiss provider) claims to have the strongest privacy due to the Swiss privacy laws (which are weaker than EU law).

Why not Proton:

https://www.derstandard.at/story/2000129455059/protonmail-unter-starker-kritik-klimaaktivist-nach-herausgabe-von-ip-adresse

Protonmail under heavy criticism: climate activist arrested after IP address handed over

The Swiss provider advertises that it does not collect IP addresses by default. On a court order, however, a user was now specifically monitored

DER STANDARD
Fishing expeditions of the surveillance state

The Swiss security authorities' hunger for data keeps growing, and is likely to grow further with the new anti-terror law. To the chagrin of companies such as Threema.

Republik
The wrong turns of the surveillers

Surveillance authorities hate encryption, and that has consequences for all of us. The series on the Swiss surveillance state, part 2.

Republik
The most important news from Swiss politics

Beat Jans' weak answer, the Council of States wants to loosen the rules for arms exports, and SVP's Glarner once again spreads fake news.

Republik
@katharina_buholzer @williamoconnell @DarthWombat I stand by my statement. Feel free to use them if you wish, of course.
@williamoconnell @DarthWombat Not only reservations due to legal and privacy concerns, but many people have phones that do not have biometric capabilities of any kind -- no camera, no fingerprint sensor, as their only phone device. And of course, many have no phones at all.
@lauren When I say biometrics what I mean is something like Amazon One where the hardware is public (in a library or a convenience store or something). So in this imagined scenario you wouldn't have to own anything, you'd scan your palm at the library computer and your email would automatically open. Obviously there are privacy concerns there, but it's the only thing I can think of that doesn't require you to remember anything or possess anything.
@williamoconnell Anything that requires adding new equipment to the often old computers available in these locations, especially given their typical lack of any budget for upgrades and lack of personnel to make significant changes, will generally be a total nonstarter. Also, many of the persons who rely on these systems already have major privacy concerns and would likely be extremely reluctant to use biometrics for access. With all due respect, I don't feel you're being realistic about this situation for these users.
@lauren It seems like you're expecting a perfect solution that works for 100% of people with no downsides, and you don't want it to cost any money to implement. I don't think I'm the one being unrealistic.
@williamoconnell Where did I say 100% about anything? Or no downsides? Don't put words in my mouth, please. What I AM saying, and have said for many years, is that Google (as my example for now) ignores an entire significant cohort of vulnerable users, and rejects common sense changes that could significantly IMPROVE (not make perfect!) the situation for them. THAT'S what I said.
@williamoconnell And if you've read even my recent posts here, I've noted that my specific proposals to Google about this have included COST NEUTRAL means to implement. That means they pay for themselves, not that they are cost free. Again, please do not put words in my mouth.
@lauren This is your first post I've ever seen on this platform, I have no idea what solutions you may have proposed aside from "passwords with no backup" which I don't think is workable for the vast majority of users. The main issue I took with your post was the implication that Google's authentication strategy comes from developers who "don't have a clue about the real world", which I don't think is true at all.
@williamoconnell I suggest you do a bit of research and peruse my public writings on Internet-related topics, which stretch back to early ARPANET days when I was at the first site on ARPANET (thence Internet) at UCLA. Or at least my blog, which also goes back many years. Or my mailing lists, one of which goes back more than 30 years continuously. Then get back to me. Thanks.

@lauren I've done some searches, and don't see this anywhere, but I have a memory of your name being attached to the Full Disclosure Mailing List. Wikipedia only mentions two people as running it. Maybe you just posted there? Or, and I'm at that age, perhaps my memory is playing tricks on me.

BTW, I don't know much about bikes, but I'm guessing that's a Harley Fat Boy? And are the "ape hangers" comfortable?

@agreeable_landfall Hi. No, that's not a list I've ever dealt with. The bike is a Shovelhead. The apes can be comfortable or not, depending.