BTW, when the Big Tech bros wax poetic about eliminating passwords by requiring passkeys, you can bet they probably don't deal with anyone who doesn't have a phone and whose only access to the Internet is public computers like in libraries. And please don't suggest that someone who may have all their possessions in a shopping cart carry and use a Yubikey (even if USB ports weren't blocked on public computers, as they often are). The Bros often don't have a clue about the real world.
@lauren I think the current design/implementation of passkeys is pretty bad, but I also recognize that phishing is the #1 cyber threat facing most people so I'm generally supportive of movement away from passwords and towards phishing-resistant authentication. Am I a big tech bro?

@williamoconnell @lauren

Passkeys will do little-to-nothing to stop phishing, because phishers have at their disposal (1) an essentially-infinite supply of domains in ~1000 junk gTLDs (2) an essentially infinite supply of hosting thanks to providers who do NO due diligence (3) an essentially infinite supply of email accounts thanks to large email providers who also do NO due diligence (more)

@williamoconnell @lauren

(4) clueless corporations who send email messages with HTML/typography/graphics/links...thus training their customers that any message that looks like it's authentic IS authentic and that they should follow the links (5) increasingly-dumbed-down email UIs that conceal important information by default AND mark obviously fake messages from not-really-your-bank.xyz as "authentic" because they pass DKIM just as readily as real messages from really-your-bank.com.

@DarthWombat @lauren That's why passkeys are useful, they are immune to all of that. If your bank is example.com, example.net cannot compromise your account. Even if you're 100% convinced that example.net is your real bank, your passkey for example.com will not work there. This has been tested in the real world, it has stopped some very sophisticated phishing attempts.

https://blog.cloudflare.com/2022-07-sms-phishing-attacks/

The mechanics of a sophisticated phishing scam and how we stopped it

Yesterday, August 8, 2022, Twilio shared that they’d been compromised by a targeted phishing attack. Around the same time as Twilio was attacked, we saw an attack with very similar characteristics also targeting Cloudflare’s employees.

The Cloudflare Blog
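The origin binding described in the post above is enforced on two sides: the browser only offers a passkey whose RP ID matches the site it is on, and the relying party re-checks the origin and RP ID hash that the authenticator signed. The following is an added example written for this page, not code from any participant in the thread or from any vendor; it shows the relying-party side of that check in Python. The RP ID example.com, the allowed origins, the challenge and the three sample assertions are all constructed for illustration, and the signature verification step (which is what makes these fields tamper-evident) is left to the library a real deployment would use.

```python
import base64
import hashlib
import json

# Hypothetical relying party (RP) settings: the "bank" is example.com.
# These values are assumptions for illustration, not a real deployment.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://www.example.com"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rp_id_hash_matches(authenticator_data: bytes, rp_id: str = RP_ID) -> bool:
    """authenticatorData begins with rpIdHash = SHA-256(rpId), 32 bytes.

    The authenticator computes this over the RP ID the browser passed in, so a
    credential exercised at a different site hashes to a different value.
    """
    if len(authenticator_data) < 37:  # rpIdHash (32) + flags (1) + signCount (4)
        return False
    return authenticator_data[:32] == hashlib.sha256(rp_id.encode()).digest()


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks on a WebAuthn assertion, before signature verification.

    The signature (over authenticatorData || SHA-256(clientDataJSON)) is verified
    separately with the credential's public key and is omitted here. Because
    clientDataJSON is covered by that signature, a phishing site cannot rewrite
    the browser-supplied origin without invalidating the assertion.
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not an allowed origin for {RP_ID}"
    if not rp_id_hash_matches(authenticator_data):
        return False, "rpIdHash does not match the RP ID"
    return True, "ok"


# --- Constructed sample data (not captured traffic) --------------------------

CHALLENGE = bytes(range(32))  # constructed; a real RP draws a fresh random challenge per login


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Build what a browser would place in clientDataJSON for a page at `origin`."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()


def make_authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """rpIdHash (32) || flags (1, UP set) || signCount (4), no extensions."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + sign_count.to_bytes(4, "big")


def demo() -> dict[str, tuple[bool, str]]:
    legit = check_assertion(make_client_data("https://example.com", CHALLENGE),
                            make_authenticator_data("example.com"), CHALLENGE)
    # A user fooled by example.net: the browser scopes the ceremony to that site,
    # so both the signed origin and the rpIdHash point at the wrong domain.
    phished = check_assertion(make_client_data("https://example.net", CHALLENGE),
                              make_authenticator_data("example.net"), CHALLENGE)
    # Right origin, but an assertion captured from an earlier login and replayed.
    replayed = check_assertion(make_client_data("https://example.com", bytes(32)),
                               make_authenticator_data("example.com"), CHALLENGE)
    return {"legit": legit, "phished": phished, "replayed": replayed}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9s} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

In practice the browser stops the phished case earlier: a page on example.net cannot request RP ID example.com because it is not a registrable suffix of its origin, so no assertion is produced at all. The relying-party checks above are the defence in depth for the case where an attacker relays the ceremony anyway; they also show why a lookalike domain, a fresh hosting account and a DKIM-passing email do not help the phisher once the credential is scoped to the real domain.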

@williamoconnell @DarthWombat Passkeys, even in the best possible imagined form and deployment model, are worse than useless in the absence of robust account recovery systems and protocols, because the risk of account lockouts can be far higher with passkeys than with traditional authentication mechanisms, especially for nontechnical users with only a single device. And passkeys are essentially worthless for users who depend on public computers (which often don't even permit USB devices to be attached) for their Internet access, many of whom don't have smartphones (or often any phone at all).

These users are disadvantaged enough by legacy authentication models, passkeys put them at even greater risk of total account lockout. Combined with atrocious account recovery systems such as those at #Google, and it's a slap in the face to these users who are the ones always getting the shaft from the Big Tech Bros.

@lauren @DarthWombat I don't think users should be forced to use passkeys as their only authentication method, to be clear. And I agree that Google, etc. could do more to help homeless/phone-less people use their services. But I think basically every organization could do more to help people in that situation? IMO it's more about incentives than "tech bros".

Web authentication for someone that has no possessions and can't remember their password (no one can) is a tough problem.

@williamoconnell @DarthWombat In the first instance, it's a tough problem because many of these firms DON'T CARE ABOUT THESE USERS. And when queried directly, will tell you (in effect) that they just don't consider that cohort worth bothering with.
@lauren @DarthWombat Companies don't care about anything, they're machines that generate profit for their owners. Homeless Gmail users probably aren't that profitable. If there are services that homeless people need from Google, either the law needs to force Google to serve those users, or some other not-for-profit entity needs to be created to serve them. But I think an effective solution would have to be based on biometrics, which people have a lot of reservations about.
@lauren @DarthWombat In the meantime if you know specific people who have this problem, I think Proton will give you free password-based email without needing a phone.
@williamoconnell @DarthWombat I don't recommend Proton for any purpose to anyone.

@lauren @williamoconnell @DarthWombat Proton (a Swiss provider) claims to have the strongest privacy due to the Swiss privacy laws (which are weaker than EU law).

Why not Proton:

https://www.derstandard.at/story/2000129455059/protonmail-unter-starker-kritik-klimaaktivist-nach-herausgabe-von-ip-adresse

Protonmail under heavy criticism: climate activist arrested after IP address handed over

The Swiss provider advertises that it does not collect IP addresses by default. On a court order, however, one user has now been specifically monitored.

DER STANDARD
Fishing expeditions of the surveillance state

The Swiss security authorities' hunger for data is growing steadily, and is likely to grow further with the new anti-terrorism law. To the detriment of companies such as Threema.

Republik
The wrong turns of the surveillance agencies

Surveillance agencies hate encryption, and that has consequences for all of us. The series on the Swiss surveillance state, part 2.

Republik
The most important news from Swiss politics

Beat Jans' weak response, the Council of States wants to loosen the rules for arms exports, and the SVP's Glarner spreads fake news once again.

Republik