184 points Bogdanp | 37 comments
1. juancn No.45106230

> Signing into my accounts on my children’s devices has turned from a straightforward process to an incredibly frustrating experience. I find myself juggling all kinds of different apps and flows.

This strikes home for me; I'm the main gatekeeper of passwords and service accounts in my home. 2FA and passkeys are so annoying to juggle.

My kids use prepaid numbers. Once I changed one and forgot to tell Apple; when I realized that I needed the old number later, it took me at least a month to get it back.

I really like passwords; the security risks are well known and really easy to handle compared to 2FA and all that crap, especially when 99% of your accounts are not sensitive enough to merit anything fancy.

replies(5): >>45106514 #>>45106530 #>>45107602 #>>45108644 #>>45112401 #
2. toomuchtodo No.45106514
Passwords are a weak authentication mechanism and incur liability. MFA is good, Passkeys are better. One time passwords via email are tolerable, still better than passwords.

(customer identity and access management is a component of my work at a fintech)

replies(3): >>45106589 #>>45106861 #>>45111579 #
3. adiabatichottub No.45106530
It makes sense to keep printed backups of certain keys and passwords in a physically secure location, accessible to the people you trust in case of an emergency.
replies(1): >>45108247 #
4. cuu508 No.45106589
Security-wise, passkeys are worse than username/password plus WebAuthn as the second factor.
replies(3): >>45106627 #>>45106628 #>>45107082 #
5. tptacek No.45106627{3}
But better than username/password + TOTP, and username/password + WebAuthn had really low uptake.
replies(1): >>45106820 #
6. No.45106628{3}
7. AlexandrB No.45106820{4}
Username/password + TOTP is still better than username/password + one time email, no? Especially since the latter creates additional dependencies/risks for the user in the form of an email account.
replies(1): >>45107244 #
8. OJFord No.45106861
Your fintech is probably not among the 99% of accounts GP says don't warrant 'anything fancy'.

IME as a customer/user, financial institutions are some of the worst culprits for doing appalling things in the name of security (theatre) anyway.

replies(2): >>45106946 #>>45107024 #
9. tadfisher No.45106946{3}
Yes, because financial institutions are responsible for losses incurred via account takeover.
replies(2): >>45106984 #>>45109666 #
10. AlexandrB No.45106984{4}
And yet no financial institution in Canada supports webauthn hardware tokens - instead choosing to bake their own scheme within their app or use SMS.
11. kriops No.45107082{3}
If and only if you somehow manage to compromise one secret without compromising the other.
12. tptacek No.45107244{5}
They're about the same. The important factor is phishing resistance (neither TOTP nor email links have that), and an account that has lost its primary email account is 99% of the time already boned. I would use TOTP in preference to email backup, but that's mostly an affectation.

The reality is that TOTP has been obsolete for a while now. It's a net negative for ordinary users that is kept front-of-mind for everyone because nerds like us are attached to it.

replies(1): >>45107792 #
13. ajsnigrutin No.45107602
Passwords + OTP (stored in KeePass or somewhere) is the win for me.

Everything else is security theatre and a UX pain.

replies(3): >>45108108 #>>45109965 #>>45112987 #
14. jrochkind1 No.45107792{6}
This is actually the first I've heard of this, re considering TOTP to be not worthwhile. Can you recommend some links to material for me to read to get up to speed with the argument?
replies(2): >>45108696 #>>45110030 #
15. nixpulvis No.45108108
This is how I feel as well.
16. lixtra No.45108247
You might even split them so that k out of n trusted people are needed to restore them.

For example https://shamir.securitytools.io/

replies(1): >>45108697 #
17. teekert No.45108644
I’m on proton (family) and put pass on all devices (inc the kids’) so I can quickly share credentials. But still, I agree that some kind of export of private keys is sorely needed.
replies(1): >>45111869 #
18. tptacek No.45108696{7}
Basically everything ever written about U2F, WebAuthn, and phishing-proof authentication generally is about the weaknesses of TOTP. The principal component of the problem is phishing.
replies(1): >>45110677 #
19. adiabatichottub No.45108697{3}
Yes, I think that's a good idea for high-value secrets. In a family situation it would be a great way to limit elder abuse (unless all your children hate you).
20. jazzyjackson No.45109666{4}
And yet they are still out here offering voiceprint authentication.
replies(1): >>45110538 #
21. xeonmc No.45109965
I use my OTP secret as my account password, best of both worlds for portability!
replies(2): >>45110249 #>>45111553 #
22. esseph No.45110030{7}
TOTP is not phishing resistant; passkeys are. TOTP codes can also be screen-grabbed.
23. No.45110249{3}
24. toomuchtodo No.45110538{5}
JP Morgan Chase does this, regrettably.
25. harshreality No.45110677{8}
There are sites requiring TOTP to mitigate careless users using dumb passwords, because the sites can't guarantee passwords aren't reused but they can enforce TOTP.

Even for phishing, doesn't it count for something that TOTP prevents asynchronous phishing (collect credentials on a fake site, try them in batches later)?

replies(1): >>45110750 #
26. tptacek No.45110750{9}
No, it does not. Everybody agrees that password + TOTP is better than just plain passwords. Everything is better than just plain passwords. But I've personally worked on large, high-stakes projects where TOTP phishing was a continuous problem, and it's really difficult to solve. Since we have options besides TOTP that aren't susceptible to phishing, people shouldn't be pushing TOTP anymore.
replies(1): >>45117895 #
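The phishing resistance tptacek and esseph refer to comes from the relying party rejecting assertions that were not produced for its own origin and RP ID; a TOTP code carries no such binding, which is why a relayed code verifies just as well as a direct one. As an added example, not from the thread or any WebAuthn library, here is the origin/RP-binding part of a relying party's assertion check in Python; `example.com`, the allowed origins and all message bytes are constructed.

```python
import base64
import hashlib
import json

# Added example: relying-party binding checks on a WebAuthn assertion.
RP_ID = "example.com"                                   # assumed relying party id
ALLOWED_ORIGINS = {"https://example.com", "https://app.example.com"}


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_assertion_binding(client_data_json, authenticator_data, expected_challenge):
    """Return (ok, reason). Signature verification over
    authenticatorData || sha256(clientDataJSON) is a separate, later step."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    # The browser fills in `origin`; a page served from another origin cannot
    # claim ours, so an assertion collected there fails here. A TOTP code has
    # no equivalent field to check.
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed"
    # authenticatorData starts with SHA-256(rpId) as used by the authenticator.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:                # UP flag
        return False, "user presence flag not set"
    return True, "ok"


def _client_data(origin, challenge):
    """Constructed clientDataJSON as a browser would produce it."""
    ch = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": ch, "origin": origin})


def demo():
    challenge = b"\x01" * 32                             # constructed; RPs use random bytes
    # rpIdHash || flags (UP|UV = 0x05) || 4-byte signature counter
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + bytes([0x05]) + (7).to_bytes(4, "big")
    good = verify_assertion_binding(_client_data("https://example.com", challenge), auth_data, challenge)
    wrong_origin = verify_assertion_binding(_client_data("https://not-example.com", challenge), auth_data, challenge)
    replayed = verify_assertion_binding(_client_data("https://example.com", challenge), auth_data, b"\x02" * 32)
    return good, wrong_origin, replayed
```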
27. 1oooqooq No.45111553{3}
That's so insanely unexpected it might actually be secure.
28. 1oooqooq No.45111579
Let me guess: until last year you had deployed a Java applet keypad for users to log in? And today, every time I call, your recording offers to enroll me in voice print?

Yeah, I will not be taking advice from the majority of people in fintech on this topic. Thank you.

29. basch No.45111869
I'll maintain that family management of access control is one of the most broken things on the internet. Not only does 2FA make granting access on other devices a nightmare, but then each developer has its own version of parental controls.

ALL of account permissions, relations to other accounts, and authentication should be an exposed API that rolls up into a single dashboard. I should be able to go into one single control panel to control exactly what accounts are allowed to do what on what devices for all services for all family members. That includes lockouts, auth resets, and push of auth to a device I don't have physical access to (kid is on a trip, I need to sign him into something).

I could go on and on and on about all the different ways this paradigm is so broken; it actually breaks our imagination of what it should look like in a functioning world. We are so used to doing it completely wrong, it's hard to see right.

replies(1): >>45112967 #
30. 15155 No.45112401
> 2FA and passkeys are so annoying to juggle.

Try 1Password Family and store your passkeys in there?

replies(1): >>45112976 #
31. anon7000 No.45112967{3}
That basically does exist, and it’s called SSO. SSO providers (eg Okta) have a unified dashboard where you can control who can access what, and at what level, and can revoke access any time. It’d be nice if there was a version of that for families that wasn’t insanely expensive.

Anyways, 1Password completely solves this problem for me with me & my wife.

replies(1): >>45114976 #
32. anon7000 No.45112976
Agreed, my wife even says 1Password is one of the best tech things I’ve set up just because it completely solves sharing passwords and stuff with each other.
33. anon7000 No.45112987
Passkeys are not security theatre, and also not a UX pain if you use a password manager. Turns out it’s nice to have a standardized API for submitting a credential to a website rather than relying on browser extensions to hopefully guess that the input field is for a password. (Not to mention the multitude of sites that don’t properly handle text being autofilled.)
replies(2): >>45113860 #>>45116908 #
34. raxxorraxor No.45113860{3}
Not theatre, passkeys are a security risk if you need a specific device to access your information and there is no way to extract a passkey.
35. basch No.45114976{4}
It doesn’t do anything for pushing authentication remotely or controlling access within apps, such as voice chat in Roblox. Each app has proprietary controls.

It also doesn’t begin to cover notifications. For some reason most services seem to think only one parent is in charge and both don’t need equal access and equal notice.

36. NoGravitas No.45116908{3}
There are exactly three nice things about passkeys.

1. It forces the use of keys with a reasonable amount of entropy, and the use of a password manager to access them.
2. They will not make it easy to use a key with the wrong site (also true of a good password manager).
3. Uses a public/private keypair, so the key itself is never sent over the wire (even encrypted).

The real question is whether these properties are worth all the costs (enumerated in this article).

37. jrochkind1 No.45117895{10}
What is your currently preferred option, as of this moment, for a general consumer site (not an especially sensitive domain like banking)?