
184 points | submitted by Bogdanp | 12 comments
juancn ◴[] No.45106230[source]

    Signing into my accounts on my children’s devices has turned from a straightforward process to an incredibly frustrating experience. I find myself juggling all kinds of different apps and flows.
This strikes home for me; I'm the main gatekeeper of passwords and service accounts in my home. 2FA and passkeys are so annoying to juggle.

My kids use prepaid numbers. Once I changed one and forgot to tell Apple, and when I realized later that I needed the old number, it took me at least a month to get it back.

I really like passwords: the security risks are well known and really easy to handle compared to 2FA and all that crap, especially when 99% of your accounts are not sensitive enough to merit anything fancy.

replies(5): >>45106514 #>>45106530 #>>45107602 #>>45108644 #>>45112401 #
toomuchtodo ◴[] No.45106514[source]
Passwords are a weak authentication mechanism and incur liability. MFA is good, Passkeys are better. One time passwords via email are tolerable, still better than passwords.

(customer identity and access management is a component of my work at a fintech)

replies(3): >>45106589 #>>45106861 #>>45111579 #
1. cuu508 ◴[] No.45106589[source]
Security-wise, passkeys are worse than username/password plus WebAuthn as the second factor.
replies(3): >>45106627 #>>45106628 #>>45107082 #
2. tptacek ◴[] No.45106627[source]
But better than username/password + TOTP, and username/password + WebAuthn had really low uptake.
replies(1): >>45106820 #
3. ◴[] No.45106628[source]
4. AlexandrB ◴[] No.45106820[source]
Username/password + TOTP is still better than username/password + one time email, no? Especially since the latter creates additional dependencies/risks for the user in the form of an email account.
replies(1): >>45107244 #
5. kriops ◴[] No.45107082[source]
If and only if you somehow manage to compromise one secret without compromising the other.
6. tptacek ◴[] No.45107244{3}[source]
They're about the same. The important factor is phishing resistance (neither TOTP nor email links have that), and an account that has lost its primary email account is 99% of the time already boned. I would use TOTP in preference to email backup, but that's mostly an affectation.

The reality is that TOTP has been obsolete for a while now. It's a net negative for ordinary users that is kept front-of-mind for everyone because nerds like us are attached to it.

replies(1): >>45107792 #
7. jrochkind1 ◴[] No.45107792{4}[source]
This is actually the first I've heard of this, re: considering TOTP to be not worthwhile. Can you recommend some links to material for me to read to get up to speed with the argument?
replies(2): >>45108696 #>>45110030 #
8. tptacek ◴[] No.45108696{5}[source]
Basically everything ever written about U2F, WebAuthn, and phishing-proof authentication generally is about the weaknesses of TOTP. The principal component of the problem is phishing.
replies(1): >>45110677 #
9. esseph ◴[] No.45110030{5}[source]
TOTP is not phishing resistant, passkeys are. Also can screen grab TOTP.
10. harshreality ◴[] No.45110677{6}[source]
There are sites requiring TOTP to mitigate careless users using dumb passwords, because the sites can't guarantee passwords aren't reused but they can enforce TOTP.

Even for phishing, doesn't it count for something that TOTP prevents asynchronous phishing (collect credentials on a fake site, try them in batches later)?

replies(1): >>45110750 #
11. tptacek ◴[] No.45110750{7}[source]
No, it does not. Everybody agrees that password + TOTP is better than just plain passwords. Everything is better than just plain passwords. But I've personally worked on large, high-stakes projects where TOTP phishing was a continuous problem, and it's really difficult to solve. Since we have options besides TOTP that aren't susceptible to phishing, people shouldn't be pushing TOTP anymore.
replies(1): >>45117895 #
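The phishing-resistance point made in comments 6, 8 and 11 above comes down to what the relying party can check at verification time. Added illustration (not code from the thread or from any project mentioned in it): a standard RFC 6238 TOTP verifier has only a shared secret and a clock to work with, so a valid code verifies no matter which page the user typed it into; a WebAuthn relying party checks the `origin` the browser wrote into `clientDataJSON` and the `rpIdHash` in `authenticatorData`, both of which are covered by the authenticator's signature, so an assertion produced on a lookalike origin is rejected. The secret is the RFC 4226 test-vector seed, and the WebAuthn inputs, `example.com`, the challenge value and the lookalike origin are constructed sample data; signature verification is assumed to run separately after these checks pass.

```python
"""Relying-party side of TOTP (RFC 6238) vs WebAuthn assertion verification.
Added example; the sample data below is constructed, not from any real account."""
import hashlib
import hmac
import json
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """RFC 6238 TOTP check with +/- `skew` steps of clock tolerance.
    Nothing in the inputs says where the user typed the code, so a code relayed
    within the window from any page verifies exactly like a genuine one."""
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


def verify_webauthn_assertion(client_data_json: bytes, authenticator_data: bytes,
                              expected_origin: str, expected_rp_id: str,
                              expected_challenge: str) -> bool:
    """The RP-side checks from the WebAuthn assertion procedure that give phishing
    resistance. The authenticator signs authenticator_data || SHA-256(client_data_json),
    so (assuming the signature is verified after this returns True) a lookalike site
    cannot alter the browser-supplied `origin` without invalidating the signature."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False
    if cd.get("origin") != expected_origin:          # origin is set by the browser, not the page
        return False
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(expected_rp_id.encode()).digest()):
        return False
    return bool(flags & 0x01)                          # UP (user present) flag must be set


# Constructed sample data.
SECRET = b"12345678901234567890"   # RFC 4226 test-vector seed
AUTH_DATA = hashlib.sha256(b"example.com").digest() + bytes([0x05]) + b"\x00\x00\x00\x01"
GENUINE = json.dumps({"type": "webauthn.get", "challenge": "c4fe", "origin": "https://example.com"}).encode()
LOOKALIKE = json.dumps({"type": "webauthn.get", "challenge": "c4fe", "origin": "https://examp1e.com"}).encode()
```

The TOTP code is rejected only once its time window has passed, never because of where it was entered; the WebAuthn assertion from the lookalike origin is rejected outright.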
12. jrochkind1 ◴[] No.45117895{8}[source]
What is your currently preferred option, at this moment, for a general (not an especially sensitive domain like banking) consumer site?