People have already been building auth flows that take this password amnesia into consideration. Look at Anthropic. It's just one way of doing auth and I personally hate it.
Personally, I don’t care to share the username to any account, password protected or not.
On a related note I think it is terrible security to have display name be the same as user login name.
Email accounts are the highest common denominator in online authentication. Phones are competitive, but people lose phones. Phone numbers are more common and durable, but the security of phone numbers is leagues below that of a flagship provider email account. It makes sense that so many authentication flows work this way.
When designing a "fantasy football" alternate authentication system for the Internet, start with account recovery: what happens when a user loses your fancy authenticator? If the answer is "they just don't get access anymore" or "a panel of their peers attests to them", your fantasy authentication system also needs a fantasy species of sentient beings to serve as users, because it won't work for humans.
It's an interesting design problem to have panel of peers attest an individual's identity. It could be made fairly seamless if there was a common system in which a suitably distributed authentication secret could be recombined under instruction from the relevant party. Can it be made to work for normal humans? I daresay we have the ingenuity to design something...
Apple’s Recovery Contacts are a similar idea. The main difference is that just one can help you recover your account, but it doesn’t seem too hard from a UX perspective to make 3/5 recovery contacts required to unlock an account.
We could also leverage trusted third parties for this purpose, for example, banks or DMV or Walmart.
However, there needs to be a fiduciary interest by the third-party (eg liability for identity theft, etc) in order to incentivize them to avoid fraud. It is not clear that there would be enough profit involved to offset the liability.
The Decentralized Recovery (DeRec) Alliance has recently launched to solve this very problem. Dr. Leemon Baird gave a talk last year on how this works at a higher level [0]. The alliance is comprised of members from the Algorand, Hedera, Ripple crypto communities but the application of proper DeRec would be certainly applicable anywhere you have any type of secret; in fact I believe you can be a DeRec 'helper' right now. There's a robust primer on the protocol published as well [1], here's a pull-quote:
> Decentralized recovery is a method of safeguarding a user's secret by distributing shares of that secret among multiple helpers, who store their individual share on their local device in order to help the user recover that secret in future. The shares are constructed under a threshold secret-sharing scheme (e.g. Shamir's secret sharing scheme), with a chosen threshold (defaults to half) -- at least three helpers must be present in order to use the protocol. Should the user lose access to their device, they can recover their secret data by retrieving the previously-distributed shares from at least half of their helpers. For successful recovery, the user only needs to recall the identities of half of their helpers and authenticate with them in-person.
Some day someone is going to produce a fantastic heist movie about breaking this kind of scheme - five different characters, each of which need to be scammed in different ways to obtain their piece of a shared secret.
Sadly it's quite possible this will be a dramatized version of a real-world event. We've already seen quite a few messed up crimes to steal keys to steal crypto. Secret sharing just means you need to kidnap a few extra people.
But in fact, in order to kidnap these people you'd also need to know these people, and know they are assigned to be part of the derec network. With DeRec all the helpers don't need to know about each other at all. And you may not know how many helpers a given helper has behind them. It's actually much much more difficult to do the heist-and-interrogate-with-a-pipe-wrench approach if you don't know who to beat up, nor how many of them need to authenticate.
Edit: OT but while I have a glimpse of your attention, kudos in order!! I love datasette and basically everything you write is highly useful to me!
I came up with a similar general approach about 10 years ago, but lacked the time or inclination (and probably knowledge, frankly) so I'm very pleased this is being pursued.
Of course it works. I was aware of such mechanisms appearing in the Chinese social media app WeChat years ago. In fact I would say it's a great fit for any kind of social media app that involves interacting with peers.
However the utility is probably nil if there're no social features to begin with.
Unfortunately, "they just don't get access anymore" is the usual pattern with major email providers like Google, as many people who have had a phone lost or stolen and then been locked out of their accounts forever can attest to.
Government provided digital IDs would solve a lot of this. Yes, they may have their own problems, but outsourcing the action of identifying individuals to the government seems valuable and less prone to "lock outs" like Google and friends.
> Government provided digital IDs would solve a lot of this
A lot of what? It seems like the worst of all worlds, given that ID would not only unlock some highly sensitive things, but also be difficult to change and tremendously revealing.
Nah the government could just give a website a unique id per real user per website, without revealing who the user is. Merely verifying that they are the same person as last time.
It certainly is an alternative we can at least think about.
On one hand, the certs you'd use to login to websites wouldn't even need to include any personal info at all, just a valid signature from a CA that the website knows how to verify. And the certificate wouldn't need to be the same for every website, it could be one you generate for a specific website.
On the other hand, a lot of thought would need to be put into how expiration/renewal and revocation would play into this.
Of course there should be an evaluation of the ways this could go wrong if someone from the gov misuses this CA, and how that compares to someone from your current email provider misusing their permissions.
But if nothing else, something I really want is to just be able to have an email address like `random_id@my_country.my_country_tld`, to at least have an email address where I don't have to worry about being locked out, so that I can give freely to ISP, bank, grocery delivery websites, other local companies, etc. Most of this stuff I wouldn't even mind receiving as postal mail anyway. And if shit hits the fan, I can recover access to this email account by walking to an office and identifying myself.
What I had in mind was more like randomly generated addresses as needed, all of them linked to your (one) mailbox. Like Apple's "Hide My Email", but without needing a "main"/"canonical" email address because it would be unnecessary anyway (because you would be logging in to your mailbox with your own certificate).
But even if that single-address limitation were the case, the kind of places I would give it to already require knowing my national ID number anyway, so the two particular things you mention are already the status quo.
In other words, stuff that is already tied to having a verifiable citizenship.
It has it's pros and cons, maybe more pros if you factor in that the biggest issue isn't authentication really, it's the fact that all of these private companies accrue everyone's sensitive info, which can be abused by any actor, private or public. If data were kept on the client side, and synced to other machines through P2P like WebRTC, then maybe this wouldn't be such a big deal.
Also login.gov isn't a government issued digital ID. It's just a centralised authentication platform for government use, much like using google or apple for authentication.
It supports the usual options for multifactor (TOTP, text, yubikey/other hardware auth/PIV cards) but for most users it probably ends up being SMS. At best TOTP.
The german gov ids actually have a way to issue pseudonymous tokens where websites can only see that you are the same person as last time.
You can't make 2 accounts on the same site if sich things are unwanted.
You can't link accounts across providers.
How it works under the hood?
No specific idea. I wonder if its sound.
How does the government know which token a ID card generated? The ID card itself generates (for each service a different one) and encrypts it. Not even the card reader can read it. It is a encrypted channel between the card and the ID-server for the site/service. The pseudonym function does not identify a person but a card.
The government doesn't know which card a token from a "pseudonym function" belongs to. The government can identify a person when the ID function was used, of course.
Again, it is a random token the card generates internally for each service. It is non transferable! If you get a new ID card, you can't use it login to whatever you used your old card for. (You would need something else... say an email :-) to tie the knot back to the old identity or whatever.) Which makes this function, the pseudonym function, very bad for random accounts (Edit: meaning longer lasting online identities like forums or whatever). I guess eaglemfo didn't knew.
It's more for like "yes, yes, I'm an adult, now give me this pr0n movie which I pay for with my anonym prepaid card" kind of deals.
I read this as tongue-in-cheek at first (since most web sites do their darnedest to track their users, and having a log-on kind of requires this anyway).
A centralized authentication system like this wouldn't need to be a single consistent UUID per person which was then passed around. Presumably you'd have a central login to authenticate you to the system, and then the system could create separate 'id' tokens per web site or whatever that the user logs in to.
I think I've said it before, but I want USPS-provided email. To set one up you'd go to a post office, verify your identity in some way, and set up an email. If you forget your password and want to recover it, you'd have to go back into a post office and verify your identity again.
Germany has PostIdent: you are issued a code, take it to the closest post office, hand them the code (originally this involved printouts) and your ID card and they scan your ID card and enter it into their system where the issuer of the code can then request that info to verify your identity.
This has largely been replaced by videochat for ID card verification where some underpaid person walks you through holding your ID card in front of your smartphone cameras to verify that it's real, not CG, not tampered with and matches your claimed identity.
The critical aspect here is that you don't have to hand your ID card (or a picture of it) to the company that wants to know your identity. The post office or the videochat provider serves as a trusted source of truth.
Initially when I moved to Germany I thought it was a bit of a hassle to have to go to the post office for PostIdent; now I actually miss the elegance and privacy of that system in other countries.
Stuff like national ID, banks, ISP, job search websites, doctor appointments, etc, require[1] having an email address, and it feels wrong using gmail and similar providers for these use cases that are already tied to you having a physical presence in that location anyway.
Could be provided by any local company, really, but postal services are not going to disappear anytime soon and they already have a second way of getting in contact with you if there's any issue (registered mail[2]).
Debit cards are already delivered through postal mail anyway, and there's not many things that are more sensitive than that.
[1]: Well, maybe doctor appointments don't require and only strongly encourage, but that doesn't affect the point too much.
I might have been being more simplistic than I needed to be, because there are other travel methods, but I was more meaning, "Not everyone lives next door to an international hub" (so might need a connecting domestic flight).
Everyone should experience this at least once - it’s eye opening.
I did it involuntarily because I forgot my wallet once, and decided “well, I’ll either get through and in my way, or I’m too late to drive home anyway and will miss” - and it worked fine.
Even crossed back into the USA without my passport a few times. Just additional screening and bitching is all (at least if you’re a US citizen; membership in the Empire has its perks!).
No, thank you. I don't want anybody with a fake ID of me to be able to take control of my email. I want to use my password, I want it strongly encrypted at rest, and I want to be able to reset it remotely any time of day, without waiting for the USPS office to open.
Is a fake ID going to fly at the post office, where they can scan them? Also, I was imagining they'd want more than just an ID.
edit: Also also, they have to go into a physical post office and be observed trying to steal your account.
Given how it's quite possible to steal accounts via social engineering, this seems like an improvement in security, not a reduction.
I don't want a government entity, or really any entity I'm not paying directly for their services, to be the gatekeeper between me and my accounts.
The social engineering attack surface of my account currently consists of a handful of support contacts at my ISP, who have been trained to deal with computer security. If you allow any USPS employee to access your account, you've suddenly increased the potential attack surface by several orders of magnitude.
(1) Your USPS-provided email should neither be mandatory nor the only acceptable email. It could be an extra convenience, and a low-friction way to get a reasonably secure email for first-time / technically unsavvy users.
(2) An entity you're directly paying to may go out of business, sometimes due to circumstances beyond their control. At least state-sponsored entities don't do it so abruptly in most of the "civilized world".
The account recovery process for commercial email providers usually involves you photographing your ID. Presumably the post office, in person, would be far less likely to be fooled.
The french postal services does that and includes a digital wallet and cloud repository.for instance, my paycheck certificates are delivered on this wallet.
Besides, the french administration is providing its own global scheme for online authentication.
Right now it works for all public services, but it is also open to all willing businesses.
It makes it also very easy to control tightly what kind of information is distributed to various services and businesses.
I’m not sure I trust USPS to get all of the ins/outs of email spam/security/ux right. Google has spent a lot of resources to get Gmail to where it is today, starting from scratch (or OSS) seems like a big ask.
Maybe we just ask for an open authentication system instead? Leave the email part to someone else… and maybe the open authentication can plug a crypto app/email/phone backend for recovery once it is setup. Heck, given that’s it’s the USPS, they will probably offer a snail-mail recovery option (for better or worse.)
I don't want a semi-gov't authorized service like this. Because its existence means services would want to mandate it (even if they don't truly need it), and force users to identify themselves directly - may be even across services (by matching their email address, which now must be unique as it is identity-linked).
I personally sign up to all online services with a different email each. I would like to be sure that my identity is hidden behind an alias for all services, so that they cannot be linked together. And if i want multiple accounts (for better or worse), i should be able to achieve that end.
Australia is working on zero knowledge proof. The end service only knows that you are legit/of age/etc (only what it needs) because gov service confirmed it, but does not know who you are
I haven't heard a compelling argument that anything needs to be fixed with email-based auth patterns. It is imperfect but not bad, and every proposed alternative seems to be worse.
The article seems to lean into security and usability concerns.
On the security front: the weak-point is still the human. If you hand over your credentials to someone nefarious, well.. you handed over your credentials to someone nefarious.
Usability isn't convincing me either. One of the great things about email is that it really is the lowest-common denominator, as another commenter mentioned above. (Almost) everyone, from kids to the most tech-inept luddite have some sort of email.
One flaw is I'm pretty sure a lot gmail account is lost forever. Contacting Google to retrieve access would not go well. Related is that if you try to self host email your messages are unlikely to reach anyone.
Self-hosting inbound email is trivial. Anybody will send email to any random domain, they're just not willing to accept it from random sources.
And the latter is what is relevant for password recovery.
I self-host inbound but use established servers for outbound through my ISP and have had no trouble with that setup for a while. Forwarding to people through my domain has gotten a bit more challenging lately but I've got it working well enough to satisfy gmail so far. (The advantage with forwarding is you only have to convince one server to accept it, not everyone in the world, and there's some crypto stuff involved now that involves trusting some keys, not just a domain or IP, which also helps a lot.)
That seems a great compromise. I hadn't registered the distinction in direction. Even without organising the forwarding part there are plenty of organisations that email me password resets that I don't need to send email out to.
> Self-hosting inbound email is trivial. Anybody will send email to any random domain, they're just not willing to accept it from random sources.
In terms of authentication, this is not entirely true. It's less common these days, but I used to have a lot of trouble with sites rejecting my attempts to create accounts with e-mail addresses from my disposable-e-mail-generator of choice.
Just yesterday I tried to register for a service using one of my own domain names with self hosted email. The confirmation mail arrived, but as soon as I clickes the link I was told that my email address wasn't allowed.....
Not sure what kind of crap some folks are smoking, really.
>Self-hosting inbound email is trivial. Anybody will send email to any random domain, they're just not willing to accept it from random sources.
That is simply not true. I have self-hosted email service and starting about 1.5 yr ago some big email services don't deliver emails to my server anymore. And there are many similar cases reported...
So one can say that even if an independent email service is willing to accept email traffic from any sender it does not guarantee that customers of all other services can have delivered their emails to addresses at the service.
I'm not saying there aren't flaws, I'm saying none of them happen at a rate significant enough to be worth switching to another system (with an entirely new set of flaws).
Login.gov is the US Government’s homegrown solution, which also does it. It’s not one account <-> one citizen though, which you’d probably want in a real government id system.
How about a bank-provided digital id that you get when opening an account by walking into a physical bank location and providing your photo ID? It would tick the "less prone to lock out" problem without placing even more power in government hands.
We have this in Belgium and it’s really not that good. It created a pattern of companies relying on people having an account at certain banks; which when you’re either immigrant or unbanked is unlikely and shuts you out of certain businesses.
It’s been phased out for the government provided login system which is much better but not exactly simple for laypeople to set up. On top of this, integrating with it requires an extensive certification process, it’s not just an open API.
Banking credentials are used a lot in Finland to sign into other services. This means you get phishing emails saying "your medical test results are available" or "you're getting a tax return" where the actual goal is to get into your bank account.
> “We have been working systematically for six months to get residence permit cards, then a personal number, then a Skatteverket national ID card, and finally bank accounts. To our shock, we were just told by ICA Banken that the Skatteverket National ID – the only one available to non-citizens – is not a valid source of identification for BankID.”
BankID causes problems because it isn't designed for the interests of the whole population. For example, it requires proprietary software which only runs on Microsoft Windows, macOS, iOS, or Android, with hardware verification and Google services.
This makes it unacceptable to free software advocates, and to privacy advocates, and to national data sovereignty advocates .. the total population of which is so small as to not affect the banks' commercial interests.
One thing I learned recently is how the US can, with its control over the SWIFT banking network, tell banks in other countries to shut down the account for a local citizen who the US has designated a terrorist. At least that's what I gather from the news I read after two leaders of the biggest neo-nazi group here in Sweden were designated as terrorists by the US.
If the goal is to keep power out of government hands, don't look to highly-regulated banks which are subject to the whims of multiple governments.
My wife works in a city clerk's office. They provide (among other things) vital records services for the city. Like getting birth certificates.
To get a birth certificate, you must provide government photo ID with a name matching that of one of the names on the certificate you're trying to get. So you can get your own, or your child's, but not some random other person's.
Lots of people were born before RealID driver's licenses. Some of them went by names other than the names on their birth certificates, and thus are unable to get new copies of their birth certificates using the government-issued photo ID they currently have. E.g. I've got a grandfather who went by Sam his entire life but was apparently named Harold. His driver's license had Sam as his first name. If he had lost his birth certificate, he would not have been able to obtain a new copy legally using that driver's license! This still happens to people. Also sometimes house fires or similar disasters happen, and people lack the ID needed to get new government-issued ID.
These things can be solved too, but in a more complicated process. Typically some lawyers and a judge need to get involved, get some people to testify that you are this same person, and you will be issued new ID.
> Government provided digital IDs would solve a lot of this. Yes, they may have their own problems, but outsourcing the action of identifying individuals to the government seems valuable and less prone to "lock outs" like Google and friends.
Sadly, the US government goes the other way and contracts out verification (to government websites!) to an invasive private company.
Finland tried to copy it, but the Finnish card (while based on the same technology) is used very little. Finnish banks already had their own OTP solutions, which they started offering for authentication on other web sites, so no-one wanted an extra authenticator on top of that. This of course means that you get phishing emails pretending to be from all sorts of government services, where the goal is to get your banking credentials and take your money.
Since then, mobile phone operators added their own authentication system based on credentials residing on your SIM card <https://mobiilivarmenne.fi/en/>. You prove your identity when getting a mobile phone contract and can then use that to log into many sites.
It does solve a lot of this. Some have gov’t issued IDs, others have a hybrid public/private system where banks issue the ids. But yes, a de facto standard electronic ID is almost unthinkable to not have. How else do you interact with authorities or healthcare? I used e-ID since long before smartphones, I can barely picture what it would be like to log in to handle taxes, benefits medicine recipes or doctors appointments if it worked any other way.
> Government provided digital IDs would solve a lot of this.
Over here in EU, we have something like it - you get an ID card that has two PIN codes that you can use with a card reader and some software to digitally sign documents and such: https://www.eparaksts.lv/en/ (of course, there's also a mobile version)
In addition, there now are services where you can log in to your bank account, confirm payments, or just log in to your government portal account with a two factor app, the account on which is based on your identity: https://www.smart-id.com/
So if I make a payment online with my card, I'll have to authenticate through either a code calculator (physical piece of hardware) or the phone app with codes that I've chosen, to confirm it. Same for logging into various sites, for example, for paying my utilities.
Works pretty well and if I lose my ID card, then I can get a new one, issue new certificates for the apps and continue where I left off (with the old ones being revoked). I might need a backup phone too, though, since not being able to confirm my payments if my phone breaks is pretty stupid (though I guess Revolut/PayPal/whatever still work as expected, unless I only have my OTP codes for those on said phone).
Can you expand what you mean when you say the security of phone numbers is leagues below email? If someone can gain access to someone's phone, it seems like they would gain access to their email as well.
bribe, coerce, and social engineer a phone company employee into transferring the victims phone number to you, or a technical attack to get the system to send the sms messages to a device you control, without ever touching the victim.
As others have mentioned, SIM Swap attacks are very common where the attacker impersonates the victim and convinces the mobile operator to transfer the victim’s phone number (known as MSISDN in telecom parlance) to the attacker’s SIM. If you Google SIM Swap, you will find many instances of it.
From that moment onwards, all the 2nd factor SMS OTP go to the attacker.
There are APIs that are provided by mobile operators via aggregators such as Telesign, Prove, Vonage, Twilio etc. that can be used to check if a SIM Swap has happened recently on that phone number. That API is used by fintech companies and others e.g. when they want to check if a fund transfer is to be allowed or flagged up.
Mobile phones identify themselves to the mobile network through a number called the IMEI. IMEI cloning is not particularly difficult nor does it require exotic equipment. This means that it is relatively easy for an attacker to be able to spoof your phone to a mobile network, for example, to receive SMS messages with one time passwords.
Cloning your IMEI has nothing to do with the data that is on your phone, so if someone clones your IMEI it does not mean that they have access to any of the apps or data that is on your phone.
IMEI or IMSI? I think it is the subscriber identity that is on the SIM that needs to be cloned, not the hardware identifier of the device (ie its the IMSI that matters, not the IMEI).
SIMs and SIM burners can be purchased trivially on the open market, and cloned without too much difficulty. Although, a social engineering attack on the employee at the cellphone store is a superior method since it automatically gives you a "known good" SIM with the operator's keys, etc.
Neither the IMEI nor the IMSI is used for authentication. The IMSI is slightly closer to the truth (while still missing by a mile), but without the per-IMSI authentication key (which is never transmitted over the air interface, whether in plaintext or encrypted), it's useless as well.
That's completely wrong. The IMEI doesn't play any role in GSM/UMTS/LTE/5G authentication (if it's recorded, that's usually for debugging or tracking purposes).
While there are weaknesses, every mobile phone standard since GSM (not sure about the equivalent for the CDMA world) uses cryptographic authentication, many of which have been subsequently broken, but it's just not true that simple knowledge of a bearer token, transmitted over the air interface, grants you sufficient access to receive somebody else's SMS.
Most practical attacks actually focus on either attacking the core network via SS7 (and making it deliver SMS to the attacker instead of the actual recipient) or on breaking the air interface encryption, which requires you to be physically close to the legitimate recipient while they receive the SMS over the air.
You can change your IMEI to mine right now, and absolutely nothing would happen (other than maybe our phone operator getting mildly confused, if we share one and they're tracking IMEIs for whatever reason).
And they're rather irritating to boot. TOTP authentication in something like keypass or 1password is very low friction, working automatically in ideal circumstances. Sms based ones are kludgy
Auth apps are crap - each one pretends to be unique and authoritative.
TOTP secrets are a string, not just a QR code that can only be seen once and never again - the QR code merely encodes that string! That string can be used in multiple places to generate codes. KeepassXC can do it and that can be shared. I've seen loads of organisations and sites with an elderly mobile phone that has the TOTP auth app on it. Normally MS Authenticator.
To add insult to injury, MS Auth can only have one account per email address (id@realm/whatever you want to call it).
PrivacyIdea can do email based TOTP with a PIN. That works well but does involve a two stage login with an email delivery in the middle.
I totally agree with you: the only useful delivery mechanism available is email. PGP was a nice idea and authenticator apps need to have their owner's heads bashed together to get proper interoperability sorted out. Trying to silo people in your "cloud" without interoperability with others is so sad and needy. If you don't have absolute confidence in your offering then you are shit!
A little off-topic from the matter of adoption and usability by the greater masses, but I personally prefer these RFC 6238 TOTPs that I have the choice to take into my own hands, as opposed to internet-required, server-side based like my banking app and Okta.
I have a copy of all my TOTP generators (minus my dev Okta account) in a common authenticator app and an offline copy stored in an offline password manager, further replicated with an encrypted backup service.
I was able to create my offline copy in the first place thanks to a rooted phone to export what I already had up to that point out of the authenticator app.
Of course, the discussion starts to morph when we bring in the "un-phishable" software passkeys.
I thought the Authenticator apps were great until I upgraded my iPhone and the apps lost all of my Authenticator setups. Good thing it wasn’t super critical.
I agree, for personal use cases, RFC standard TOTP that can be backed up and managed by the user is the ideal balance of security and availability.
Enterprise TOTP apps like Okta and MS Authenticator have some enhancements. Push notifications are convenient when you have to access things many times a day. More importantly, push notifications with a number-matching confirmation reduces the chance of TOTP poaching, since the user themselves are interacting with the service requiring auth.
In enterprise environments, there should be a restore process for a lost phone or authenticator. Some kind of backup code with voice/manager approval, or coming into a physical office to reset credentials. This isn't available for regular people/regular retail services except maybe banks, but banks can't even do regular TOTP correctly.
I'm increasingly coming around to the idea that in reality, there's only one factor, at least as far as the Internet is concerned: Something you know. There's different ways of knowing it and various difficulties involved in knowing it, but "something you are" is only every a fancy way of presenting something you know (because if you know it, you can generally forge it with reasonable effort) and "something you have", over the Internet, is just "something you know but is pretty difficult to directly extract".
TOTP was what really kicked me into thinking this way. They tried to make it "something you have". They tried to lock it behind apps and pretended really hard that it wasn't just a particular shared secret... but it is. It's just something you know.
The rule is, if it could be stuck in your password manager, it's a thing you know. That includes even things like Yubikeys, which are things that can be cloned and stuck in a password manager. They're just really, really hard to clone, and that's a valid step up from "a password". I'm not saying that the differences between all these "things you know" are irrelevant; they matter a lot. Having a password + a TOTP is a legitimate step up from having just either one alone. I'm just saying that analyzing things in terms of the other two factors isn't particularly relevant.
I don't think this is right. If there's a shared secret like a TOTP seed, that's in theory a "something you know", but if I don't know it, then who does? The point of "something you have" is that you own a device that "knows" it for you, and you never even need to see or expose the underlying secret, you just copy a token proving that the device you have knows the secret. I think that does count as an additional factor.
Of course if someone is memorizing the TOTP seed and generating the proof on the fly every time, then there's no shift in factor, but no one is doing that. And if they're saving the password on the same device that stores the TOTP code, then we're back to one factor, but now it's just 2x "something you have" at that point.
"that's in theory a "something you know", but if I don't know it, then who does"
An attacker. Your knowledge is much less interesting that the knowledge the server has, which is what the attacker can obtain. Grabbing a TOTP key out of a database is not materially different than a password.
TOTP's different characteristics mean it's harder to intercept, but passwords tend to be stolen nowadays moreso than intercepted, if only because you can intercept only one at a time but can steal the entire database.
The different characteristics mean it can add a bit of utility to a normal password, but I think it's less night-and-day than it was presented as.
Yes, if you don't control the hardware at the user's end, the only factor you can get is "something you know".
All the things around improving web authentication are just about people not having to memorize that something you know and protecting it against eavesdroppers.
> That includes even things like Yubikeys, which are things that can be cloned and stuck in a password manager. They're just really, really hard to clone, and that's a valid step up from "a password".
That's reductionist way past the point of being a useful model of authentication factors.
By that logic, even biometric factors are "something you know", as you can always (with a lot of effort) physically replicate a fingerprint/retina/genome you have a sufficiently high fidelity recording of.
"By that logic, even biometric factors are "something you know","
You clearly mean that as a reduction to absurdity, but, yes, I mean exactly that. Pretty much said so.
It is "reductionist" if you insist the only valid framework is "what have have/know/are", and you view what I'm saying as the intersection of what I'm actually saying and that model. I am claiming the have/know/are is reductionist, and to a large degree outright wrong, because it is focusing on the wrong thing. Look at it the way I'm looking at it and the authentication questions become richer and easier to understand.
Unfortunately, it also means that there's more things that are either hard or impossible than the have/know/are methodology promises, because two of the things that methodology promises effectively don't exist. (Unless you are controlling physical access, and willing to spend a lot of money on hardware and human verification of the correct use of the hardware.) But since I believe that is an accurate reflection of reality, blame reality, not the model.
While the "something you x" model has many limitations (and I practically disagree with some regulatory bodies on what does and does not constitute a "true" expression of one of these factors), I don't think that these limitations refute it in the abstract.
> To add insult to injury, MS Auth can only have one account per email address (id@realm/whatever you want to call it)
When this was discussed [1] on HN a few weeks ago, I don't recall anyone reporting reproducing it. Several people, including me, reported having many accounts in MS Authenticator that have the same email address with no problem.
The otpauth URI that is encoded in a TOTP QR code looks like this:
otpauth://totp/LABEL?parameter_list
The LABEL is supposed to serve as a unique identifier for the account. It has the format "Issuer:Account". The "Account" part is required. The "Issuer" is optional (and the ":" omitted if the issuer is not present).
The parameter list is an & separated list of name=value pairs. It includes the "secret" parameter which gives the TOTP secret. An optional parameter is "issuer", which should match the "issuer" part of the label if that is present.
It sounds like what is happening is that there are some sites who do not include the "issuer" part the the label, and they let the user use a user provided email address as the account name.
If a given user uses two such sites and provides the same email address to both, then there will be a collision. If they also do not include an issuer parameter an authenticator app has no way to know just from the data in the codes that they are from different sites.
> If the answer is "they just don't get access anymore" or "a panel of their peers attests to them", your fantasy authentication system also needs a fantasy species of sentient beings to serve as users, because it won't work for humans.
This has been my single biggest argument against blockchain/cryptocurrency stuff for years: the "lose your key, lose your wallet" thing is fundamentally incompatible with real users.
Humans need to be able to recover from their mistakes.
At which point I gained the problem of having to keep track of all of my microwallets securely, hopefully in a way that survives my phone being lost, a house fire, or my untimely death, leaving the wealth to inheritors. All while, at the same time, not ending up behind a single key that has access to all the information to those micro wallets.
Quickly you end up in a situation that either starts to look like how financial companies keep their most high risk keys, or end up outsourcing the whole thing to something that quickly starts to resemble your bank.
So ultimately it's just like cash: Fine for small amounts. Risky, but maybe livable for somewhat larger accounts, or a giant headache that will probably bite you when you start looking at lifetime savings.
A $1 note being a macro scale physical object enjoys a variety of benefits such as object permanence which provide a baseline level of recoverability. Whereas a wallet key l, being a number, enjoys no such protections.
Of course you may choose to encode your wallet key on paper, metal, or stone granting it properties not unlike a note. However you have now compromised the security of your wallet as well it becomes no mere $1 note, rather it is a note that represents all or a significant fraction of your net worth.
There's no fundamental property of the monetary system that prevents transfers of arbitrary value across international borders. There's just a large number of financial regulators, border guards, etc. who will throw you in jail if you carry a big block of gold across the border or accept a large wire transfer without filling out the necessary forms. In many countries, the laws governing those forms don't yet apply to cryptocurrencies, but I'm skeptical it will remain that way forever.
That's true, and the AML laws for crypto are already becoming more strict, especially in Europe. But in practice, it will be much easier to evade those laws than it is with fiat transfers or moving physical cash/gold.
For the system yes, a dropped coin eventually reenters the market and a burned bill can be reprinted again. Can't say the same about a crypto wallet. For an individual though, in both cases, a lost wallet is a lost wallet.
While an interesting difference to study, the average person is not going to care about the former case. They just don't want to keep their life savings in an asset as easy to loose as their pocket money.
If you drop your wallet in a bar, there's a chance you can recover it by returning to the bar and searching for it, by the bartender or a patron returning it to you based on the address or a number in your wallet, etc. Physical money really is not the same, even for the individual.
Yes, by evolving banks to solve some of the problems of lugging around lots of cash and/or stuffing it in a trunk in your house. And assuming you are known at your bank and/or can (eventually) prove your identity there, you don't have the same "lost wallet" problem being discussed here.
Money occupies physical space, so for most of history there was a pretty low cap on how much you could bring with you at once, which placed a cap on how much a single mistake could cost you.
Currency was traditionally made of precious metals which often gave them a rather high starting point of value. It also made them inflation resistant meaning the real value only grew over time. For instance in the Roman Empire an aureus [1] was worth 25 denarii (prior to inflation) and was about 2cm in size, so roughly the same size as a dime, made of pure gold. And a denarius was worth about a day's wages. So you could comfortably hold decades of wages in a small coin purse. And as inflation ravaged the Empire a single aureus gradually came to be worth thousands of denarii.
This is what transit payment cards in Japan at least do, you can tap to pay most places but there’s a cap of 20k yen you can add to your card, so there’s a cap to how much you can lose.
I love how these cards work in Japan. There’s a bunch of different operators but they all work across the country – for example, if you buy a KITACA in Sapporo, you can use it in Tokyo and Osaka and anywhere else. And of course you can use them in a bunch of places, from all the transit options to vending machines and coin lockers on stations to konbini everywhere and even some restaurants.
Yeah and it sucked which is why we invented better solutions.
What most bitcoin fans seem not to understand is that for the vast majority of people, transactions being reversible by authority figures is desirable.
Yes and people quickly realized that there is an amount they don’t want to carry around. No one carries their life savings and few would even keep it in a safe in their house.
And the notion of credit has been a thing even longer than both money and banks. You don't need to carry money around for every little transaction if people know you're good for it someday in the the future.
Don't you need an idea of credit for money to work at all? You need to be able to trust that the shiny rock you give me today for my wheat will be worth anything tomorrow when I want some of your meat.
I've heard that a lot about cryptocurrency, but aren't there plenty of cryptocurrency users who have never lost their wallet and have good personal opsec?
Maybe the issue is trying to force one solution for everyone.
The issue in not trying to force one solution for everyone becomes a blocker when you intend on making some technology useful and essential to everyone, hence, no one seriously gives a damn about crypto anymore.
Maybe instead of a crypto brokerage holding your wallet, there can be a "key bank" which uses those more expensive methods of attestation and you can use it for recovery if you lose your key up to once per year or something. It would be like having your key written down in a safety deposit box at a local or regional bank.
This is the same problem that you run into with secret zero and commonly discussed in context of HashiCorp Vault. At some point you need to store the unlock keys then you need another repository under RBAC to protect that repository. They say to print out the keys and store them offline on paper but how many own a Class 5 safe ?
> These safes are certified for classified use and they are safe.
The website says "10 minutes against forced entry". That's not safe.
No safe is safe against a state level actor. No safe is safe against "hit you with a crowbar until you open the safe".
Whatever secrets you have, it's better to hide them than to put them in such a conspicuous place. The only reason one should use a safe is as a plausible decoy...
Yea but you have multiple pieces of the secret to restart your Vault instance. Now you need to go to everyone’s office or home to get this secret to restore it.
I am referring to Shamir algorithm that Vault uses
Maybe the key bank could hold your digital money as well. Then we wouldn’t need a blockchain and your transactions could be instant, free, private and reversible.
Collaborative custody multisig providers have been in business for years. Recently even Block (CashApp etc) has introduced a product with this feature.
By geographically distributing your signing devices you improve both security and reliability. One of those keys can be hosted by a third party to be used for recovery, without providing them any ability to touch your funds without your involvement.
> This has been my single biggest argument against blockchain/cryptocurrency stuff for years: the "lose your key, lose your wallet" thing is fundamentally incompatible with real users.
This would make currency fundamentally incompatible with real users. Reality says otherwise.
Currency in the real world has many, many backups. For example, if I forgot the PIN number to a very old bank account that I later find a long lost relative recently put hundreds of thousands of dollars into when they passed away, I have other avenues to recover access. They might be annoying or require work (getting an affidavit, multiple forms of ID, etc) but it's not irrevocable in the way that a strict definition of bitcoin is.
It's a lot harder for the average person to lose 1 million dollars in cash than in Bitcoin because humans naturally understand the exchange of physical objects.
If I have a duffel bag of money, it is obvious that physical possession of the bills means I can access its value. Anything negating that possession would cost me my money. I should probably keep it away from open flames and water; but it's not going to spontaneously combust. A thief would need to physically take the money in the duffel bag for me to lose the value.
Meanwhile if I store Bitcoin on a USB drive the drive might randomly fail and I lose all my money (because I'm actually storing a key to access it) even though I still have the USB stick. The solution is to back up my key in multiple places simultaneously, which doesn't make sense to most people (how can money be in two places at once?)
If I plug the USB stick into the wrong computer, someone can steal all my money (because they can find out what the key is) without me ever losing the USB stick.
Virtually every human on Earth understands the notions of object permanence and that objects can be exchanged for other objects. This is intuitive from evolution and actual monkeys can comprehend physical currency.[1] I don't see how cryptocurrency can be on that level.
In reality I've found a lost wallet and helped return it to its owner. At least twice, actually. Both times because there was an identifying name in the wallet.
Then there's the time as a kid when we found $60 on the floor at a department store, and turned it over to lost&found. I remember it because the store had a policy that if cash hadn't been claimed for a month, then the person who turned it in got it. Which we did.
> the "lose your key, lose your wallet" thing is fundamentally incompatible with real users.
You're allowed to store your key at the bank if this is an issue for you. It's less secure than memorizing it, but obviously equally as secure as your bank account is.
I don't understand why this was downvoted. In case it's not clear: (S)he's saying to split the key into multiple shares that can be used to reconstruct the key if you have a large enough quorum. Then store each share in a different place. As long as you don't lose too many of the shares, you'll be fine. And one baddie is NOT enough to get the key.
Either shuffling those keys stored in N different deposit boxes is overly complicated for a normal person, or it is not overly complicated for a moderately dedicated baddie either
Unless the "baddie" in this case is the government, why would it be easy for anyone to obtain access to multiple secrets stored in multiple boxes/banks?
Multisig is a pretty common setup for crypto and there is software that makes it easier.
"Mom, I already told you: you have to generate a key pair, split the private key into three parts using Shamir' secret sharing algorithm, then give each part to three banks. Whenever you want to use it, you have to go collect it from each of those banks---but DON'T write it down anywhere---and perform your transaction"
And to think the conversation started with an observation that people can't even remember one password.
I agree, there's miles of runway remaining for improving the UX. I actually think it'd be neat if a crypto had this (and a few other things) as a baked-in feature. i.e. In order to create a wallet in the first place, you need to identify e.g. 5 trusted friends who'll serve as recovery partners. Maybe it's initially tied to the same invite mechanic used to join the ecosystem. Could be done in a privacy-preserving (and to some degree anonymity-preserving) fashion. The right UI could make this even simpler than recovering a Gmail account. Everyone would just have it set up, and these conversations about losing your keys would be a relic of the past.
"soerxpso" said "store your key at the bank", but you are saying "two or N places". So it sounds like 1 bank is less secure for your key then 1 bank is for your money, because you need two or more banks for your key, while 1 bank for your money is sufficient. Correct?
I stay away from everything crypto but I don't see the difference. In both cases if they didn't make it right you'd go to the courts and make your case that they are at fault and owe you compensation.
They're just different things. The FDIC insurance is for if the bank itself goes insolvent and they literally don't have enough money to cover their depositors' balances anymore. There's no reason a safe deposit box would be affected.
Probably varies from bank to bank, but in my experience you have to specifically buy separate insurance if you want the content of your deposit box insured. The big problem from the bank's point of view is that, unlike your bank account, the bank doesn't know what you have in the box and thus has no idea what to insure it for and no way to verify any claim.
More importantly the bank doesn't profit more from something more valuable being in your safety deposit box so it doesn't make economic sense for them to be the one insuring it.
Yes, they are different things. A safe deposit box wouldn't be affected by the banks insolvency.
A safe deposit box may be affected by other things and if those things happen they don't have to "make it right", if you go to the courts and make your case you may find that they are not at fault and you are not owed any compensation.
I might be mistaken, but are not several "traditional" banks offering crypto wallets for customers? Is there a realistic chance this kind of bank is going to steal their customers' crypto and going (at least, next to criminal investigations) bankrupt over it?
Sure, they could. Would that be any different from how a bank could steal funds from a traditional deposit account?
By making a bank the custodian of your crypto wallet, you're placing your trust in them and should have similar legal recourse you would have had with a fiat deposit.
I am not sure if you are objecting. Definitely you need to trust your bank if you are going store your crypto with them. I just do not see any large traditional bank stealing their customers' crypto and hoping to get away with it.
As far as I know all the cases of stolen crypto have been newly founded companies with their only business being your crypto. That is quite unlike the other kind of bank.
Are you referring to a physical lockbox? Because if so, that is certainly not as secure as your bank account, because criminals could not drain your bank account by breaking into a bank, nor could your account’s funds be lost if the physical location were destroyed by a flood or other disaster.
Even if you are referring to digital storage managed by the bank, presumably competently enough to avoid data loss, if that data is exfiltrated your wallet will be drained. It would be very difficult for a hacker to irreversibly drain your bank account (given the type and terms of the account, but will apply to most savings accounts), due to the protection and delay systems in place meant to catch fraudulent or unauthorized activity. Note that this definition of “unauthorized” actually means “not authorized by the human being who owns this account”, instead of the crypto definition of “not authorized by someone who knows the correct secret”.
>> If the answer is "they just don't get access anymore" or "a panel of their peers attests to them", your fantasy authentication system also needs a fantasy species of sentient beings to serve as users, because it won't work for humans.
>This has been my single biggest argument against fiat currency stuff for years: the "lose your money, lose your money" thing is fundamentally incompatible with real users. Humans need to be able to recover from their mistakes.
And yet, for the very longest time, it was the default position for humans.
For at least 12,000 years, humans have been getting very good at holding on to physical things.
Digital things, not so much. I'm a professional in the field, yet I've lost digital data in the past few years. Normal users who work in other fields? Lost cause.
Yes obviously if your money is completely burned then it's gone, but that is generally pretty unlikely to happen. Losing your digital key is many orders of magnitude more likely to happen in my opinion. And there is - by design - absolutely no way to get it back. That makes using blockchain for anything serious completely untenable in my opinion.
It doesn't need to be completely burned to be gone:
"No redemption will be made when (...) Fragments and remnants presented which represent 50% or less of a note are identifiable as United States currency but the method of destruction and supporting evidence do not satisfy the Treasury that the missing portion has been totally destroyed"
Accidentally burning money is a very low probably event. Forgetting passwords or any type of memorized secret is the most likely default outcome, and chance only increases with time passing.
> [...] the "lose your key, lose your wallet" thing is fundamentally incompatible with real users. Humans need to be able to recover from their mistakes.
Maybe it's my memory playing tricks, or I've only seen the good articles, but I believe nearly every single article about setting up a self-managed crypto wallet had stressed out the importance of having a backup. Serious ones had even explained the 3-2-1 rule. Then the hype came, with it came scams and pumps-and-dumps and NFTs and whatever, and crypto became a clusterfuck that a lot of people didn't want to touch. Yuck.
That's probably the one thing cryptocurrency communities undeniably got right. Quite unlike the Passkeys, where I've yet to see any official or semi-official demo site that even has a flow for adding a second token (some actual sites do, but not the demos).
We should start teaching basic backup strategies in schools. It's not some advanced rocket science, and it's a knowledge that's useful to anyone who deals with information (that is, literally anyone participating in the modern society).
Also, this user unfriendliness is extremely temporary, because computers and Internet are new (at the scale of societies), and there are plenty of folks who had only started to use them later in their lives. After you lose some file or account (ideally, as a kid, so it's not something serious) you start to understand the old adage about those whose do backups and those who don't do them _yet_.
How many forms of backup survive "the government threw you in prison for years?" Even Gmail will refuse to authenticate a correct password with "we couldn't verify it was you" if you never binded your account to a phone and just got out of prison 3 years later.
Uh, well, in context of crypto - your (self-owned) crypto wallet totally would work.
As for email... Sure, I guess it depends on the service and their policies. But here's an anecdote. A few years ago, I've managed to log in in to a completely forgotten 10+ years old email account, finding its password in an old backup. It worked. ¯\(ツ)/¯
If an user cannot log in with a valid credentials, without brute-forcing them, after some years of absence, it's absolutely the service's fault. Of course, in the modern world, customer issues mean nothing so anything goes. But -quoting GP post - when designing a "fantasy football" alternate authentication system for the Internet, this probably shouldn't be a thing.
i think you’re sidestepping the parent’s point: if it depends on users doing the right thing every time, it’s not compatible with the real world.
yes, the advice about wallets is “make a backup”. the advice about passwords is “don’t reuse them”, yet the VAST majority of users use the same password for banking, email, and their phone provider. so what do you think the chances are that your average user makes a backup of their wallet AND remember where it is in three years?
> I believe nearly every single article about setting up a self-managed crypto wallet had stressed out the importance of having a backup. Serious ones had even explained the 3-2-1 rule.
Yes, this is why it is incompatible with widespread adoption. Most people do not want to do this, and in fact could not do so effectively without learning and thinking a good deal more about computers and risk scenarios, which they don’t want to do and will not do.
You are correct that it is a solution. However, it is not a solution that will ever be adopted on a wide scale.
Yes, and I think that's not because they don't want to do it but because:
1) they don't know that they should do this;
2) they don't know why should they do this;
2) they don't know how to do this;
3) because even the systems marketed as current state-of-art (Passkeys) are poorly designed and don't even allow to have proper 3-2-1 backups conveniently (can't enroll a device sitting in a safe, it must be physically brought online which beats the whole point of offsite backups).
Design it to make backups and failover secure yet easy, available out-of-box, and explicitly recommending best practices to follow - and everyone will do it as a no-brainer, at least for anything they care about.
Until recently no one told people to not reuse passwords. Even today most password-based signup forms just ask for password and maybe tell the requirements (length, characters) but extremely rarely they explain anything about uniqueness, randomness or anything else. No surprise it sucks hard in practice, when nearly everyone ignores the education aspect.
People aren't stupid. At least in general. They're just blissfully unaware about a lot of things, especially the older generations. What is impossible in real world is designing a fantasy football nanny authentication system to "safeguard" them, without making a lot of undesirable sacrifices. We manage to explain people to not poke with scissors into electrical outlets (and make it hard to do so accidentally) - we can manage similar stuff with computers too.
> We manage to explain people to not poke with scissors into electrical outlets (and make it hard to do so accidentally) - we can manage similar stuff with computers too.
I don't think this is a good analogy, because the example is simply warning people of a thing not to do. It takes no effort. Maintaining backups does take effort. This is more like getting people to pick up a new chore, just like how many people see interacting with their bank and financial services as a chore.
Many people who work in IT (or are into computers as a hobby) discount the effort it takes, because there is a lot less friction between them and computers than for the average person.
> even the systems marketed as current state-of-art (Passkeys) are poorly designed and don't even allow to have proper 3-2-1 backups conveniently (can't enroll a device sitting in a safe, it must be physically brought online which beats the whole point of offsite backups).
Design it to make backups and failover secure yet easy, available out-of-box, and explicitly recommending best practices to follow - and everyone will do it as a no-brainer, at least for anything they care about.
People have been saying this for a long time. "We just need a better system!" The system doesn't exist because people don't want a system that requires effort. It requires effort to protect a secret that, if leaked or lost, would irreversibly result in your financial ruin. It requires a lot less ongoing effort (to a non computer savvy person) to use financial institutions to store their money securely.
People will choose the system that safeguards them and makes sacrifices that many computer security and freedom oriented people will find undesirable. This is demonstrated by the choices that people have repeatedly made.
I strongly disagree, but I feel that the conversation would be pointless fight of beliefs, unless I actually design and showcase a solution that would be simple yet secure (and I don't want anything that takes effort) - but that will take me a while to work on.
The idea is that user shouldn't have any friction, besides meeting minimal requirements: 1) being capable of reading (or otherwise accessing the text) and comprehending simple instructions; and 2) having certain minimally required hardware or software installed.
I'm sure this is doable and every primitive to build this already exists and vetted by competent people. I'm sure it's possible for a layman non-technical person with normal cognitive capabilities to have a safe authentication solution (which is very different from data backups) with full ownership of their identities and credentials.
Sure there are people that cannot read or cannot comprehend things. A lot of people. I've seen way too many folks who had simple and clear ELI5-grade instructions with zero technical jargon - and nonetheless had failed to follow them because "computers hard". In some case it's the fault of UI or UX, but I strongly believe in most cases it's just learned helplessness - "computers are not my thing and they're hard" and brain shuts off instead of even trying to read. The only solutions are to 1) make them actually interested in achieving their goals (worked for my dad - man went from "I don't know and don't understand [and 'I don't want to' in the tone], order this for me" to suddenly figuring it all out and placing online orders in just a few minutes as soon as he actually needed something when I wasn't around to help), and 2) make sure they have all materials accessible, well structured and covering as many possible scenarios as possible so it's all there the moment they snap out of their learned helplessness. Nothing else works as it is fundamentally impossible to design anything that would work even if people don't read and don't think.
I have some sketches in my mind, specifically focusing on use by laypeople without making compromises about fundamentals (like what is identity - a lot of modern auth perverts this concept badly). I'll give it a try someday, actually drawing it all and writing notes on the inner workings. Wish there'd be a ten of me and we'd have 240 hours a day... Sorry.
> This is demonstrated by the choices that people have repeatedly made.
I'm afraid this is a very bad attitude to follow. The choices people had repeatedly made got us in quite a bad place. Just look at the poster child - IoT - it's a complete disaster. Online auth is in a very similar poor and messed up state, it just less visible.
I think we may be passing as ships in the night a little bit - that is, I thought we were talking about cryptocurrency wallets, and the merits of a system with authentication relying entirely on cryptographic secrets.
I wish you luck in your development of such a system. I don't disagree with anything you said about learned helplessness, and I think it can be fruitful to push individuals or groups to overcome it, but I think trying to do that to the general populace is like trying to change the wind.
People's bank accounts are irreversibly hacked, emptied, frozen, seized, blocked, impounded, garnished on a daily basis. That you haven't encountered it yet, doesn't mean it's not happening.
People should have a choice which system suits them more.
Not reusing passwords at all is pretty impractical. If you really want to depend on a single password manager then you have some other issues. Usually I have settled for rotating, compartmentalized password modules which allows me to somewhat rather than fully contain a compromised password. And if your modular password has three slots (term taken from linguistics) then you can compose passwords which reuse parts, are memorizable, and not automatically reusable on other services.
The problem though is that since one has a number of passwords which may be different but closely related, a human may be able to infer a few possible passwords from a few compromised ones. In other words it still dramatically shrinks the key space an attacker might want to try to brute force. Preventing re-use is then a problem for 2fa regimes.
For my part I won't use passwords I cannot memorize and keep memorized in relation to the web site.
With current currencies you don't have an option, you HAVE to give your money to banks and accept its consequences, like losing privacy, risk of have it frozen, etc.
With cryptocurrencies at least you have an option, you can leave it at a custodial wallet that can manage some of the security for you or you can have a non-custodial wallet.
If the answer is "they just don't get access anymore" or "a panel of their peers attests to them", your fantasy authentication system also needs a fantasy species of sentient beings to serve as users, because it won't work for humans.
It won't work for 99.99% of services, but it can work if your service is huge. WeChat uses a mechanism like this, and it works well.
Maybe we should support logging in with an OTP to email for many more systems than we do currently? Combined with conditional access and MFA its actually not bad.
No password to remember and supports this "pattern"
I've seen a couple of enterprise/corporate services switch to the "OTP via email" pattern (usually as mandatory 2FA), and I hate it, because there's no way for me to autofill that email OTP, unlike for e.g. WebAuthN or TOTP.
>Phone numbers are more common and durable, but the security of phone numbers is leagues below that of a flagship provider email account.
With the - "we banned your account for no reason, and you have no way to appeal and we don't even tell you why we banned you" flagship provider email account caveat.
Everything is vulnerable. Lost my email when email provider (openmailbox.org) closed, with no chance of recovery. And with it lost a 28-years old domain.
People have lost Gmail accounts over some YouTube comment.
Lost my phone couple of times and was able to restore authy from backup ok.
As long as the email account is secure, and the throw-away one-time passwords are good, you have the frequent-rotation passwords security advocates dream about. Indeed, hand them a secure password they have to use (and forget).
I just made it an option in the "I don't have a password" form that instead of setting a password it just logs them in. So they don't even see / have a password to remember.
> whether we can take advantage of people’s tendencies towards learned behaviour like this
See, thoughts like that turn into billion dollar valuations at Series B for, among other things, a login button that emails you a login link, taking advantage of people's tendencies towards behavior like this:
You posit a good question but it would be interesting to take a step further and discuss some potential alternatives, or expand on why "email is authentication" is/isn't the best option there is.
I’ll be hyperbolic and say the login flow is identical.
A) Go to website, click through a password manager to copy and paste an arbitrary string of characters, receive TOTP request sent to your email to confirm your identity.
Or
B) Go to website, click forgot my password. Receive link to login. Enter an arbitrary string of characters.
In many instances, login flow B is actually quicker and seldom slower.
Clicking the “remember me” checkbox has no effect.
People who don't use something which integrates with the browser. People who run into the (uncommon but noticeable) edge cases where the password manager decides to not auto fill the password.
When it doesn’t work I get. I run into that from time to time.
But I don’t think normal users want ones that don’t sync or integrate with the browser. I believe you can turn both off for Safari but that defeats the whole purpose in my mind.
I suppose the reason is because the Bitwarden option is cross platform and I don't want to sync two password managers.
However when using Bitwarden the recent guidance is to turn off autofill[1] but even with it enabled it sometimes breaks hence my “seldom” caveat.
I am heavily biased to prefer passkeys but as with magiclinks before them saw the rollout was badly botched. Specifically with regards to supporting multiple keys and revocation[2][3]. The standard supports correct implementation but don't require it; meaning most current rollouts are half baked and will remain that way.
Ctrl-C and Ctrl-V work consistently on Windows + Linux. For Android, almost same experience with KeePassDroid that shows notifications to Ctrl-C the user and the password.
I do! And way more than I would like, because for some reason it's "modern" to have a login flow that first requests your email, and then you have to click next for it to request your password...
Not even gonna go into detail about all the other cases like websites that have such bad field identification that the password manager has no clue where to put the username/email or 99% of sites that don't have autocomplete="one-time-code" on the 2FA field so now you have to copy paste the 2fa.
Plus all the android buggyness where the auto-complete from the password manager just doesn't show up at all so you have to switch apps and copy/paste the credentials manually... when it works (and doesn't clear the fields as you swap between apps... I swear built-in chrome windows is a mistake).
Keepassxc's desktop browser extension allows you to specify the username and password boxes. Even if they are on separate pages. It's really a painless 15 second process.
I have to do it on my bank's website every few months.
> And way more than I would like, because for some reason it's "modern" to have a login flow that first requests your email, and then you have to click next for it to request your password...
There's a reason for that, and it's not because of 'trendy', it's because the backend will examine the email address and decide which password authentication mechanism the user chose: FB/Google/etc, or authenticator app, or plain old password, or some third-party SSO provider, etc.
Me, every time another site annoyingly breaks autofill, sometimes even intentionally ("Password managers not allowed! Make sure to memorize your password, but still use at least 5 special characters and include at least 3 titles of ABBA songs!!").
I’d prefer my passwords, foundational identity documents, and other sensitive information are as separate as possible from the place where I execute untrusted remote code a bazillion times a day. Making it programmatically available is the opposite of separate.
my wife chooses not to let chrome remember her passwords because she thinks it's lazy and insecure: everyone uses chrome, how will chrome know not to give her password to someone else?
TOTP is not really something that would be sent to your email. The entire point of TOTP is that you can generate the auth code yourself, from the current time and a pre-shared secret.
Some apps enforce this flow, e.g. there is no way to log in with a password. I hate this.
Because of the developers of these apps assuming that E-mail guarantees instant delivery (it doesn't), I can't use greylisting, which reduced spam very significantly.
Too many don't actually verify the identity. I often get emails lying in the footer with something like "you are receiving these emails because you signed up" - no I didn't, someone else did, and you didn't check. But fast onboarding is king, right?
And then the unsubscribe, close account, or basic support is all locked behind the login, or it's an international phone call. As far as I know, even if it's my email it's not legally my account so signing in would be illegal.
At this point why not just pass a one-time url link to your email address, and have it be a single click to login? Have it expire within 10 mins if not used, and be one-time use disposable. Still, anyone who has the link initially should be able to login with your account - but it's only accessible from your email.
Obliterates all sense of security beyond the email account itself, but that's where we're at anyway. Do the same pattern with a message to your phone "click to authenticate login: www.someurl.com?p=134234535" and you've got 2FA without any dumb "enter this code".
Yep, I really hate when I have to go to email to get a verification code or click link to verify. I have a password keeper and 2fa for a reason. I hate the wait.
Oh I dont mean do it instead of passwords (if you remember them), but just as an alternative to the Forget Password or Authenticate dialogs using security codes. Should just be a "LOGIN HERE" mashable button
I'm coding up a webapp with this exact login process - the issue I've found is on mobile phones - apps like gmail won't let you copy the link into a browser without a preview. The preview consumes the link. (next.js auth)
It's a bit annoying, since I don't want to login into the gmail in-app browser, I want to login on my regular browser.
Don’t forget some people have antivirus scanners that will load up every link when the email is opened, so you can’t have the link expire after 1 visit.
This is I think why unsubscribe links now have a single button saying “Unsubscribe” or similar when you press them. Likewise anything interesting should require a 2nd user action after loading the page.
Yes easy mistake to make. But this goes back to HTTP basics: a GET request shouldn’t mutate state. Either don’t consume the link (ie allow reuse), have a user confirm action with POST, send a code instead. There are many alternatives.
Personal favorite? Send a 6-digit code with ~1h expiry, exchange for a refresh token and keep the session for a long time. If you have really high value irreversible actions then you can just confirm with a new code.
Also works if mail client is on a different device.
Pleas don’t force this login method. It is extremely annoying for anyone with a non-standard email setup (often for security reasons), and is slow as all hell.
I'd argue at this point that magic links are more secure:
1. Nearly every online service needs some sort of "forgot password" flow, and often times that flows boils down to what is essentially a magic link like TFA is about.
2. The vast majority of users these days use either personal email accounts from one of the big providers (Google, Yahoo, MS), or they use corporate accounts often through a hosted solution. 9 times out of 10 I'd bet the email provider has better security than whatever rinky dink website you may be creating an account on.
Emailing magic links is essentially "poor man's SSO". It makes much more sense IMO to have super secure email accounts (e.g. ideally with passkeys) and then just use magic links for everything else.
Learning how to password effectively is something that comes up in B2B in many non trivial software.
Magic link is effectively passwordless login, behind a facade outsourced to a third party provider.
Passwords are much more actual consent, than clicking on a link in an email account that might be open on a screen or device... not always.
SSO is technically easier than poor man's sso, it's just one click once logged in. Magic links make me switch a screen to make it easier for the developers of Magic Link to not implement SSO.
Fingerprints are a username, not a username+password. It's super convenient, but well established not secure.
Face-ID logins are more a username, should not be a username+password - selling it as secure is not ideal, but it is super convenient.
SMS verifications too, are a little weak, since SMS' generally are like post cards. But they are very convenient. Until someone does something to get malware into your phone, or your phone number itself which seems to happen so often.
Now, magic links are very convenient. And definitely can remove friction to you know, get a user onboarding to the point of adoption.
Agreed with OP, the security is basically nonexistent anyway due to Forgot Password flow making email the authority regardless. Sure, add a user/pass flow in addition for convenience and added security (i.e. delay the 3 minutes it takes to do a reset), but any real security would have to remove Forgot Password altogether or seriously delay turnaround time.
Please never do this short amount of time. Email isn't reliable time-wise for delivery. You have systems like Postgrey (one of the basic spam protections for email servers) and deliberately pretends the email server is offline for emails from new servers until they server retries a set number of times.
Not to mention if your email ends up in a corporate quarantine until you can request it released.
I use a web service which does this. It's mildly annoying having to switch apps/tabs just to login, but hey at least it's not another password to remember.
Base password plus company name or initials. One password mutated into infinite variations that are easy to remember. This has been working fine for me for at least 15 years.
You'll be surprised how many diceware passwords you're able to remember.
It can go two ways depending on your preferences: use a shorter passphrase generated from a large dictionary; a good one can be obtained from 1password:
A lot of sites do this, annoyingly. I hate when my internet experience is degraded because the bottom pentile of users can't figure out how to do something.
Yes, why must the majority suffer because a few dumb dumbs can’t remember their passwords? We need to subsidizing stupidity or else we will get more stupidity.
I hate this with a passion and many sites use it like anthropic and clipdrop, I stopped buying credits on Clipdrop because logging in was so annoying. My email is on my phone and I want to access the site on my laptop. This adds so much friction and turns a 5 second task with one to two clicks into a longer than a minute task with many clicks. I emailed anthropic about this and they did added a login with google option but just let us use an email and password please.
WELL FUCK YOU TOO! - jk, I agree. Password option should be there still for saving sessions and avoiding this crap beyond the first registration (if you remember password), but I just meant this should be the baseline expectation of login flow. Oneclick google/facebook/etc too, despite those being an extra level of corporate data hell
At that point you might as well go all in on single sign on. 95% of all users are going to be on gmail, outlook or apple anyway. Better to have a "sign in with google" button rather than "send a link to your (g)mail". They can track you either way.
Agreed. Do password login option too if you remember it - all work - but point being just make it a giant "LOGIN HERE" button that just does the thing as mindlessly as possible.
I despise magic links. The rare few times I have to log back into Notion or Slack, I want to rip my hair out because of how annoying of a system it is.
Please, for the love of god, just let me use my username/email and password. Have the magic link for the dummies that don't use a password manager if you have to, just let me do the username + password way.
Beyond the valid reasons in the sibling comment (e.g. not accessing personal email on a work device), it is also a security risk. Access to your email is typically sufficient to gain access to everything else. I use an email for accounts that syncs with my phone only, and I lock it down tight.
Hah this blew up. tbf I meant instead of any Forgot Password or Send Authentication Code or whatever mess - if you can remember your password, do that to save more time.
Still, the loop to hit up email is so fundamental now the rest are secondary options - these Magic Links should just be the primary base-level expectation. It's annoying when services don't even get this right though and return you to the site with either:
- a new form to enter the one-time code they just sent (just put it in the link)
- a new form to enter a new password (who cares, make that optional to the actual sign in, to save time next login)
- (worst offense): they don't even actually sign you in after those forms and you have to re-enter everything
Login should be "do you have an email address? Okay great you're in". Because there is nothing beyond that from a security perspective these days.
Identity is tricky. Proving who you are depends on a certain level of trust. Whether it's through email, devices, phones, or, in more advanced settings, some sort of digital certificate; you won't have much options.
Unless you're in Germany using a service provided by the Vogons, you might end up getting a letter containing an activation PIN via snail mail or worst having to visit the post office to show your passport.
The second component of this, for people that doesn’t care to do good track of their passwords, is that their email passwords are usually memorable in the wrong way. So both your mail and all the dependent services are all held together with the same weak clip.
Double factor improved a bit this, or at least made it harder to break into this to some of the players, and simplified the process for some others.
Email passwords is interesting one. As my feeling with something like gmail is that you insert it approximately once or twice per device... Which leads to weird dynamic that you have to recall it way too rarely for actually to remember it properly...
> The second component of this, for people that doesn’t care to do good track of their passwords, is that their email passwords are usually memorable in the wrong way. So both your mail and all the dependent services are all held together with the same weak clip.
The point is that they are already tied together because most sites allow password reset (or account recovery) via email.
It doesn't matter how securely your sign-on is designed, what identification token you are using (username, biometrics), what authentication mechanism is in place (passwords, MFA, yubikey, etc) if all an attacker has to do is type in the targets email and click 'forgot password'.
If your site allows password resets or account recovery via email, then the users account is still only as secure as their email password anyway. Adding yubikeys, MFA, authenticator apps, etc into the mix doesn't move the security needle a single bit at all.
The problem is just that despite all the advantages it would bring, people won't pay for auth as a service, where your identity is tied to accounts outside of an email address, and you (say) get a browser/phone notification to log in when you log in with MyAuthProvider and it's quick. They'd rather go through the email route, which is the same thing but slower and goes via Google.
I swear the McDonald’s app for the U.S. works like this on purpose. I’m prompted for my email then thus send me a link. They never ask me to set up a password.
> When I ask people why they do this, they either don’t have an answer, or respond with “huh, I never thought about why”. And that’s interesting to me.
I do this because I don't care enough about the particular account or use it frequently enough to manage put more effort into it.
Exactly, that should be obvious but it's just that they don't care enough.
My mother used to do that, until I teach her about bitwarden and it has completely changed her thought process. It's just that having to remember every password is impossible and they don't know about password manager.
Interestingly enough, that is the login flow Figma is using with my account. I provide my email address, and get an email that contains a linkt to log me in.
I remember having seen this idea at other places before. I don't really like it, because for me, using a password manager makes everything already quite convenient.
> I don't really like it, because for me, using a password manager makes everything already quite convenient.
How many people do you think use password managers? 1 in a 100? 1 in a thousand? Looking at the user counts for all the major password managers combined, the number looks more like 1 in a few dozen million.
We're a demographic that is smaller than the demographic of blind users. As a group, we're not even a rounding error. It makes no sense to optimise our group's workflow when the resources could be diverted towards making a better product.
After all, it's not like they lock out password-manager users completely.
I’ve seen sites that cut out the forgotten password step, or passwords entirely… email is the authentication.
1. Type in email address
2. Get sent and email with code
3. Enter code to login
While I can understand why someone might do this, as someone with multiple emails I kind of hate it. I had to add it to my password manager with the email and a note, so I remember which one to use and it’s not missing a password.
Keepassxc (and its browser extension) can do this easily. You just have to one time define that the website only takes a username field. After that it will autofill the correct email in the field.
Friction. When the username is an email address, 100% of people logging in have an email address. Telling someone they need to setup TOTP, especially if they have never done so before, is going to be a bridge too far for something they may only use once or twice.
One site I remember using this email code login was a small online store. If I was prompted to setup TOTP to buy something, I would have probably not bought anything. If my mom was prompted for that, she’d end up calling me, and I’d have to try to walk her through the whole thing… then I’d keep getting calls the next 5 times she’s had to login.
If the site gives directions on what to do, they will probably only be written targeting a single authenticator app. For people who don’t yet know that the apps are generic (in most cases), this can lead to a user having 3 sites setup in 3 different apps. It can become a mess very quickly.
I get this a lot because I use Mullvad 99%of the time. I hate it, but I put up with it because I don’t have much choice. I guess they’re flagging the “popular” ip address that I’m using.
We offered it on a site with a "guest login" where people redeem vouchers but might not want to make an account. So I think that's one valid use case. We need to associate the voucher with the email, so we need to ensure they own it by clicking the link, in case of support hassles down the line for lost vouchers. And if they make the account later they can see their old ones from before.
That’s the reason I can understand why they do it. It’s less information they are holding on to, and they effectively outsource authentication to the email provider.
> I’ve seen sites that cut out the forgotten password step, or passwords entirely… email is the authentication.
I do this with a B2B SaaS: an individual user would log in maybe once of twice every six months. Have passwordless logins means:
1. No added pressure on the user to remember a password for a service they use rarely.
2. Easier onboarding for companies, as they upload a CSV of all their users and their users can get to work immediately without being prompted to create a password, double-check it, confirm it, adhere to the rules, etc.
I don't like using links in emails, as they get 'clicked' by many phone apps when previewing, by corporate virus scanners, etc.
I have stopped giving websites money because the friction of using magic links was too much and I found alternatives that didn’t involve such a dumb login system.
My theory is if you can’t make a proper login system you’re skills probably aren’t good enough to deliver on what you’re promising. Magic links have turned from an annoyance to a filter for me.
"My theory is if you can’t make a proper login system you’re skills probably aren’t good enough to deliver on what you’re promising."
Using that logic, I wouldn't trust most websites I visit. Even FAANG companies with their billions can't do certain things properly. Even something reallly basic like focus the 2FA box when you ask for the code, don't make me have to click on it! Don't stop people pasting passwords, don't limit how long the password can be (within reason) don't say they can't use arbitrary characters like a - because "SQL Injection" and don't invent riduculous hurdles like adding random digits from a secret word as well as your password. If you are going to do that, just ask for two passwords or tell people if you choose stupid passwords, you will be hacked!
I like the password strength meter that doesn't block passwords that it has mistakenly decided are weak (20 random alpnanumerics) but instead estimates how quickly it could be hacked. People don't understand entropy but might understand "hacked in 5 minutes", they also don't want to be told that your password has to be at least 100 characters long with uppers, lowers, numbers, specials, klingon etc. If your system is that susceptible you are doing it wrong.
I would say a huge proportion of non-technical consumers do not use a password manager. By only offering password signup and not magic links/codes, I am probably making life harder for the vast majority of consumers.
Even if I offer both options, I would guess that I’d see more drop off during my signup flow by asking for a password as well as verifying their email. Not to mention the code is way simpler without dealing with passwords and multiple login flows for email.
I'm surprised we don't have a standardized, cross-browser, simple, email-based authentication system.
Basically something like this:
1. Website generates random string as challenge, sends to Browser, invokes API via JS on the client side.
2. Browser asks user to select the email to use, allows adding a new one.
3. Browser sends its auth token and challenge string to Browser Maker, Browser Maker verifies that the auth string is valid, signs email address and challenge with its public key, transmits signature back to Browser.
4. Browser sends data back to Website, Website verifies that the signature matches and that Vendor is trusted, lets user in.
As an extra precaution against Vendor being hacked, Email providers could implement support for the system. Compliant providers would handle the email verification flow themselves, informing Browser maker when done and sending an extra certificate. Websites would then refuse to accept any logins where Email Provider indicated support (via DNS records) but its certificate wasn't included.
This would also make the system usable in small (and therefore untrusted) browsers, as long as the email provider implemented support.
It would even improve privacy, Browser Maker and Email Provider would only ever see the random challenge string, which would make it impossible to track the websites you visit.
THe idea isn't hard to implement, we've had the tech to do it since the 90's (US restrictions on crypto notwithstanding). What we have instead is a mess of passwords that nobody can remember and proprietary authentication flows with horrible developer experience, terrible privacy issues and spotty website support.
I wish sites would acknowledge the need for a nerd mode that gets rid of all the stuff that annoys nerds and is essentially password or lockout, no resets. Enable reset methods or 2fa at your own whim.
For the rest you can do weird stuff that doesn't work on nerds.
Well, yeah, “magic link” is a thing and one of the easiest form of authentication supported by many providers, like Supabase, Vercel and libraries like Next Auth.
Another great side effect is that your backend doesn’t have to store user passwords which means removal of a lot of compliance headaches.
I am one of those people who always clicks "forgot password", and sorry but it's actually fine. I type a long, completely nonsense sequence of words and characters for my new password, then ctrl-c to copy, then log in with that password, and then promptly forget it.
It cannot be more secure to store it in a password manager than not to store it at all. The email recovery path exists in either case, so that part is a wash.
Any strong 2 factor authentication without the kind of high touch processes that a bank can afford is a corporate suicide pact. 10% or so of your users will be permanently locked out each year and once you get past the early explosive early growth phase that turns into a near steady state instead you get radioactive decay.
452 comments
[ 4.4 ms ] story [ 334 ms ] threadWhen designing a "fantasy football" alternate authentication system for the Internet, start with account recovery: what happens when a user loses your fancy authenticator? If the answer is "they just don't get access anymore" or "a panel of their peers attests to them", your fantasy authentication system also needs a fantasy species of sentient beings to serve as users, because it won't work for humans.
https://support.apple.com/en-us/102641
However, there needs to be a fiduciary interest by the third-party (eg liability for identity theft, etc) in order to incentivize them to avoid fraud. It is not clear that there would be enough profit involved to offset the liability.
> Decentralized recovery is a method of safeguarding a user's secret by distributing shares of that secret among multiple helpers, who store their individual share on their local device in order to help the user recover that secret in future. The shares are constructed under a threshold secret-sharing scheme (e.g. Shamir's secret sharing scheme), with a chosen threshold (defaults to half) -- at least three helpers must be present in order to use the protocol. Should the user lose access to their device, they can recover their secret data by retrieving the previously-distributed shares from at least half of their helpers. For successful recovery, the user only needs to recall the identities of half of their helpers and authenticate with them in-person.
[0]: https://www.youtube.com/watch?v=AcF4abPoveM
[1]: https://github.com/derecalliance/protocol/blob/main/protocol...
Sadly it's quite possible this will be a dramatized version of a real-world event. We've already seen quite a few messed up crimes to steal keys to steal crypto. Secret sharing just means you need to kidnap a few extra people.
Edit: OT but while I have a glimpse of your attention, kudos in order!! I love datasette and basically everything you write is highly useful to me!
However the utility is probably nil if there're no social features to begin with.
A lot of what? It seems like the worst of all worlds, given that ID would not only unlock some highly sensitive things, but also be difficult to change and tremendously revealing.
On one hand, the certs you'd use to login to websites wouldn't even need to include any personal info at all, just a valid signature from a CA that the website knows how to verify. And the certificate wouldn't need to be the same for every website, it could be one you generate for a specific website.
On the other hand, a lot of thought would need to be put into how expiration/renewal and revocation would play into this.
Of course there should be an evaluation of the ways this could go wrong if someone from the gov misuses this CA, and how that compares to someone from your current email provider misusing their permissions.
But if nothing else, something I really want is to just be able to have an email address like `random_id@my_country.my_country_tld`, to at least have an email address where I don't have to worry about being locked out, so that I can give freely to ISP, bank, grocery delivery websites, other local companies, etc. Most of this stuff I wouldn't even mind receiving as postal mail anyway. And if shit hits the fan, I can recover access to this email account by walking to an office and identifying myself.
But even if that single-address limitation were the case, the kind of places I would give it to already require knowing my national ID number anyway, so the two particular things you mention are already the status quo.
In other words, stuff that is already tied to having a verifiable citizenship.
It has it's pros and cons, maybe more pros if you factor in that the biggest issue isn't authentication really, it's the fact that all of these private companies accrue everyone's sensitive info, which can be abused by any actor, private or public. If data were kept on the client side, and synced to other machines through P2P like WebRTC, then maybe this wouldn't be such a big deal.
It supports the usual options for multifactor (TOTP, text, yubikey/other hardware auth/PIV cards) but for most users it probably ends up being SMS. At best TOTP.
wanting a Yubikey or similar,
and/or being able to use basic tools to make a key,
would also help.
But I'll take the government-led method as a Plan B, if it works.
Oh man, that sounds like a terrible idea privacy wise. Every website would make use of it to track it's user.
How it works under the hood? No specific idea. I wonder if its sound.
Again, it is a random token the card generates internally for each service. It is non transferable! If you get a new ID card, you can't use it login to whatever you used your old card for. (You would need something else... say an email :-) to tie the knot back to the old identity or whatever.) Which makes this function, the pseudonym function, very bad for random accounts (Edit: meaning longer lasting online identities like forums or whatever). I guess eaglemfo didn't knew.
It's more for like "yes, yes, I'm an adult, now give me this pr0n movie which I pay for with my anonym prepaid card" kind of deals.
A centralized authentication system like this wouldn't need to be a single consistent UUID per person which was then passed around. Presumably you'd have a central login to authenticate you to the system, and then the system could create separate 'id' tokens per web site or whatever that the user logs in to.
Identity is relatively solved, there are just lots of sacrifices made in security in the name of convenience.
Fingerprints as consent to login, Facial recognition as consent to login... seems more like a username, than a password, or a username+password.
This has largely been replaced by videochat for ID card verification where some underpaid person walks you through holding your ID card in front of your smartphone cameras to verify that it's real, not CG, not tampered with and matches your claimed identity.
The critical aspect here is that you don't have to hand your ID card (or a picture of it) to the company that wants to know your identity. The post office or the videochat provider serves as a trusted source of truth.
https://www.deutschepost.de/en/p/postident/geschaeftskunden/...
Stuff like national ID, banks, ISP, job search websites, doctor appointments, etc, require[1] having an email address, and it feels wrong using gmail and similar providers for these use cases that are already tied to you having a physical presence in that location anyway.
Could be provided by any local company, really, but postal services are not going to disappear anytime soon and they already have a second way of getting in contact with you if there's any issue (registered mail[2]).
Debit cards are already delivered through postal mail anyway, and there's not many things that are more sensitive than that.
[1]: Well, maybe doctor appointments don't require and only strongly encourage, but that doesn't affect the point too much.
[2]: https://en.wikipedia.org/wiki/Registered_mail
It’s a government in-person KYC.
I also don't really want to have to carry my green card around everywhere. Just one more thing that can be lost.
To travel internationally, a passport is required (not drivers licenses).
Assuming that this time the deadline doesn't get pushed back at the last minute again like has kept happening so far.
Those without acceptable identification may complete an identity verification process and face additional screening. https://www.tsa.gov/travel/security-screening/identification
I did it involuntarily because I forgot my wallet once, and decided “well, I’ll either get through and in my way, or I’m too late to drive home anyway and will miss” - and it worked fine.
Even crossed back into the USA without my passport a few times. Just additional screening and bitching is all (at least if you’re a US citizen; membership in the Empire has its perks!).
edit: Also also, they have to go into a physical post office and be observed trying to steal your account. Given how it's quite possible to steal accounts via social engineering, this seems like an improvement in security, not a reduction.
The social engineering attack surface of my account currently consists of a handful of support contacts at my ISP, who have been trained to deal with computer security. If you allow any USPS employee to access your account, you've suddenly increased the potential attack surface by several orders of magnitude.
(2) An entity you're directly paying to may go out of business, sometimes due to circumstances beyond their control. At least state-sponsored entities don't do it so abruptly in most of the "civilized world".
Besides, the french administration is providing its own global scheme for online authentication.
Right now it works for all public services, but it is also open to all willing businesses.
It makes it also very easy to control tightly what kind of information is distributed to various services and businesses.
https://FranceConnect.gouv.fr/ is the online auth provided by the administration.
Maybe we just ask for an open authentication system instead? Leave the email part to someone else… and maybe the open authentication can plug a crypto app/email/phone backend for recovery once it is setup. Heck, given that’s it’s the USPS, they will probably offer a snail-mail recovery option (for better or worse.)
I personally sign up to all online services with a different email each. I would like to be sure that my identity is hidden behind an alias for all services, so that they cannot be linked together. And if i want multiple accounts (for better or worse), i should be able to achieve that end.
The article seems to lean into security and usability concerns.
On the security front: the weak-point is still the human. If you hand over your credentials to someone nefarious, well.. you handed over your credentials to someone nefarious.
Usability isn't convincing me either. One of the great things about email is that it really is the lowest-common denominator, as another commenter mentioned above. (Almost) everyone, from kids to the most tech-inept luddite have some sort of email.
Self-hosting inbound email is trivial. Anybody will send email to any random domain, they're just not willing to accept it from random sources.
And the latter is what is relevant for password recovery.
I self-host inbound but use established servers for outbound through my ISP and have had no trouble with that setup for a while. Forwarding to people through my domain has gotten a bit more challenging lately but I've got it working well enough to satisfy gmail so far. (The advantage with forwarding is you only have to convince one server to accept it, not everyone in the world, and there's some crypto stuff involved now that involves trusting some keys, not just a domain or IP, which also helps a lot.)
In terms of authentication, this is not entirely true. It's less common these days, but I used to have a lot of trouble with sites rejecting my attempts to create accounts with e-mail addresses from my disposable-e-mail-generator of choice.
Well, I suspect those are more specifically blacklisted.
Not sure what kind of crap some folks are smoking, really.
That is simply not true. I have self-hosted email service and starting about 1.5 yr ago some big email services don't deliver emails to my server anymore. And there are many similar cases reported...
So one can say that even if an independent email service is willing to accept email traffic from any sender it does not guarantee that customers of all other services can have delivered their emails to addresses at the service.
It’s been phased out for the government provided login system which is much better but not exactly simple for laypeople to set up. On top of this, integrating with it requires an extensive certification process, it’s not just an open API.
Quoting "Foreign citizens in Sweden blocked from BankID after several banks roll out new rules" https://www.thelocal.se/20220117/foreign-citizens-in-sweden-...
> “We have been working systematically for six months to get residence permit cards, then a personal number, then a Skatteverket national ID card, and finally bank accounts. To our shock, we were just told by ICA Banken that the Skatteverket National ID – the only one available to non-citizens – is not a valid source of identification for BankID.”
BankID causes problems because it isn't designed for the interests of the whole population. For example, it requires proprietary software which only runs on Microsoft Windows, macOS, iOS, or Android, with hardware verification and Google services.
This makes it unacceptable to free software advocates, and to privacy advocates, and to national data sovereignty advocates .. the total population of which is so small as to not affect the banks' commercial interests.
One thing I learned recently is how the US can, with its control over the SWIFT banking network, tell banks in other countries to shut down the account for a local citizen who the US has designated a terrorist. At least that's what I gather from the news I read after two leaders of the biggest neo-nazi group here in Sweden were designated as terrorists by the US.
If the goal is to keep power out of government hands, don't look to highly-regulated banks which are subject to the whims of multiple governments.
To get a birth certificate, you must provide government photo ID with a name matching that of one of the names on the certificate you're trying to get. So you can get your own, or your child's, but not some random other person's.
Lots of people were born before RealID driver's licenses. Some of them went by names other than the names on their birth certificates, and thus are unable to get new copies of their birth certificates using the government-issued photo ID they currently have. E.g. I've got a grandfather who went by Sam his entire life but was apparently named Harold. His driver's license had Sam as his first name. If he had lost his birth certificate, he would not have been able to obtain a new copy legally using that driver's license! This still happens to people. Also sometimes house fires or similar disasters happen, and people lack the ID needed to get new government-issued ID.
It's not exactly a government service, but Clear is trusted by the government enough to allow their customers to bypass the airport screenings.
Sadly, the US government goes the other way and contracts out verification (to government websites!) to an invasive private company.
Finland tried to copy it, but the Finnish card (while based on the same technology) is used very little. Finnish banks already had their own OTP solutions, which they started offering for authentication on other web sites, so no-one wanted an extra authenticator on top of that. This of course means that you get phishing emails pretending to be from all sorts of government services, where the goal is to get your banking credentials and take your money.
Since then, mobile phone operators added their own authentication system based on credentials residing on your SIM card <https://mobiilivarmenne.fi/en/>. You prove your identity when getting a mobile phone contract and can then use that to log into many sites.
Not so much in the US though. They have no national registry of what citizens actually exist.
Over here in EU, we have something like it - you get an ID card that has two PIN codes that you can use with a card reader and some software to digitally sign documents and such: https://www.eparaksts.lv/en/ (of course, there's also a mobile version)
In addition, there now are services where you can log in to your bank account, confirm payments, or just log in to your government portal account with a two factor app, the account on which is based on your identity: https://www.smart-id.com/
So if I make a payment online with my card, I'll have to authenticate through either a code calculator (physical piece of hardware) or the phone app with codes that I've chosen, to confirm it. Same for logging into various sites, for example, for paying my utilities.
Works pretty well and if I lose my ID card, then I can get a new one, issue new certificates for the apps and continue where I left off (with the old ones being revoked). I might need a backup phone too, though, since not being able to confirm my payments if my phone breaks is pretty stupid (though I guess Revolut/PayPal/whatever still work as expected, unless I only have my OTP codes for those on said phone).
From that moment onwards, all the 2nd factor SMS OTP go to the attacker.
There are APIs that are provided by mobile operators via aggregators such as Telesign, Prove, Vonage, Twilio etc. that can be used to check if a SIM Swap has happened recently on that phone number. That API is used by fintech companies and others e.g. when they want to check if a fund transfer is to be allowed or flagged up.
Cloning your IMEI has nothing to do with the data that is on your phone, so if someone clones your IMEI it does not mean that they have access to any of the apps or data that is on your phone.
SIMs and SIM burners can be purchased trivially on the open market, and cloned without too much difficulty. Although, a social engineering attack on the employee at the cellphone store is a superior method since it automatically gives you a "known good" SIM with the operator's keys, etc.
While there are weaknesses, every mobile phone standard since GSM (not sure about the equivalent for the CDMA world) uses cryptographic authentication, many of which have been subsequently broken, but it's just not true that simple knowledge of a bearer token, transmitted over the air interface, grants you sufficient access to receive somebody else's SMS.
Most practical attacks actually focus on either attacking the core network via SS7 (and making it deliver SMS to the attacker instead of the actual recipient) or on breaking the air interface encryption, which requires you to be physically close to the legitimate recipient while they receive the SMS over the air.
You can change your IMEI to mine right now, and absolutely nothing would happen (other than maybe our phone operator getting mildly confused, if we share one and they're tracking IMEIs for whatever reason).
SMS are as secure as a letter compared to a postcard.
TOTP secrets are a string, not just a QR code that can only be seen once and never again - the QR code merely encodes that string! That string can be used in multiple places to generate codes. KeepassXC can do it and that can be shared. I've seen loads of organisations and sites with an elderly mobile phone that has the TOTP auth app on it. Normally MS Authenticator.
To add insult to injury, MS Auth can only have one account per email address (id@realm/whatever you want to call it).
PrivacyIdea can do email based TOTP with a PIN. That works well but does involve a two stage login with an email delivery in the middle.
I totally agree with you: the only useful delivery mechanism available is email. PGP was a nice idea and authenticator apps need to have their owner's heads bashed together to get proper interoperability sorted out. Trying to silo people in your "cloud" without interoperability with others is so sad and needy. If you don't have absolute confidence in your offering then you are shit!
I have a copy of all my TOTP generators (minus my dev Okta account) in a common authenticator app and an offline copy stored in an offline password manager, further replicated with an encrypted backup service.
I was able to create my offline copy in the first place thanks to a rooted phone to export what I already had up to that point out of the authenticator app.
Of course, the discussion starts to morph when we bring in the "un-phishable" software passkeys.
Enterprise TOTP apps like Okta and MS Authenticator have some enhancements. Push notifications are convenient when you have to access things many times a day. More importantly, push notifications with a number-matching confirmation reduces the chance of TOTP poaching, since the user themselves are interacting with the service requiring auth.
In enterprise environments, there should be a restore process for a lost phone or authenticator. Some kind of backup code with voice/manager approval, or coming into a physical office to reset credentials. This isn't available for regular people/regular retail services except maybe banks, but banks can't even do regular TOTP correctly.
TOTP was what really kicked me into thinking this way. They tried to make it "something you have". They tried to lock it behind apps and pretended really hard that it wasn't just a particular shared secret... but it is. It's just something you know.
The rule is, if it could be stuck in your password manager, it's a thing you know. That includes even things like Yubikeys, which are things that can be cloned and stuck in a password manager. They're just really, really hard to clone, and that's a valid step up from "a password". I'm not saying that the differences between all these "things you know" are irrelevant; they matter a lot. Having a password + a TOTP is a legitimate step up from having just either one alone. I'm just saying that analyzing things in terms of the other two factors isn't particularly relevant.
Of course if someone is memorizing the TOTP seed and generating the proof on the fly every time, then there's no shift in factor, but no one is doing that. And if they're saving the password on the same device that stores the TOTP code, then we're back to one factor, but now it's just 2x "something you have" at that point.
An attacker. Your knowledge is much less interesting that the knowledge the server has, which is what the attacker can obtain. Grabbing a TOTP key out of a database is not materially different than a password.
TOTP's different characteristics mean it's harder to intercept, but passwords tend to be stolen nowadays moreso than intercepted, if only because you can intercept only one at a time but can steal the entire database.
The different characteristics mean it can add a bit of utility to a normal password, but I think it's less night-and-day than it was presented as.
All the things around improving web authentication are just about people not having to memorize that something you know and protecting it against eavesdroppers.
That's reductionist way past the point of being a useful model of authentication factors.
By that logic, even biometric factors are "something you know", as you can always (with a lot of effort) physically replicate a fingerprint/retina/genome you have a sufficiently high fidelity recording of.
You clearly mean that as a reduction to absurdity, but, yes, I mean exactly that. Pretty much said so.
It is "reductionist" if you insist the only valid framework is "what have have/know/are", and you view what I'm saying as the intersection of what I'm actually saying and that model. I am claiming the have/know/are is reductionist, and to a large degree outright wrong, because it is focusing on the wrong thing. Look at it the way I'm looking at it and the authentication questions become richer and easier to understand.
Unfortunately, it also means that there's more things that are either hard or impossible than the have/know/are methodology promises, because two of the things that methodology promises effectively don't exist. (Unless you are controlling physical access, and willing to spend a lot of money on hardware and human verification of the correct use of the hardware.) But since I believe that is an accurate reflection of reality, blame reality, not the model.
While the "something you x" model has many limitations (and I practically disagree with some regulatory bodies on what does and does not constitute a "true" expression of one of these factors), I don't think that these limitations refute it in the abstract.
When this was discussed [1] on HN a few weeks ago, I don't recall anyone reporting reproducing it. Several people, including me, reported having many accounts in MS Authenticator that have the same email address with no problem.
The otpauth URI that is encoded in a TOTP QR code looks like this:
otpauth://totp/LABEL?parameter_list
The LABEL is supposed to serve as a unique identifier for the account. It has the format "Issuer:Account". The "Account" part is required. The "Issuer" is optional (and the ":" omitted if the issuer is not present).
The parameter list is an & separated list of name=value pairs. It includes the "secret" parameter which gives the TOTP secret. An optional parameter is "issuer", which should match the "issuer" part of the label if that is present.
It sounds like what is happening is that there are some sites who do not include the "issuer" part the the label, and they let the user use a user provided email address as the account name.
If a given user uses two such sites and provides the same email address to both, then there will be a collision. If they also do not include an issuer parameter an authenticator app has no way to know just from the data in the codes that they are from different sites.
[1] https://news.ycombinator.com/item?id=41275846
This has been my single biggest argument against blockchain/cryptocurrency stuff for years: the "lose your key, lose your wallet" thing is fundamentally incompatible with real users.
Humans need to be able to recover from their mistakes.
Quickly you end up in a situation that either starts to look like how financial companies keep their most high risk keys, or end up outsourcing the whole thing to something that quickly starts to resemble your bank.
So ultimately it's just like cash: Fine for small amounts. Risky, but maybe livable for somewhat larger accounts, or a giant headache that will probably bite you when you start looking at lifetime savings.
If I lose $1 note. It’s gone. If I recover it, then it’s no longer lost.
Of course you may choose to encode your wallet key on paper, metal, or stone granting it properties not unlike a note. However you have now compromised the security of your wallet as well it becomes no mere $1 note, rather it is a note that represents all or a significant fraction of your net worth.
But you’re reinventing money with extra steps.
But you gain some desirable properties over traditional money.
Without crypto, you don't have frictionless and permissionless transfers of arbitrary value across international borders.
Eg, if you shard a key into three pieces and each person carries one through security, did anyone actually transport the money through?
While an interesting difference to study, the average person is not going to care about the former case. They just don't want to keep their life savings in an asset as easy to loose as their pocket money.
Bring to where ? Are you mapping the crypto wallet concept to the physical wallet concept as a mobile storage concept ?
All your money is the limit, however you store it.
you didnt need to bring a case of cash to buy anything before the 20th century
[1] - https://en.wikipedia.org/wiki/Aureus
(Of course it’s a bit more complicated: https://commons.wikimedia.org/wiki/File:ICCard_Connection_en... – but still impressive nonetheless!)
What most bitcoin fans seem not to understand is that for the vast majority of people, transactions being reversible by authority figures is desirable.
Yeah, but if I lose the physical 100$ I am carrying, that doesn't prevent me from accessing the rest of my cash stored elsewhere.
I've never lost access to the rest of my cash stored elsewhere.
Maybe the issue is trying to force one solution for everyone.
https://www.norfolksafe.com/
Ideally, you connect Vault to a HSM if you need that kind of security that’s being described. HSMs are electronic safes
The website says "10 minutes against forced entry". That's not safe.
No safe is safe against a state level actor. No safe is safe against "hit you with a crowbar until you open the safe".
Whatever secrets you have, it's better to hide them than to put them in such a conspicuous place. The only reason one should use a safe is as a plausible decoy...
If you have state level actors physically breaking into your facilities then we might be at war
I am referring to Shamir algorithm that Vault uses
By geographically distributing your signing devices you improve both security and reliability. One of those keys can be hosted by a third party to be used for recovery, without providing them any ability to touch your funds without your involvement.
This would make currency fundamentally incompatible with real users. Reality says otherwise.
If I have a duffel bag of money, it is obvious that physical possession of the bills means I can access its value. Anything negating that possession would cost me my money. I should probably keep it away from open flames and water; but it's not going to spontaneously combust. A thief would need to physically take the money in the duffel bag for me to lose the value.
Meanwhile if I store Bitcoin on a USB drive the drive might randomly fail and I lose all my money (because I'm actually storing a key to access it) even though I still have the USB stick. The solution is to back up my key in multiple places simultaneously, which doesn't make sense to most people (how can money be in two places at once?)
If I plug the USB stick into the wrong computer, someone can steal all my money (because they can find out what the key is) without me ever losing the USB stick.
Virtually every human on Earth understands the notions of object permanence and that objects can be exchanged for other objects. This is intuitive from evolution and actual monkeys can comprehend physical currency.[1] I don't see how cryptocurrency can be on that level.
[1]. https://www.zmescience.com/research/how-scientists-tught-mon...
In reality I've found a lost wallet and helped return it to its owner. At least twice, actually. Both times because there was an identifying name in the wallet.
Then there's the time as a kid when we found $60 on the floor at a department store, and turned it over to lost&found. I remember it because the store had a policy that if cash hadn't been claimed for a month, then the person who turned it in got it. Which we did.
You're allowed to store your key at the bank if this is an issue for you. It's less secure than memorizing it, but obviously equally as secure as your bank account is.
Multisig is a pretty common setup for crypto and there is software that makes it easier.
And to think the conversation started with an observation that people can't even remember one password.
A safe deposit box may be affected by other things and if those things happen they don't have to "make it right", if you go to the courts and make your case you may find that they are not at fault and you are not owed any compensation.
There is a long history here of once trusted institutions turning out to be fraudulent.
By making a bank the custodian of your crypto wallet, you're placing your trust in them and should have similar legal recourse you would have had with a fiat deposit.
As far as I know all the cases of stolen crypto have been newly founded companies with their only business being your crypto. That is quite unlike the other kind of bank.
Even if you are referring to digital storage managed by the bank, presumably competently enough to avoid data loss, if that data is exfiltrated your wallet will be drained. It would be very difficult for a hacker to irreversibly drain your bank account (given the type and terms of the account, but will apply to most savings accounts), due to the protection and delay systems in place meant to catch fraudulent or unauthorized activity. Note that this definition of “unauthorized” actually means “not authorized by the human being who owns this account”, instead of the crypto definition of “not authorized by someone who knows the correct secret”.
>This has been my single biggest argument against fiat currency stuff for years: the "lose your money, lose your money" thing is fundamentally incompatible with real users. Humans need to be able to recover from their mistakes.
And yet, for the very longest time, it was the default position for humans.
Humans have been unable to recover from mistakes since day zero
Digital things, not so much. I'm a professional in the field, yet I've lost digital data in the past few years. Normal users who work in other fields? Lost cause.
Yes obviously if your money is completely burned then it's gone, but that is generally pretty unlikely to happen. Losing your digital key is many orders of magnitude more likely to happen in my opinion. And there is - by design - absolutely no way to get it back. That makes using blockchain for anything serious completely untenable in my opinion.
"No redemption will be made when (...) Fragments and remnants presented which represent 50% or less of a note are identifiable as United States currency but the method of destruction and supporting evidence do not satisfy the Treasury that the missing portion has been totally destroyed"
Not that unlikely, in my opinion.
Which is (one reason) why most people use a bank account and don't hide their money in big bundle of cash under their pillow?
Maybe it's my memory playing tricks, or I've only seen the good articles, but I believe nearly every single article about setting up a self-managed crypto wallet had stressed out the importance of having a backup. Serious ones had even explained the 3-2-1 rule. Then the hype came, with it came scams and pumps-and-dumps and NFTs and whatever, and crypto became a clusterfuck that a lot of people didn't want to touch. Yuck.
That's probably the one thing cryptocurrency communities undeniably got right. Quite unlike the Passkeys, where I've yet to see any official or semi-official demo site that even has a flow for adding a second token (some actual sites do, but not the demos).
We should start teaching basic backup strategies in schools. It's not some advanced rocket science, and it's a knowledge that's useful to anyone who deals with information (that is, literally anyone participating in the modern society).
Also, this user unfriendliness is extremely temporary, because computers and Internet are new (at the scale of societies), and there are plenty of folks who had only started to use them later in their lives. After you lose some file or account (ideally, as a kid, so it's not something serious) you start to understand the old adage about those whose do backups and those who don't do them _yet_.
As for email... Sure, I guess it depends on the service and their policies. But here's an anecdote. A few years ago, I've managed to log in in to a completely forgotten 10+ years old email account, finding its password in an old backup. It worked. ¯\(ツ)/¯
If an user cannot log in with a valid credentials, without brute-forcing them, after some years of absence, it's absolutely the service's fault. Of course, in the modern world, customer issues mean nothing so anything goes. But -quoting GP post - when designing a "fantasy football" alternate authentication system for the Internet, this probably shouldn't be a thing.
yes, the advice about wallets is “make a backup”. the advice about passwords is “don’t reuse them”, yet the VAST majority of users use the same password for banking, email, and their phone provider. so what do you think the chances are that your average user makes a backup of their wallet AND remember where it is in three years?
pretty much zero.
Yes, this is why it is incompatible with widespread adoption. Most people do not want to do this, and in fact could not do so effectively without learning and thinking a good deal more about computers and risk scenarios, which they don’t want to do and will not do.
You are correct that it is a solution. However, it is not a solution that will ever be adopted on a wide scale.
Yes, and I think that's not because they don't want to do it but because:
1) they don't know that they should do this; 2) they don't know why should they do this; 2) they don't know how to do this; 3) because even the systems marketed as current state-of-art (Passkeys) are poorly designed and don't even allow to have proper 3-2-1 backups conveniently (can't enroll a device sitting in a safe, it must be physically brought online which beats the whole point of offsite backups).
Design it to make backups and failover secure yet easy, available out-of-box, and explicitly recommending best practices to follow - and everyone will do it as a no-brainer, at least for anything they care about.
Until recently no one told people to not reuse passwords. Even today most password-based signup forms just ask for password and maybe tell the requirements (length, characters) but extremely rarely they explain anything about uniqueness, randomness or anything else. No surprise it sucks hard in practice, when nearly everyone ignores the education aspect.
People aren't stupid. At least in general. They're just blissfully unaware about a lot of things, especially the older generations. What is impossible in real world is designing a fantasy football nanny authentication system to "safeguard" them, without making a lot of undesirable sacrifices. We manage to explain people to not poke with scissors into electrical outlets (and make it hard to do so accidentally) - we can manage similar stuff with computers too.
I don't think this is a good analogy, because the example is simply warning people of a thing not to do. It takes no effort. Maintaining backups does take effort. This is more like getting people to pick up a new chore, just like how many people see interacting with their bank and financial services as a chore.
Many people who work in IT (or are into computers as a hobby) discount the effort it takes, because there is a lot less friction between them and computers than for the average person.
> even the systems marketed as current state-of-art (Passkeys) are poorly designed and don't even allow to have proper 3-2-1 backups conveniently (can't enroll a device sitting in a safe, it must be physically brought online which beats the whole point of offsite backups). Design it to make backups and failover secure yet easy, available out-of-box, and explicitly recommending best practices to follow - and everyone will do it as a no-brainer, at least for anything they care about.
People have been saying this for a long time. "We just need a better system!" The system doesn't exist because people don't want a system that requires effort. It requires effort to protect a secret that, if leaked or lost, would irreversibly result in your financial ruin. It requires a lot less ongoing effort (to a non computer savvy person) to use financial institutions to store their money securely.
People will choose the system that safeguards them and makes sacrifices that many computer security and freedom oriented people will find undesirable. This is demonstrated by the choices that people have repeatedly made.
The idea is that user shouldn't have any friction, besides meeting minimal requirements: 1) being capable of reading (or otherwise accessing the text) and comprehending simple instructions; and 2) having certain minimally required hardware or software installed.
I'm sure this is doable and every primitive to build this already exists and vetted by competent people. I'm sure it's possible for a layman non-technical person with normal cognitive capabilities to have a safe authentication solution (which is very different from data backups) with full ownership of their identities and credentials.
Sure there are people that cannot read or cannot comprehend things. A lot of people. I've seen way too many folks who had simple and clear ELI5-grade instructions with zero technical jargon - and nonetheless had failed to follow them because "computers hard". In some case it's the fault of UI or UX, but I strongly believe in most cases it's just learned helplessness - "computers are not my thing and they're hard" and brain shuts off instead of even trying to read. The only solutions are to 1) make them actually interested in achieving their goals (worked for my dad - man went from "I don't know and don't understand [and 'I don't want to' in the tone], order this for me" to suddenly figuring it all out and placing online orders in just a few minutes as soon as he actually needed something when I wasn't around to help), and 2) make sure they have all materials accessible, well structured and covering as many possible scenarios as possible so it's all there the moment they snap out of their learned helplessness. Nothing else works as it is fundamentally impossible to design anything that would work even if people don't read and don't think.
I have some sketches in my mind, specifically focusing on use by laypeople without making compromises about fundamentals (like what is identity - a lot of modern auth perverts this concept badly). I'll give it a try someday, actually drawing it all and writing notes on the inner workings. Wish there'd be a ten of me and we'd have 240 hours a day... Sorry.
> This is demonstrated by the choices that people have repeatedly made.
I'm afraid this is a very bad attitude to follow. The choices people had repeatedly made got us in quite a bad place. Just look at the poster child - IoT - it's a complete disaster. Online auth is in a very similar poor and messed up state, it just less visible.
I wish you luck in your development of such a system. I don't disagree with anything you said about learned helplessness, and I think it can be fruitful to push individuals or groups to overcome it, but I think trying to do that to the general populace is like trying to change the wind.
People should have a choice which system suits them more.
This is simply about what choice the majority of people have made, and likely will continue to make.
Possible disapproval by fine HN community.
https://news.ycombinator.com/item?id=41173227
The problem though is that since one has a number of passwords which may be different but closely related, a human may be able to infer a few possible passwords from a few compromised ones. In other words it still dramatically shrinks the key space an attacker might want to try to brute force. Preventing re-use is then a problem for 2fa regimes.
For my part I won't use passwords I cannot memorize and keep memorized in relation to the web site.
With cryptocurrencies at least you have an option, you can leave it at a custodial wallet that can manage some of the security for you or you can have a non-custodial wallet.
No password to remember and supports this "pattern"
I've seen a couple of enterprise/corporate services switch to the "OTP via email" pattern (usually as mandatory 2FA), and I hate it, because there's no way for me to autofill that email OTP, unlike for e.g. WebAuthN or TOTP.
With the - "we banned your account for no reason, and you have no way to appeal and we don't even tell you why we banned you" flagship provider email account caveat.
People have lost Gmail accounts over some YouTube comment.
Lost my phone couple of times and was able to restore authy from backup ok.
Except when the service throws you back to the login page to authenticate with a fresh password you just typed in the reset form.
Doesn’t this answer the question? I would have preferred to read and discuss what they believe to be better alternatives.
See, thoughts like that turn into billion dollar valuations at Series B for, among other things, a login button that emails you a login link, taking advantage of people's tendencies towards behavior like this:
https://stytch.com/products/email-magic-links
https://stytch.com/blog/announcing-series-b/
(Or maybe turn into Tell HN posts on common SaaS vulns, like https://news.ycombinator.com/item?id=33162854, but point is lots of companies offer this including most SaaS-y IdPs, search: passwordless email magic link, it's not new: https://auth0.com/blog/auth0-passwordless-email-authenticati... ...)
A) Go to website, click through a password manager to copy and paste an arbitrary string of characters, receive TOTP request sent to your email to confirm your identity.
Or
B) Go to website, click forgot my password. Receive link to login. Enter an arbitrary string of characters.
In many instances, login flow B is actually quicker and seldom slower.
Clicking the “remember me” checkbox has no effect.
Here’s my workflow, and I consider it superior to both of the above.
Go to site, Safari offers to autofill, give TouchID/FaceID, get asked for a 2 factor code.
Sent via SMS/email? Safari offers to autofill for me. TOTP style? Safari offers to autofill for me.
Easy peasy.
Passkeys are even easier as there is no second step and waiting for SMS/email.
People who don't use something which integrates with the browser. People who run into the (uncommon but noticeable) edge cases where the password manager decides to not auto fill the password.
But I don’t think normal users want ones that don’t sync or integrate with the browser. I believe you can turn both off for Safari but that defeats the whole purpose in my mind.
I suppose the reason is because the Bitwarden option is cross platform and I don't want to sync two password managers.
However when using Bitwarden the recent guidance is to turn off autofill[1] but even with it enabled it sometimes breaks hence my “seldom” caveat.
I am heavily biased to prefer passkeys but as with magiclinks before them saw the rollout was badly botched. Specifically with regards to supporting multiple keys and revocation[2][3]. The standard supports correct implementation but don't require it; meaning most current rollouts are half baked and will remain that way.
[1] https://flashpoint.io/blog/bitwarden-password-pilfering/
[2] ie: https://www.reddit.com/r/yubikey/comments/14h0d7y/single_key...
[3] https://news.ycombinator.com/item?id=40165998
Me. I don't know of any other LAN-only method that works consistently across my various desktop and mobile devices.
I do! And way more than I would like, because for some reason it's "modern" to have a login flow that first requests your email, and then you have to click next for it to request your password...
Not even gonna go into detail about all the other cases like websites that have such bad field identification that the password manager has no clue where to put the username/email or 99% of sites that don't have autocomplete="one-time-code" on the 2FA field so now you have to copy paste the 2fa.
Plus all the android buggyness where the auto-complete from the password manager just doesn't show up at all so you have to switch apps and copy/paste the credentials manually... when it works (and doesn't clear the fields as you swap between apps... I swear built-in chrome windows is a mistake).
I have to do it on my bank's website every few months.
There's a reason for that, and it's not because of 'trendy', it's because the backend will examine the email address and decide which password authentication mechanism the user chose: FB/Google/etc, or authenticator app, or plain old password, or some third-party SSO provider, etc.
I do.
I’d prefer my passwords, foundational identity documents, and other sensitive information are as separate as possible from the place where I execute untrusted remote code a bazillion times a day. Making it programmatically available is the opposite of separate.
> In many instances, login flow B is actually quicker and seldom slower.
And B) can be accessed whereever I have email and doesn't need either an app or my phone which may or may not be on my person.
Because of the developers of these apps assuming that E-mail guarantees instant delivery (it doesn't), I can't use greylisting, which reduced spam very significantly.
An email ties a user to a domain, the domain issues a user for them. If too many users from a domain are malicious, the website can block the domain.
It's a matter of identity and accountability.
And then the unsubscribe, close account, or basic support is all locked behind the login, or it's an international phone call. As far as I know, even if it's my email it's not legally my account so signing in would be illegal.
Obliterates all sense of security beyond the email account itself, but that's where we're at anyway. Do the same pattern with a message to your phone "click to authenticate login: www.someurl.com?p=134234535" and you've got 2FA without any dumb "enter this code".
But it's slow compared to my PW manager just autofilling a user/PW combo, since I have to wait for the email and go click the link.
It's a bit annoying, since I don't want to login into the gmail in-app browser, I want to login on my regular browser.
This is I think why unsubscribe links now have a single button saying “Unsubscribe” or similar when you press them. Likewise anything interesting should require a 2nd user action after loading the page.
Personal favorite? Send a 6-digit code with ~1h expiry, exchange for a refresh token and keep the session for a long time. If you have really high value irreversible actions then you can just confirm with a new code.
Also works if mail client is on a different device.
Why make things worse for your users?
Magic links can be more like convenience links, not secure, or security.
1. Nearly every online service needs some sort of "forgot password" flow, and often times that flows boils down to what is essentially a magic link like TFA is about.
2. The vast majority of users these days use either personal email accounts from one of the big providers (Google, Yahoo, MS), or they use corporate accounts often through a hosted solution. 9 times out of 10 I'd bet the email provider has better security than whatever rinky dink website you may be creating an account on.
Emailing magic links is essentially "poor man's SSO". It makes much more sense IMO to have super secure email accounts (e.g. ideally with passkeys) and then just use magic links for everything else.
Magic link is effectively passwordless login, behind a facade outsourced to a third party provider.
Passwords are much more actual consent, than clicking on a link in an email account that might be open on a screen or device... not always.
SSO is technically easier than poor man's sso, it's just one click once logged in. Magic links make me switch a screen to make it easier for the developers of Magic Link to not implement SSO.
Fingerprints are a username, not a username+password. It's super convenient, but well established not secure.
Face-ID logins are more a username, should not be a username+password - selling it as secure is not ideal, but it is super convenient.
SMS verifications too, are a little weak, since SMS' generally are like post cards. But they are very convenient. Until someone does something to get malware into your phone, or your phone number itself which seems to happen so often.
Now, magic links are very convenient. And definitely can remove friction to you know, get a user onboarding to the point of adoption.
Please never do this short amount of time. Email isn't reliable time-wise for delivery. You have systems like Postgrey (one of the basic spam protections for email servers) and deliberately pretends the email server is offline for emails from new servers until they server retries a set number of times.
Not to mention if your email ends up in a corporate quarantine until you can request it released.
So if someone finds out your password for a certain site is `Facebook1234ABCD` they have a fair guess at every other password?
Same applies for `MyPasswordFB` using the reverse method.
It can go two ways depending on your preferences: use a shorter passphrase generated from a large dictionary; a good one can be obtained from 1password:
https://1password.com/txt/agwordlist.txt
https://1password.com/password-generator
or a longer passphrase from a short dictionary including only the most common words, like the EFF one:
https://www.eff.org/dice
https://secure.research.vt.edu/diceware/#eff
I don't use either generator, preferring a local command:
wrapped in a small helper script with desktop notifications and copy-to-clipboard.a message to your phone "click to authenticate login
Should be both code and a link (enter 1234 or click <url>), because it’s not always the phone you’re loggin in on.
Please, for the love of god, just let me use my username/email and password. Have the magic link for the dummies that don't use a password manager if you have to, just let me do the username + password way.
Using a work computer that you don’t want your personal email downloaded on?
Using a computer you don’t use often and don’t feel like setting your mail client up?
Still, the loop to hit up email is so fundamental now the rest are secondary options - these Magic Links should just be the primary base-level expectation. It's annoying when services don't even get this right though and return you to the site with either:
- a new form to enter the one-time code they just sent (just put it in the link)
- a new form to enter a new password (who cares, make that optional to the actual sign in, to save time next login)
- (worst offense): they don't even actually sign you in after those forms and you have to re-enter everything
Login should be "do you have an email address? Okay great you're in". Because there is nothing beyond that from a security perspective these days.
Unless you're in Germany using a service provided by the Vogons, you might end up getting a letter containing an activation PIN via snail mail or worst having to visit the post office to show your passport.
Double factor improved a bit this, or at least made it harder to break into this to some of the players, and simplified the process for some others.
The point is that they are already tied together because most sites allow password reset (or account recovery) via email.
It doesn't matter how securely your sign-on is designed, what identification token you are using (username, biometrics), what authentication mechanism is in place (passwords, MFA, yubikey, etc) if all an attacker has to do is type in the targets email and click 'forgot password'.
If your site allows password resets or account recovery via email, then the users account is still only as secure as their email password anyway. Adding yubikeys, MFA, authenticator apps, etc into the mix doesn't move the security needle a single bit at all.
I do this because I don't care enough about the particular account or use it frequently enough to manage put more effort into it.
My mother used to do that, until I teach her about bitwarden and it has completely changed her thought process. It's just that having to remember every password is impossible and they don't know about password manager.
I remember having seen this idea at other places before. I don't really like it, because for me, using a password manager makes everything already quite convenient.
How many people do you think use password managers? 1 in a 100? 1 in a thousand? Looking at the user counts for all the major password managers combined, the number looks more like 1 in a few dozen million.
We're a demographic that is smaller than the demographic of blind users. As a group, we're not even a rounding error. It makes no sense to optimise our group's workflow when the resources could be diverted towards making a better product.
After all, it's not like they lock out password-manager users completely.
1. Type in email address
2. Get sent and email with code
3. Enter code to login
While I can understand why someone might do this, as someone with multiple emails I kind of hate it. I had to add it to my password manager with the email and a note, so I remember which one to use and it’s not missing a password.
Why email then? Why not some other, better protocol?
Why not just use a TOTP at that point?
Friction. When the username is an email address, 100% of people logging in have an email address. Telling someone they need to setup TOTP, especially if they have never done so before, is going to be a bridge too far for something they may only use once or twice.
One site I remember using this email code login was a small online store. If I was prompted to setup TOTP to buy something, I would have probably not bought anything. If my mom was prompted for that, she’d end up calling me, and I’d have to try to walk her through the whole thing… then I’d keep getting calls the next 5 times she’s had to login.
If the site gives directions on what to do, they will probably only be written targeting a single authenticator app. For people who don’t yet know that the apps are generic (in most cases), this can lead to a user having 3 sites setup in 3 different apps. It can become a mess very quickly.
This isn’t where you put in a username and password, then get an email code prompt because something looks off.
In the case I’m talking about, the user has no password. This is just the way it is, VPN or not.
I do this with a B2B SaaS: an individual user would log in maybe once of twice every six months. Have passwordless logins means:
1. No added pressure on the user to remember a password for a service they use rarely.
2. Easier onboarding for companies, as they upload a CSV of all their users and their users can get to work immediately without being prompted to create a password, double-check it, confirm it, adhere to the rules, etc.
I don't like using links in emails, as they get 'clicked' by many phone apps when previewing, by corporate virus scanners, etc.
My theory is if you can’t make a proper login system you’re skills probably aren’t good enough to deliver on what you’re promising. Magic links have turned from an annoyance to a filter for me.
Using that logic, I wouldn't trust most websites I visit. Even FAANG companies with their billions can't do certain things properly. Even something reallly basic like focus the 2FA box when you ask for the code, don't make me have to click on it! Don't stop people pasting passwords, don't limit how long the password can be (within reason) don't say they can't use arbitrary characters like a - because "SQL Injection" and don't invent riduculous hurdles like adding random digits from a secret word as well as your password. If you are going to do that, just ask for two passwords or tell people if you choose stupid passwords, you will be hacked!
I like the password strength meter that doesn't block passwords that it has mistakenly decided are weak (20 random alpnanumerics) but instead estimates how quickly it could be hacked. People don't understand entropy but might understand "hacked in 5 minutes", they also don't want to be told that your password has to be at least 100 characters long with uppers, lowers, numbers, specials, klingon etc. If your system is that susceptible you are doing it wrong.
Even if I offer both options, I would guess that I’d see more drop off during my signup flow by asking for a password as well as verifying their email. Not to mention the code is way simpler without dealing with passwords and multiple login flows for email.
Basically something like this:
1. Website generates random string as challenge, sends to Browser, invokes API via JS on the client side.
2. Browser asks user to select the email to use, allows adding a new one.
3. Browser sends its auth token and challenge string to Browser Maker, Browser Maker verifies that the auth string is valid, signs email address and challenge with its public key, transmits signature back to Browser.
4. Browser sends data back to Website, Website verifies that the signature matches and that Vendor is trusted, lets user in.
As an extra precaution against Vendor being hacked, Email providers could implement support for the system. Compliant providers would handle the email verification flow themselves, informing Browser maker when done and sending an extra certificate. Websites would then refuse to accept any logins where Email Provider indicated support (via DNS records) but its certificate wasn't included.
This would also make the system usable in small (and therefore untrusted) browsers, as long as the email provider implemented support.
It would even improve privacy, Browser Maker and Email Provider would only ever see the random challenge string, which would make it impossible to track the websites you visit.
THe idea isn't hard to implement, we've had the tech to do it since the 90's (US restrictions on crypto notwithstanding). What we have instead is a mess of passwords that nobody can remember and proprietary authentication flows with horrible developer experience, terrible privacy issues and spotty website support.
For the rest you can do weird stuff that doesn't work on nerds.
Another great side effect is that your backend doesn’t have to store user passwords which means removal of a lot of compliance headaches.
It cannot be more secure to store it in a password manager than not to store it at all. The email recovery path exists in either case, so that part is a wash.
There is a tiny link at the bottom that allows you to sign with a password, which I prefer.
I will share this great innovation of mine:
The location.hash is not send to the server. You can javascript it into a POST rather than a GET.