21 comments

[ 3.3 ms ] story [ 43.1 ms ] thread
Quite funny. Amusingly, the self-portrait method is effectively the signatures we considered acceptable for financial and legal transactions for many decades - make up a scribble and compare it to a scribble you do previously - if it's close enough and you _seem_ to be the guy, we're good.
> make up a scribble and compare it to a scribble you do previously

I'll take "Lies that your parents told you about how the world works" for 500, Alex.

Serious question though, I thought the whole signature thing was more of a legally binding thing for the signer asserting themselves as X, sort of like checking the "I'm over 18" box. Sort of a "Well we asked you the question, it's not our fault if you lied" type thing.

A fingerprint locked NFC Yubikey seems to be the preferred with all ages at work. Everyone likes it as long as it is once per login to the computer (which basically means we have to use Edge for everything which is fine).

Everyone universally hates passkeys because they never work right.

Except for those whose fingerprints don't work (climbing wears away fingerprints). I have even heard of people struggling to renew their passports because of difficulties getting their fingerprints read.
> Everyone universally hates passkeys because they never work right.

I’m considering a passkey deployment. What sort of issues did you encounter?

Tied to the browser and did not travel with the user across devices and apps. It's that way by design.

An authenticator device is agnostic, transportable and can be backed up (or a secondary added)... sometimes. Implementations can suck (looking at you, my bank that only allows one key)

These are such terrible ideas that I expect someone already has one of them on github.
> When I tell people I work on authentication software, I nearly always hear some version of the same story: I hate multifactor authentication. No, really. People hate this stuff.

I hate all of the half-cooked non-TOTP MFA methods that I'm forced to use. Just let me use my freaking authenticator app. If you believe that your users prefer (or maybe it's just you?) more databroker-friendly methods, then fine, but please at least provide TOTP as an option.

Yes, for the love of god and all that is holy, just let me use TOTP for MFA. I absolutely HATE that some banks use SMS as a method of MFA. Sometimes it's a mix of 8 character numeric password with SMS as MFA.
totp is still terrible, still phishable, more annoying to enter or use. it's only tolerable because it's better than the other methods you might see (email, sms, custom app), but imo it also falls into the half baked category behind things like passkeys.
Poker hands would pretty cool for encoding things that you have to recognize quickly; e.g., key fingerprints. If there are 2.5M unique hands then encoding 256 bits of information requires 12(ish) poker hands.
One aspect I find puzzling is why most two-factor authentication (2FA) applications restrict authentication to only a single valid code at any given time. This constraint inevitably creates a window during which it is inconvenient or impractical to copy the code to another device. Allowing the previous code to remain briefly valid would eliminate this unnecessary delay, enhancing usability without significantly compromising security.
Why do we like entropy in auth factors?
Pedantry warning: I'm not convinced that some of these methods qualify as a second factor of authentication, based on the "something you know, something you have, something you are" model. They're both "something you know", right?
That is actually multifactor. Second factor is just any additional factor.
I know that the article is a joke, but the last one is (or was?) actually used by Facebook as a forced mfa when it suspected a correct login to be "suspicious".

Of course, it's also a way to force users to tag their contact's photos and train Facebook's face detector by holding your account hostage until you comply, similar to those CAPTCHA street view challenges.

Besides, it only works if the attacker is a stranger, if it's an acquaintance (or a very dedicated stalker) then it doesn't work so well anymore.

The problem with multi-factor authentication is its overuse. I would also hate physical keys if every single door I came across required me to unlock it.

When you already have so many logins that you start using a password manager, your passwords are already high entropy enough that they don't get brute forced and a leak doesn't compromise your other accounts. TOTP adds challenge response to this, so it is actually a bit better than a password since an interception cannot be reused, but they are both still shared secret and in both cases need to be stored in some other device (password manager vs TOTP code manager). For most logins that don't require real security I just use my password manager for both so it is just a disjoint shared secret approach. Nevertheless, TOTP "increases security" for websites (but not my security specifically) because the shared secret is generated by the website owner so is definitely unique and not reused unlike many other user's passwords.

I expect the majority of people are storing their TOTP secrets on the device they are logging in from (their mobile device) and so have single points of vulnerability. So multifactor auth is typically just a disjoint shared secret with a partial challenge. The extra security is just created because the website forces true random shared secret. We could have all this with a single factor.

The only 2FA I'm using is the one of my bank, because I must (there are regulations.)

I stopped logging in into GitHub since they enforced 2FA on my account. Luckily no current customer of mine is using GitHub. They are on Bitbucket and it does not require 2FA yet.

A number of services that I use ask me to enable 2FA. I skip the offer everytime.

The worst 2FAs are SMS based: not because of the (in)security of SMSes but because I don't receive SMSes when I'm outside of my country.

Please, non of these. Just a QR code with an authenticator app of my choice.
> It's incredibly easy to remember your hand. Just ask any of your friends that play poker -- they can surely remember a bad beat. And it's pretty much impossible for an attacker to guess.

There's an implication here that users would pick a random hand. I'm sure a set containing all flushes, straights, full houses and four of a kind would account for most of the used passwords.

I would want X.509 client authentication. You can use a passworded private key if wanted (and the server will not need to know your password), and there are other benefits with security and other stuff, compared with the more common 2FA and cookies and that stuff. It also ensures better that the client and server are communicating with each other that they want to rather than someone else that they don't want, then merely using X.509 server authentication only.