> 2. People don't have their phone on them all the time (and some don't even have a smartphone).
I live in rural Western Australia with almost zero phone coverage, and this is a huge problem. I'm terrified of all these services wanting my phone number, or bugging me to turn on phone 2FA, because the moment that happens, I lose access to that service.
ChatGPT that everyone is spamming on every discussion? I can't even sign up for it (I'm not really bothered about that; it seems more like a dangerous crutch than a useful technology).
The problem is the developers have smartphones, their friends have smartphones, their bosses have smartphones and their clients have smartphones. Everyone they know has a smartphone and lives in a place with reception. So they don't or can't imagine something different.
I have a common name, so a ton of people think they have my email address when logging into things. I suspect this triggers 2FA much more than normal as I am constantly logged out of things and have to use 2FA to log back in. Lately I had a pretty funny series of events.
I kept the number from the last country I lived in solely for 2FA of accounts from that country, and after almost a year I've managed to change over most things but not all. A week ago I decided to change that physical SIM to an eSIM as I only need to enable it occasionally. I did the process for this, and at the end I got a link to the last country's app store. The only way to install the eSIM is to use this app, and it is only in the last country's app store. I haven't logged into that for a while so it needed email confirmation. I haven't logged into the associated Gmail address for a while so that needed 2FA confirmation by SMS. So I'm now locked out of an email address, Apple ID, and phone number.
I'm in a similar boat. Not so much service, but I move around internationally and change SIMs a lot. I don't even have a SIM most of the time; I'm on Wi-Fi 99% of the time.
Don't want to pay outrageous fees for Google Fi or the like, as literally all I need it for is to get into online banking (who have decided SMS 2FA is now compulsory, without offering any other options like an authenticator app). I'm currently locked out of my bank, will have to fork out $50+ just to call them, then hope I can convince them I am who I say I am. Then do the dance again next year when they do it again.
Last I checked, they were asking for $20 / month for unlimited calling and texting. Do you consider that outrageous?
As an alternative, Google Voice will host your phone number for free. It works with every WiFi connection and even while traveling internationally. Have you considered that?
Can't you find a cheap prepaid provider that has roaming access? Since you're not going to be making calls, the balance drain should be minimal, although you still have to top up a certain amount (depends on the carrier) to keep the SIM active.
I have a dumbphone. Until recently I could not care less about losing it. But I realised that since it's not PIN protected (I could, but don't want to do it), losing it is a security issue. People can find my phone, match my phone number to my email address using leaked data, try these credentials on different services and wait until they get a password reset SMS.
So by forcing me to add my phone number some services actually decrease the security of my account.
>I have a dumbphone. Until recently I could not care less about losing it. But I realised that since it's not PIN protected (I could, but don't want to do it), losing it is a security issue.
This really isn't a dumbphone-specific issue. Even for smartphones, if someone stole it they could pop out the SIM and, if it isn't password protected (most aren't, IME), they'll have full access to your phone number.
Making phone numbers required for signing up was only nominally to improve security. Overall, it’s a net negative for privacy and security, and only benefits the service provider by allowing them to track you (they can buy data on that phone number and create a profile on you) + reducing the number of people calling/emailing them because the user is locked out of their account.
>I live in rural Western Australia with almost zero phone coverage, and this is a huge problem. I'm terrified of all these services wanting my phone number, or bugging me to turn on phone 2FA, because the moment that happens, I lose access to that service.
Have you tried enabling Wi-Fi calling or switching to a carrier that supports it? At least for my carrier and iOS, you can send/receive SMS messages (yes, the green bubbles) through Wi-Fi.
For some weird reason, when I'm travelling with Wi-Fi calling, receiving SMS messages is a crapshoot. I basically don't get them if they're sent by a gov agency, bank, etc.
I do still get them from Android phones. It's weird, I have no idea why.
Unfortunately this point is a bit of FUD about Passkeys (or just off topic). Passkeys themselves don't require internet access. Syncing them across devices might require internet access in the same way that password managers might require internet access to sync across devices.
Living on a boat last year, I had a similar problem: we had internet access, but no phone service. Getting into my bank account, or any financial account, became a righteous nuisance; I had to drive inland until I found cell service, use my phone as a hotspot, attempt to log in, then wait for the SMS. Realize after getting home that there was another bill to pay? Oops, guess you're driving back into town again!
FWIW, ChatGPT asks for your number just as an "are you a human" method. It never uses it for 2FA (at least never for me), so as long as you have service the one time you're signing up, you'll never get another OTP challenge.
If you don't have a smartphone, or your phone cannot connect to a service, why is authentication a problem? If you don't have network access you lose access to the network; this isn't exactly a surprise.
> If you don't have a smartphone, or your phone cannot connect to a service, why is authentication a problem? If you don't have network access you lose access to the network
It might seem surprising these days, but the parent poster might have network access through means other than a phone.
In rural areas you can be in an area where you have a gigabit fiber connection and no cell service at all. Wi-Fi calling being added to the main carriers has been a game changer for rural access.
Every company's customer base is going to look different. This requires research, and developer empathy and life experience cannot substitute for research.
> it seems more like a dangerous crutch than a useful technology
Not to sidetrack, but could you expound further? I struggle to reach the blanket conclusion of “not useful”.
I don’t really see how it’s a crutch, more than any other assistance tool like Google, StackOverflow, code-completion or actual docs. Hallucination is a separate problem, which is solved by using fine-tuned models.
> Hallucination is a separate problem, which is solved by using fine-tuned models.
They won't solve the main cause of hallucination: the prompt has zero connection to the generated text other than probability.
ChatGPT does not generate answers; it comes up with something that looks like an answer. There is a good chance it is the answer, but you can't guarantee it.
I believe this particular problem won't be solved, unless researchers teach machines how to reason. But then we would have greater concerns than hallucinations.
What I find more annoying is the aggressive insistence of bigcorps to do everything possible with 2FA except actually just use the damn 2FA code I already have set up in my password manager. SMS, emails, pushing codes to random devices I'm logged in on, whatever.
I recently got a pair of YubiKeys… they have been around about ten years already and support industry standards. Guess how many services I use support them? A smaller fraction than I'd like.
My employer had a program where you could put in a request and get a free YubiKey. Turns out they basically only work with Chrome (no Firefox, no terminal-based auth), so none of my team actually ever uses theirs because it's not really more convenient.
I think this article misses the mark in a pretty big way.
It starts off by saying the problem with WebAuthn is lack of widespread support, which is fair now, but not a fundamental unsolvable problem. WebAuthn/Passkeys are pretty new - essentially less than 12 months old (since iOS 16 GA). Google.com added support this year, and Apple.com is adding support this year. iOS 17 adds support to the system frameworks to let third party apps (like 1Password) store and sync Passkeys.
But my biggest objection is with saying all problems of passwords are "solved by fairly simple password hygiene". Apart from the "if everyone just did the correct thing we wouldn't have any problems" declaration, IMHO the main advantage of Passkeys is that they eliminate phishing as a possibility due to the public/private key cryptography.
Passkeys just entirely eliminate classes of problems with passwords by shifting the burden of security from the user to the tech itself.
I remain skeptical that Passkeys will end up with widespread support, and I think it's too early to tell how it'll go, but all signs are pretty promising. I hope Passkeys work out.
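To make the "eliminates phishing" claim in the comment above concrete (and the earlier point that a passkey needs no network to sign), here is an added example that is not from the thread or from any WebAuthn implementation. It models, in Go with only the standard library, the three things that give a WebAuthn assertion its phishing resistance: the credential is scoped to an rpId, the browser (not the page) writes the real origin into clientDataJSON, and the relying party checks challenge, origin and rpId hash before verifying the signature. The names `examp1e.com`, `getAssertion`, `verifyAssertion` and `scenarios` are constructed for the example; real WebAuthn responses are CBOR with COSE keys, flags and a signature counter, which are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// clientData: the clientDataJSON fields that matter here. The browser, not the
// web page, fills in Origin, so a look-alike site cannot claim another origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is a cut-down authenticator response; AuthData is modelled as sha256(rpId) only.
type assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// browserAllowsRPID models the user-agent rule that rpId must be the origin's host
// or a suffix of it (simplified; browsers also consult the public suffix list).
func browserAllowsRPID(origin, rpID string) bool {
	u, err := url.Parse(origin)
	return err == nil && u.Scheme == "https" && (u.Hostname() == rpID || strings.HasSuffix(u.Hostname(), "."+rpID))
}

// signedDigest is what the key signs: sha256(authData || sha256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// getAssertion plays navigator.credentials.get(): the browser checks rpId against
// the real origin and builds clientDataJSON itself; creds maps rpId -> key, so a
// credential made for "example.com" does not exist for any other rpId.
func getAssertion(creds map[string]*ecdsa.PrivateKey, origin, rpID, challenge string) (assertion, error) {
	if !browserAllowsRPID(origin, rpID) {
		return assertion{}, fmt.Errorf("browser refuses rpId %q for origin %q", rpID, origin)
	}
	key, ok := creds[rpID]
	if !ok {
		return assertion{}, fmt.Errorf("no credential for rpId %q", rpID)
	}
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(rpHash[:], cd))
	return assertion{rpHash[:], cd, sig}, err
}

// verifyAssertion is the relying party's side: the challenge it issued, the
// origin it serves, the rpId hash, and finally the signature.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Challenge != challenge:
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	case cd.Origin != origin:
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", cd.Origin, origin)
	case string(as.AuthData) != string(rpHash[:]):
		return fmt.Errorf("rpIdHash mismatch")
	case !ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature):
		return fmt.Errorf("bad signature")
	}
	return nil
}

// newChallenge returns a fresh random challenge; the RP issues one per login attempt.
func newChallenge() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand only errors if the system entropy source fails
	return fmt.Sprintf("%x", b)
}

// scenarios runs three constructed cases: a genuine login, a look-alike origin asking
// for the real site's credential, and a captured assertion replayed against a fresh
// challenge. Only the first verifies; the other two come back as errors.
func scenarios() (legit, phished, replayed error) {
	const rpID, realOrigin = "example.com", "https://example.com"
	const lookAlike = "https://examp1e.com" // constructed look-alike, not a real site
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // error only if rand.Reader fails
	creds := map[string]*ecdsa.PrivateKey{rpID: key}           // registration; the RP keeps the public key
	ch := newChallenge()
	as, legit := getAssertion(creds, realOrigin, rpID, ch)
	if legit == nil {
		legit = verifyAssertion(&key.PublicKey, rpID, realOrigin, ch, as)
	}
	_, phished = getAssertion(creds, lookAlike, rpID, newChallenge())
	replayed = verifyAssertion(&key.PublicKey, rpID, realOrigin, newChallenge(), as)
	return legit, phished, replayed
}
```

The point the three scenarios make: the look-alike site never even gets a signature, because the browser refuses an rpId that does not match the page's real origin, and even a captured genuine assertion is useless elsewhere because the challenge and origin it was signed over are checked server-side. No secret is typed, so there is nothing for a phishing page to capture. Signing needs no connectivity at all; only the challenge exchange with the relying party does.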
What I find increasingly annoying is third parties (i.e. those whose primary service isn't to provide authentication or MFA, specifically) trying to route me through their mobile apps for a second factor.
For example, GitHub and Google (via their Gmail mobile app) are constantly nagging me to open their apps for certain actions such as modifying security settings on a GitHub repository or even just logging in to Google Workspace.
While certainly more secure than SMS, I'd like to use an authenticator app of my own choosing for that process (e.g., 1Password or Authy). While that's still possible, UX-wise that requires an additional step and possibly also brings about the risk of being flagged by some internal fraud detection system.
To me, this feels like they're trying to promote their apps and increase user retention and interaction by means of what superficially looks like a beneficial security feature.
I use 2FA for GitHub with KeePassXC, on my desktop. I don't have a GitHub app on my phone. You can set up a TOTP app for GitHub without their mobile app.
The argument that passwords are acceptable as long as everyone practices good "hygiene" strikes me as having many parallels with the argument that C code is memory safe as long as it is written properly.
I'd rather just have memory safety built in to the language I'm using—I'm not sure exactly what the equivalent is for passwords, but I don't think I would oppose it.
> I'd rather just have memory safety built in to the language I'm using—I'm not sure exactly what the equivalent is for passwords, but I don't think I would oppose it.
It's a hard problem. I don't think passkeys really are the solution long term, they just sweep the problem under a corporate rug and ignore that people will still use them inappropriately.
Not really, to some extent some amount of collateral damage is necessary for a free and open society. I don't want to live in a nanny state that decides everything for me.
But somehow the same people arguing for ultimate freedom and OSS are also arguing for centralization of passwords into corporate controlled infrastructure.
I'm somewhat at a loss on how to argue on these issues. You want to hand over control over your key infrastructure to big tech and you want the average population to do that as well? Go ahead. Most people on iPhones already use Sign in with Apple with Apple's 2FA system anyway, so it won't matter to them.
But why encroach on me and force me to use it to protect me from myself?
> they just sweep the problem under a corporate rug and ignore that people will still use them inappropriately.
Can you expand on these 2 points? I'm still trying to wrap my head around passkeys and these are some of the arguments I see around but never quite explained.
Of course passwords are fine. What's not fine is getting billions of people to change their behavior and switch to and use a password manager (that's not Chrome).
You could even argue passwords are better than passkeys for those with strong password hygiene. However, when it comes to the masses, the convenience-security tradeoff of something like passkeys is always going to be better. And for the nerds and geeks, passwords are not going to disappear anytime soon.
Not the parent, but the problem is that Chrome (sub. Firefox and Safari; these are problems with pretty much all browsers) isn't a password manager, it's a password autofiller.
The result is that what should be crucial things like "how do we ensure permanency of the passwords file" are treated as very second rank - profile corruption usually is met with "remove the entire profile", which also ditches the password database. Literally every other password manager has some sort of tool available that makes it very clear where your data is stored and emergency backup options.
Chrome also doesn't like it if the login form doesn't look like most other login forms (and because this is the internet, you're gonna at some point run into weird login forms). It also can behave really funny if the site combines the user registration form with the user login form (which a lot of webshops do) by putting the autofill information in the registration form instead of the login form.
Add to that a very subpar experience in manually filling the right fields and "why not Chrome" should have a very clear answer.
This isn't a great answer, but I've never liked Chrome password manager because I feel like a password manager is something I want to pay a company for, not a service I want to be given for free. Somehow, it being a free feature that's bundled with my browser makes me not trust it. (Again, not claiming this is a great reason not to use it)
Not sure if it is what the GPP is referring to, but I prefer to keep a larger gap between my browser and password manager to reduce the potential spread of difficulties if the browser falls foul of a security vulnerability. The risk of this happening is of course small, it would require significant bugs in a couple of different places, but the potential damage is high. Firefox's password manager, or those built into any other web UAs, I'd be wary of for the same reason rather than it being specifically an anti-chrome thing.
An air gap would be preferable still, as that would protect from similar issues at the OS level, but that is another step or few into less practical (well, significantly more inconvenient) territory. I at least have my master password on a USB device (and backed up by other physical means in case that dies) which is only plugged in when needed, that is effectively an air gap when I don't leave the password manager unlocked between uses.
As a user I just despise MFA. I hate having to keep my phone with me while I work. I hate the disruption in flow logging into everyday services like AWS.
But MFA is not supposed to replace your password. It’s in addition to it, and if it’s implemented correctly, only on new devices.
Once you’ve done the second factor dance on a new device once, and assuming the MFA setup has been done well, you shouldn’t need to reach for the MFA code again (at least, not often).
In reality, the vast majority of services ignore that principle and MFA is a never-ending daily nightmare. It feels like I can't even take a leak without the phone now.
In my opinion 2FA is one of the best use cases for a smartwatch, and at least Authy supports that use case; it's so much better than looking for where I put my phone...
I don't despise all inconvenient things. I don't mind carrying house keys. It's just a question of whether you value the security enough to make it worthwhile.
Security is inconvenience, therefore the role of security is to find where the limit is. Because afterwards users will start to search for shortcuts, which usually makes the systems even less secure.
> 2. People don't have their phone on them all the time (and some don't even have a smartphone).
Even if people have their phones all the time there's always a possibility that components on the device might suddenly fail.
The charging port in my iPhone stopped working one May morning and thus the device died. I temporarily lost access to most of the apps, incl. 2FA code generators, for about a month. Luckily one of the service centers was able to find the component and replace it cheaply.
Can we all just do authenticator apps?
You can even have the authentication app on your laptop so you don’t need to switch devices (1Password at least supports this).
I frankly am baffled by the allure ... of letting opaque computational systems perform intellectual tasks for them. ...when it comes to using language in a sensitive manner and talking about real-life situations where the distinction between truth and falsity and between genuineness and fakeness is absolutely crucial, to me it makes no sense whatsoever to let the artificial voice of a chatbot, chatting randomly away at dazzling speed, replace the far slower but authentic and reflective voice of a thinking, living human being.
https://www.theatlantic.com/ideas/archive/2023/07/godel-esch...
Passwords are so much better.
At least my password isn't changing anymore but I never understood that policy if you made a strong password. It was overkill.
Some websites still require it though, and that's nonsensical and annoying. Just randomly generate one and keep it in a password manager.
And for services (like AWS) that don't (yet) support passkeys, a hardware token like a YubiKey is also an option.
I use a desktop app for most time based authentication tokens, there are plenty that sync up across mobile and desktop.