This amazing impromptu interview is a great example of why anyone building or using a centralized web-based service needs to switch to a passwordless authentication system, ideally supporting hardware tokens like a YubiKey. Your grandma can't be scammed out of her password if there is no password or SMS 2FA or anything like that to give the person on the phone scamming her. I hope new systems like Passkey become ubiquitous. Sure, if you use Google or Apple for your keystores it's not ideal, but still a big improvement. And there's no lock-in saying you HAVE to use a hosted keystore/password manager; it's an open standard with multiple open-source implementations. </end_rant> https://passkey.org/ nostr:note14qremgdht7kpvymmaezhds2wmw42l89z0hcspjg2n4cn6ljcu5vsn0nush
Seems that people are getting sour about passkeys: https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/ which is a shame IMO. I agree with the criticisms but still prefer them to email+pw.
Very interesting. I'm sorry to hear the browser big tech vendors are shitting it up, but I'm still hopeful. The root problem seems to be the apple/google browsers and key managers. I agree with the author that using a third-party key manager with Passkey support like Bitwarden is the way to go. It's not perfect but still much better than using passwords. I guess we'll see, for now I'll still support Passkey or any other passwordless auth whenever I can.
Yes to everything in this thread. Passkeys sound nice on the surface but I am very skeptical of the protocol complexity and perverse incentives of big tech companies driving the effort. I believe nostr is the best model but we have so much more work to do to properly secure, make available for signing, and rotate private keys. Also, one last thought. The kid in the interview is exploiting boomer information asymmetry. The folks getting hacked A) trust random strangers on the phone and B) have little or no awareness of the security models they are operating under. The hacks will continue until a generational shift occurs that closes these gaps. This will absolutely limit the growth of cryptocurrency and bitcoin in particular. You witness this phenomenon in action every time someone voices the belief that crypto is all scams. These people are directionally correct, but they don't understand the root causes. They also don't understand the extent to which the legacy financial system is all scams. It will take a long time for these biases to fade. Mostly, it will happen one death at a time.