OMG! Password resets!

And yet it can’t cross the Google/iOS divide.
It works fine on both platforms; the issue of it being unusable as an authenticator with Google's and Apple's account systems is a Google and Apple failing.

Microsoft made its systems compatible, so you can use Apple and Google authenticators with all their junk.

I fear this is a space where regulation will be required.

P.S. Amazon's auth process is the largest joke in the history of jokes... it's just so horrifically poorly designed I have to assume someone was making it a joke on purpose. I'm not watching the bulk of that video as a result. That's not what passkeys are. They are NOT a replacement for passwords; they are MFA to get an authtoken to start with and should be "single factor" in effect.

But they can't be because insurance companies... again... regulation.
 
I think you have misunderstood my point. If I have an Android phone and I get a new Android phone, all I have to do is log in to my Microsoft Account and I can recover my tokens. If I cross the river and switch to an iPhone, I can't access them. For whatever reason, on iPhones Microsoft is using the iOS keyring to store the data.

I'm sorry, but you are wrong. Passkeys are intended to be a replacement for usernames, passwords, and MFA alike. That's the pitch. And before you say it, yes, that's not as secure as using it as just an MFA process. Passkeys are supposed to be a compromise between convenience and security that will provide better protection than passwords alone. The point is to make the process so stupidly easy that it gains traction as the default login process.

But for that to happen, a truly universal login process and storage/access system that works the same on all devices and is fully transferable to new phones has to be adopted. Which we all know will never happen. So passkeys are doomed.
 
No...

Passkeys are FIDO2 keys, little more. They just gained the ability to transpose text input so crap sites that only have password controls can work with them. It's MFA in motion naturally, because you need something you are, or something you know, to decrypt the tokens; then the token is passed to the identity provider. Every use of them is supposed to be MFA, but they AREN'T, because companies like Amazon have garbage authentication systems. The key exchange is all they need, but it's not all they are requiring!

Microsoft is using Apple's keyring to store tokens because Apple demands such behavior. So if you want to complain, again... blame Apple. This is the consequence of a walled garden.

But you know what is perfectly portable right this second?

A password manager, locked behind a master password made out of a passkey input token.

The only problem is the training required to use it.
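As an added example (not code from any poster in this thread), here is the "key exchange" side of a passkey login the post above refers to: the relying-party checks a FIDO2/WebAuthn assertion has to pass, written in Go with only the standard library. The authenticator, the relying party ID example.com, the origin https://example.com and the function names are all assumptions made for the demo; the authenticator is simulated in software rather than being a real key. The flags byte is what carries the "something you are / something you know" factor: user presence (a touch) versus user verification (PIN or biometric), and the relying party decides which it requires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Flag bits of the authenticatorData flags byte (WebAuthn, section 6.1).
const (
	flagUP = 0x01 // user present: someone touched the key
	flagUV = 0x04 // user verified: PIN or biometric unlocked the private key
)

// Assertion is what navigator.credentials.get() hands to the relying party.
type Assertion struct {
	ClientDataJSON    []byte
	AuthenticatorData []byte // rpIdHash(32) || flags(1) || signCount(4)
	Signature         []byte // ES256 over AuthenticatorData || SHA-256(ClientDataJSON)
}

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator is a constructed stand-in for a FIDO2 key; the browser supplies rpID, origin and challenge.
type Authenticator struct {
	priv      *ecdsa.PrivateKey
	signCount uint32
}

func (a *Authenticator) Sign(rpID, origin, challenge string, userVerified bool) Assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	flags := byte(flagUP)
	if userVerified {
		flags |= flagUV
	}
	a.signCount++
	authData := append(rpHash[:], flags, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(authData[33:], a.signCount)
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return Assertion{cd, authData, sig}
}

// RelyingParty holds what the site stored at registration: the public key and last counter.
type RelyingParty struct {
	ID, Origin string
	RequireUV  bool
	pub        *ecdsa.PublicKey
	signCount  uint32
}

// NewChallenge issues a fresh random challenge; the site must remember it per login attempt.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	return base64.RawURLEncoding.EncodeToString(b)
}

// Verify performs the relying-party checks for a login (authentication) ceremony.
func (rp *RelyingParty) Verify(expectedChallenge string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if subtle.ConstantTimeCompare([]byte(cd.Challenge), []byte(expectedChallenge)) != 1 {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rp.Origin {
		return errors.New("origin mismatch: browser was on another site (phishing)")
	}
	if len(as.AuthenticatorData) < 37 {
		return errors.New("authenticatorData too short")
	}
	rpHash := sha256.Sum256([]byte(rp.ID))
	if subtle.ConstantTimeCompare(as.AuthenticatorData[:32], rpHash[:]) != 1 {
		return errors.New("rpIdHash mismatch: credential is scoped to another RP")
	}
	flags := as.AuthenticatorData[32]
	if flags&flagUP == 0 {
		return errors.New("user presence not asserted")
	}
	if rp.RequireUV && flags&flagUV == 0 {
		return errors.New("user verification (PIN/biometric) required but not performed")
	}
	// Check the signature before trusting the counter or anything else in authenticatorData.
	cdHash := sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], as.Signature) {
		return errors.New("bad signature")
	}
	count := binary.BigEndian.Uint32(as.AuthenticatorData[33:37])
	if (count != 0 || rp.signCount != 0) && count <= rp.signCount {
		return errors.New("signature counter did not increase: possible cloned key")
	}
	rp.signCount = count
	return nil
}

// NewDemo registers one freshly generated P-256 credential with one relying party (assumed names).
func NewDemo(requireUV bool) (*Authenticator, *RelyingParty) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	rp := &RelyingParty{ID: "example.com", Origin: "https://example.com", RequireUV: requireUV, pub: &priv.PublicKey}
	return &Authenticator{priv: priv}, rp
}

func main() {
	auth, rp := NewDemo(true)
	ch := rp.NewChallenge()
	good := auth.Sign(rp.ID, rp.Origin, ch, true)
	fmt.Println("genuine login:     ", rp.Verify(ch, good))
	fmt.Println("replayed assertion:", rp.Verify(rp.NewChallenge(), good))
	ch = rp.NewChallenge()
	fmt.Println("phished login:     ", rp.Verify(ch, auth.Sign("evil.example", "https://evil.example", ch, true)))
	ch = rp.NewChallenge()
	fmt.Println("touch without PIN: ", rp.Verify(ch, auth.Sign(rp.ID, rp.Origin, ch, false)))
}
```

Nothing in Verify asks for a password: the challenge, origin and rpIdHash checks are what make the credential phishing-resistant, and the UV flag is the "second factor" that unlocked the key. A site that accepts the assertion and then still demands a password or OTP is adding a factor the protocol already covered.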
 
The point is to make the process so stupidly easy that it gains traction as the default login process.

To which I say, because of how this is going, and has pretty much always gone: Good luck with that.

People are ready to ditch anything for additional convenience, but nothing whatsoever that's been offered since I started in IT in the mid-1980s has been as easy and consistent as username and password. That actually matters, and matters more than pretty much all other factors combined.

If you can't "gain traction" it's game over. And traction will not be gained via regulation, because those doing the regulating have to support what it is they're intending to make mandatory. I don't know of anyone who's a man/woman on the street or in the office (and that includes insurance execs) who finds ANY of these modern authentication methods acceptable for daily use. That matters a lot, probably more than any other single factor. Whatever is used has to be able to be used easily and consistently, not be able to be lost, and people have to like it.

No one's ever put it better than this:

In a democracy only those laws which have their bases in folkways or the approval of strong groups have a chance of being enforced.
~ Abraham Myerson
 
For my personal accounts, I have what I consider to be "root accounts", which would be email, password manager, and anything used for SSO.

They are password protected, and are set up with 2 different FIDO2 hardware keys, as well as TOTP, for MFA options.

None of this information is stored on a computer anywhere. TOTP key isn't in use, password manager doesn't have these passwords saved. Phones are not used as hardware keys.

But I'm also paranoid about losing access to these accounts. Everything is written down, MFA backup codes, my not-in-use TOTP key, etc.

Everything else is in 2FAS and password manager. I'm more concerned about easily transferring all of that between phones. Microsoft Authenticator doesn't necessarily restore everything you backup.

Also, the web app I created had no user passwords. I'm not keeping a database of user passwords to be breached. Let's face it, someone's reusing their password. You need either a Facebook, Microsoft, or Google account to log in. Though I wish there were some kind of blockchain directory or something so that any provider could be used, instead of having to rely on big tech.
 