Can sites PLEASE adopt better security?
Yeah, I said it. I've been eager to encourage FIDO authentication in some form on the modern web, as I feel physical security offers some immediate and intuitive benefits.
Passwords are stupid
Passwords are fundamentally a clunky and unpleasant method of authentication. Normal people do not memorize them, and yet we still have a culture built around them. Nobody ever knows their passwords, so they fall back on easy-to-remember, insecure ones, and insecure passwords that are reused end up in data breaches. What do you do about that?
Password managers are an effective solution to act as a stopgap for the crappiness of passwords, but ultimately even a secure, randomly generated password is just one form of authentication. We need multiple factors!
The way 2-factor authentication works is that it demands factors of more than one type, so that compromising any single method is not enough on its own.
- Something you know
- Passwords, usernames, passcodes
- Something you are
- Biometrics (face ID, touch ID, voice)
- Something you have
- Broad definition, but this is often phone 2FA apps and security keys
All of these have their drawbacks:
The way we currently do two factor authentication sucks
SMS 2FA
- It sucks
- It's inconvenient
- It demands a strong cellular connection
- It's wildly insecure
SMS 2FA, i.e., getting a one-time code texted to your phone, just sucks in general, and its consistent use across tons of mission-critical services is a nightmare. I don't really trust it because of how exploitable it is, and most people do not enjoy the process. It leaves a bunch of one-time texts from random six-letter senders strewn all throughout your messages.
Timed one-time passwords
- It's really easy to implement
- Straight improvement over SMS 2FA with little technical burden
- It lets you use your existing phone or computers
TOTP has its own weaknesses, but it strikes a nice balance. If you store TOTP codes on your phone, it lets you easily secure things behind a device you generally carry around 100% of the time. To get at a phone's 2FA, an attacker would have to unlock the phone, which has become increasingly difficult. At the end of the day, however, it's not impossible and probably never will be. Fundamentally, there's always the risk of a phone being unlocked or your TOTP seeds being snatched.
Physical tokens
- People treat physical items in a more secure fashion intuitively
Most normal people have a certain sense of security when it comes to items like their wallet and keychain. If their Yubikey or similar item is attached to their keychain, they will often naturally protect and secure them from attackers.
- No network functionality
It's a lot harder to breach a security key, steal what it holds, or exploit it remotely when there's no networking functionality whatsoever. This makes it a safe bet against remote exploits.
Digital Passkeys
- It's fundamentally waaaay more pleasant than usernames and passwords
- A single key that you don't memorize but have stored in a password manager
With passkeys, a site stores a public key that you generate, and you personally store the matching private key. This means that even if the website in question is breached, the attacker gets only the public key and can't do anything with it without the private key to match.
Passkeys pair naturally with biometric identification. Together they are BY FAR the most convenient methods, as they're fairly low-tech and easy to implement, don't require you to obtain physical items, and are well-implemented within phones. However, like physical tokens, a lot of websites just don't care to implement the standard.
Yubikeys use passkey technology as well, with the trade-offs of being physical.
Biometrics
- By far the most intuitive and pleasant
- No need to carry anything around
- What are the security flaws?
- You cannot change biometrics. Your hands/face/voice cannot be drastically changed.
The problem with physical tokens
- It's another item to keep track of and potentially lose
- It's annoying as hell to have to get up and find your Yubikey if it doesn't happen to be near you
- SITES don't work properly with it!!!! DIE DIE DIE
- Implementations are all a mess
This hurts adoption! What the hell am I supposed to do when even sites that advertise support for Yubikeys, like Apple's own website, don't work properly with them? It's unreliable and frustrating.
All methods are INCONVENIENT and ANNOYING
- Normies turn this stuff off. I feel as if the future of authentication is one where the Apple approach of passcodes/biometrics + keychain/password management + passkey standards is the most transparent and easy to remember. The situation needs to change and I'm really frustrated with the inability to comfortably use my Yubikey everywhere.