by nothrabannosir 2371 days ago
After talking this through with many non technical people, I have become of the opinion the shame is ours. Why do we keep pushing this patently unsafe authentication mechanism? It should never have been allowed in the first place, but now with hardware keys readily available there really is no more excuse. I understand there is a first mover disadvantage to disallowing password-only auth, but that’s on us. Our collective timorous prevaricating is to blame for the misuse of passwords by end users. Because, unlike them, we do know better.

It's a shame that operating systems exist with no functioning system-wide API for authentication, let alone storing passwords.

That would change things.

Just look at how Apple now inserts long random passwords in registration forms and immediately saves them. That's how users will use secure authentication. By helping them, not telling them to do better on their own.

Hardware keys get lost; what is the fix for that?
Backups. Either by backing up the data, or by enabling several tokens for the same service.

The problem is that the first one is frowned upon for good reasons (but maybe not as good as they seem), while nobody supports the second one. So, yes, currently depending on hardware keys is dangerous.
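The second option, several tokens registered against one account, can be sketched in code. The block below is an added example for this thread, not code from any commenter, product or standard. It models a toy relying party where an account holds any number of registered authenticators, a login must answer a server-issued challenge with one of them, a lost token can be revoked without locking the user out, and a signature counter that fails to advance is rejected. The HMAC "signature" is a stand-in for the public-key signature a real FIDO2/WebAuthn authenticator would produce; all names (`Token`, `RelyingParty`, user and credential ids) are constructed for the example.

```python
"""Toy relying party allowing several hardware tokens per account (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Token:
    """Simulated hardware token (hypothetical). On a real device the private
    key never leaves the hardware; here a shared secret plays that role."""
    credential_id: str
    secret: bytes
    counter: int = 0  # monotonic use counter, as FIDO authenticators keep

    def sign(self, challenge: bytes) -> tuple[bytes, int]:
        self.counter += 1
        msg = challenge + self.counter.to_bytes(4, "big")
        return hmac.new(self.secret, msg, hashlib.sha256).digest(), self.counter


@dataclass
class Credential:
    secret: bytes          # would be the token's public key in a real deployment
    last_counter: int = 0  # highest counter seen; a lower value means replay or clone


@dataclass
class Account:
    credentials: dict[str, Credential] = field(default_factory=dict)


class RelyingParty:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.pending: dict[str, bytes] = {}  # one outstanding challenge per user

    def register(self, user: str, token: Token) -> None:
        """Enrol another token; nothing limits an account to a single one."""
        acct = self.accounts.setdefault(user, Account())
        acct.credentials[token.credential_id] = Credential(secret=token.secret)

    def new_challenge(self, user: str) -> bytes:
        ch = secrets.token_bytes(32)
        self.pending[user] = ch
        return ch

    def authenticate(self, user: str, credential_id: str, challenge: bytes,
                     signature: bytes, counter: int) -> bool:
        acct = self.accounts.get(user)
        if acct is None:
            return False
        # The challenge must be the one we issued and is consumed on first use.
        if self.pending.get(user) != challenge:
            return False
        cred = acct.credentials.get(credential_id)
        if cred is None:          # unknown or revoked token
            return False
        expected = hmac.new(cred.secret, challenge + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False
        if counter <= cred.last_counter:  # counter did not advance: replay/clone
            return False
        cred.last_counter = counter
        del self.pending[user]
        return True

    def revoke(self, user: str, credential_id: str) -> int:
        """Drop a lost token; returns how many credentials remain so the
        caller can warn when the user is down to their last one."""
        acct = self.accounts[user]
        acct.credentials.pop(credential_id, None)
        return len(acct.credentials)


def demo() -> dict:
    """Constructed scenario: two tokens enrolled, the primary is lost."""
    rp = RelyingParty()
    primary = Token("tok-primary", secrets.token_bytes(32))
    backup = Token("tok-backup", secrets.token_bytes(32))
    rp.register("alice", primary)
    rp.register("alice", backup)
    out = {}
    ch = rp.new_challenge("alice")
    sig, ctr = primary.sign(ch)
    out["primary_ok"] = rp.authenticate("alice", "tok-primary", ch, sig, ctr)
    # Replaying the same assertion fails: the challenge was consumed.
    out["replay_rejected"] = not rp.authenticate("alice", "tok-primary", ch, sig, ctr)
    out["remaining_after_loss"] = rp.revoke("alice", "tok-primary")
    ch = rp.new_challenge("alice")
    sig, ctr = primary.sign(ch)
    out["lost_token_rejected"] = not rp.authenticate("alice", "tok-primary", ch, sig, ctr)
    ch = rp.new_challenge("alice")
    sig, ctr = backup.sign(ch)
    out["backup_ok"] = rp.authenticate("alice", "tok-backup", ch, sig, ctr)
    return out


if __name__ == "__main__":
    print(demo())
```

The point the thread makes is visible in `revoke`: losing a token is an inconvenience only if a second one was enrolled beforehand, which is why a service should expose registration of several authenticators rather than treating the first as the only one.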

The same as real keys: you make a copy. If you don’t, you have to call someone to get it fixed, which is an expensive hassle. It’s an intuitive model that everyone already groks. No fragile user re-education necessary.
Hardware keys embedded under your skin. What could possibly go wrong with that?

Joking aside, hardware keys will absolutely get lost. Even car keys get lost around here on a fairly regular basis.

Fingerprints maybe?

And when the fingerprint database is stolen and shared with multiple adversarial parties? They now have your password, and it's gonna be hard to update / change yours.

This happened with the OPM hack, and a big one in India or Indonesia or something not too long ago, I think.