by tialaramex
1874 days ago
There already is a future without passwords, it's WebAuthn. The key element that didn't make your list is phishing. The next threat to Joe Average once he isn't reusing a crap password is phishing. Joe goes to a site which he thinks is the right place but it isn't, it's actually run by bad guys and then Joe gives them his credentials and helps them break into the real site Joe thought he was visiting. Better passwords make no difference to that. Some types of password managers might slow Joe down a bit, as he needs to override a default presumption that this is the wrong site, but since the site has tricked Joe already this is very fragile. TOTP makes no difference, SMS of course makes no difference, and even the Google Auth tech AFAIK makes no difference. But WebAuthn just stops this attack dead in its tracks.
WebAuthn does have its own issues and complications, mainly with how to handle account recovery on a lost or corrupted device. Sure, you can have a replacement device, as you and I likely try to do for most things; however, this is too burdensome for many.
I think the biggest issue with any new spec like WebAuthn is vendor adoption. As is... many banks fail to have any 2FA, and those that do give you the terrible choice of SMS 2FA. In addition, they have odd and archaic password requirements, such as only these symbols, and only up to 20 characters, etc. If they have failed to rectify these in the last 2 decades, I'm afraid of how far in the future something like WebAuthn is from being in realized use. Hence I made SrsPass as hopefully a solution to today's password problems, the ones I considered sanely resolvable.
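
The phishing resistance described in the first comment rests on checks the real site runs on every WebAuthn login; the sketch below is an added example, not part of either comment, showing those checks accept a login made on the genuine origin and reject one relayed from a look-alike page. `RP_ID`, `EXPECTED_ORIGIN`, the `.example` domains and the helper names are assumptions, the assertion data is constructed, and verification of the authenticator's signature (which is what makes these fields tamper-proof) is left out.

```python
import base64
import hashlib
import json

RP_ID = "bank.example"                    # assumed relying party ID
EXPECTED_ORIGIN = "https://bank.example"  # assumed origin of the real site

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_assertion(page_origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for what the browser and authenticator return.
    The browser, not the user or the page, writes `origin`."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
    }).encode()
    # authenticatorData: SHA-256(rpId) (32 bytes), flags (1 byte), signCount (4 bytes)
    flags = b"\x01"  # bit 0 = user present
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + (1).to_bytes(4, "big")
    return client_data, auth_data

def check_assertion(client_data: bytes, auth_data: bytes, challenge: bytes) -> str:
    """Relying-party checks that bind a login to the real site.
    Returns "ok" or the reason for rejection."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "wrong type"
    if cd.get("challenge") != b64url(challenge):
        return "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user not present"
    return "ok"  # signature verification over auth_data and the client data hash goes here

def demo():
    challenge = b"constructed-challenge-0001"
    genuine = browser_assertion("https://bank.example", "bank.example", challenge)
    # A look-alike page can relay the real challenge, but the browser still
    # records that page's own origin, so Joe has no secret to hand over.
    phished = browser_assertion("https://bank-login.example", "bank-login.example", challenge)
    return check_assertion(*genuine, challenge), check_assertion(*phished, challenge)
```
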