[autoexec]

> Something you have can easily be stolen as long as someone is able to access it. Someone on the other side of the world is not going to be able to steal your USB token from the comfort of their own bedroom, just as they're unlikely to get your biometrics.

True, and better security systems take advantage of that by combing all three. For me to log into work I have to use a password (what I know), use a hardware token (what I have), and be logging in from a location where they'll expect me to be (what I am). All of those things have their flaws, but the odds of someone managing to pull off all three are much less likely.

As the use of biometrics increases we'll see more examples of that data being collected stolen and and shared around the world. Right now, it's not used often enough for criminals to bother passing around scans of your fingerprints, or photos used to spoof facial recognition, but it's bound to happen.

> I understand what you're saying, but you're forgetting that passwords, by nature, have to exist somewhere other than your head, guarded by someone other than you.

As others have said, they shouldn't. We have to expect failures and breeches, which is why it's so important that we have those other two pillars to fall back on when "what we know" fails us.

[JumpCrisscross]

> better security systems take advantage of that by combing all three. For me to log into work I have to use a password (what I know), use a hardware token (what I have), and be logging in from a location where they'll expect me to be (what I am).

Perfect is the enemy of the good. FIDO is better than just passwords. That’s what it’s replacing. You can keep using triple-factor authentication if you want to.

[autoexec]

"What you know" provides better protection, made better still by requiring something you have and/or something you are. FIDO is a combination of weaker protections plus added convenience. Its better than passwords in terms of being easier.

Perfect is the enemy of the good, and perfect security cannot exist. FIDO is perfectly fine for some things. For anything actually important and worth protecting it's a step in the wrong direction and even worse it's being pushed for by groups who want to increase their ability to collect your data and control you.

[ryukafalz]

FIDO with a PIN also involves something you know, with the added benefit that the PIN is never sent across the internet.

[autoexec]

True, but then you're basically back to having passwords. Weak ones even (assuming a 4 digit pin).

Again, FIDO isn't terrible in all cases, but there is certainly a push to get people to use it for things that should be more secure. I think they're hoping that with enough convenience we'll all just go along with it and start handing over so much more of our personal data and give all these companies so much more power over our lives. Maybe they're right too and we will, but I think our security will be worse off for it. We should be thinking about what specific applications FIDO is useful for and where it's best avoided, as well as exactly what we're getting in exchange for all that we'd be giving away.