by JumpCrisscross 1503 days ago
> better security systems take advantage of that by combining all three. For me to log into work I have to use a password (what I know), use a hardware token (what I have), and be logging in from a location where they'll expect me to be (what I am).

Perfect is the enemy of the good. FIDO is better than just passwords. That’s what it’s replacing. You can keep using triple-factor authentication if you want to.


"What you know" provides better protection, made better still by requiring something you have and/or something you are. FIDO is a combination of weaker protections plus added convenience. It's better than passwords in terms of being easier.

Perfect is the enemy of the good, and perfect security cannot exist. FIDO is perfectly fine for some things. For anything actually important and worth protecting it's a step in the wrong direction and even worse it's being pushed for by groups who want to increase their ability to collect your data and control you.

FIDO with a PIN also involves something you know, with the added benefit that the PIN is never sent across the internet.

True, but then you're basically back to having passwords. Weak ones even (assuming a 4-digit PIN).

Again, FIDO isn't terrible in all cases, but there is certainly a push to get people to use it for things that should be more secure. I think they're hoping that with enough convenience we'll all just go along with it and start handing over so much more of our personal data and give all these companies so much more power over our lives. Maybe they're right too and we will, but I think our security will be worse off for it. We should be thinking about what specific applications FIDO is useful for and where it's best avoided, as well as exactly what we're getting in exchange for all that we'd be giving away.
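The point raised above about a FIDO PIN never crossing the internet rests on how the relying party learns that the PIN was checked: the authenticator verifies it locally and only reports the result as the "user verified" (UV) bit in the authenticator data it signs, so a server that wants "something you know" in the mix has to insist on that bit rather than trust the device by default. The following is an added example, not code from the thread or from any FIDO library, showing the server-side checks on the fixed 37-byte prefix of WebAuthn authenticator data (RP ID hash, flags byte, signature counter). The relying-party ID `example.com`, the sample counters and the `build_authenticator_data` helper are constructed here for illustration; it deliberately stops before signature verification, which needs the credential's public key and a crypto library.

```python
import hashlib
import struct

# Bit positions in the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # user present: the user touched the authenticator
FLAG_UV = 0x04  # user verified: a PIN or biometric was checked on the device
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed prefix")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "has_attested_credential": bool(flags & FLAG_AT),
        "has_extensions": bool(flags & FLAG_ED),
        "sign_count": sign_count,
    }


def check_assertion(auth_data: bytes, rp_id: str, stored_sign_count: int,
                    require_user_verification: bool) -> tuple:
    """Relying-party policy checks on an authentication assertion.

    Returns (ok, reason). `require_user_verification=True` is the setting that
    makes the PIN/biometric a mandatory second factor: an assertion whose UV bit
    is clear is rejected even though it is otherwise well formed.
    """
    parsed = parse_authenticator_data(auth_data)

    # The authenticator binds the assertion to the RP ID it was created for;
    # a mismatch means the credential was minted for a different origin.
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match the expected RP ID"

    # User presence (a physical touch) is the minimum for any assertion.
    if not parsed["user_present"]:
        return False, "user presence flag not set"

    # User verification is what proves a PIN or biometric was checked locally.
    if require_user_verification and not parsed["user_verified"]:
        return False, "user verification (PIN/biometric) not performed"

    # Signature counter: once either side has a non-zero value, the new one
    # must strictly increase, otherwise a cloned authenticator is suspected.
    if parsed["sign_count"] != 0 or stored_sign_count != 0:
        if parsed["sign_count"] <= stored_sign_count:
            return False, "signature counter did not increase (possible cloned authenticator)"

    return True, "ok"


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample data for the example; a real authenticator produces this."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    # Constructed samples: a good assertion, one made with touch only, one replayed.
    good = build_authenticator_data("example.com", FLAG_UP | FLAG_UV, 5)
    touch_only = build_authenticator_data("example.com", FLAG_UP, 6)
    stale = build_authenticator_data("example.com", FLAG_UP | FLAG_UV, 3)
    for name, data in (("good", good), ("touch_only", touch_only), ("stale", stale)):
        print(name, check_assertion(data, "example.com", stored_sign_count=4,
                                    require_user_verification=True))
```

The `require_user_verification` switch is the practical lever here: a relying party that leaves it off gets a single possession factor from a roaming key, while one that turns it on gets possession plus a locally checked PIN or biometric, without the PIN ever being transmitted or stored server-side.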