Hacker News new | ask | show | jobs
by hn_throwaway_99 1367 days ago
> Instead of passwords, we should use something like FIDO, which allows users to log in using a security key or biometric information.

The problem "in the real world" is that people will lose these keys all the time. I mean, I agree, passwords need to die, and hopefully some of the work that is being done by Apple and others will help bring on an end to passwords, but you can't really talk about replacing passwords with FIDO keys without talking about how to deal with account lockouts, which is a real, hard problem.

Similarly, biometrics may be good for a user ID but they make horrible passwords. These days fingerprints and irises can be copied from photographs.

4 comments

This is typically the problem with silver bullet solutions. You can easily look at the solution that’s been in place for decades and see where it fails, because you have decades of data to look at. You look at your new shiny solution, and you can see that it solves all of those problems. What you can’t see, because you don’t have decades of data to look at, are all the new problems that will come up with the new solution. You’ll notice some of them, and you can try to patch over them, but you’re bound to miss a lot.

Which isn’t to say that you shouldn’t go with the new solution anyway. But I’m always skeptical when all people say is “it solves all the existing problems.”

We have the following:

Authenticator app, HID card, or FIDO key. Biometric is coming but the goal is to not have to give people yet another reader/device.

In theory we wouldn't have to worry about someone losing their card or key but they don't always set up all three in their account.

Are these used in conjunction, or any one will do? If it's the former, it seems like it would make the problem of loss worse. If it's the latter, then it seems you've offered a variety of ways that someone can access your systems - steal a key, copy biometrics, guess the phone password etc. - the weakest one will do.
You only need to use one. You need a PIN to use any of the devices as well.
Only needing one means you have the "lowest common denominator" of 2FA. E.g. authenticator apps are vulnerable to phishing, while FIDO keys are not. Adding FIDO key as an optional second factor doesn't really add much security if people can still be phished using a MITM attack using the authenticator TOTP.
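Added example (not from this thread, nor from any of the commenters) illustrating the phishing point above: a TOTP code carries nothing that names the site the user typed it into, so a proxy site can relay it to the real site, while a WebAuthn-style assertion is signed over the browser-supplied origin and an RP-ID-scoped key, so a relayed assertion fails verification. The TOTP half follows RFC 6238 (SHA-1, 6 digits, 30 s step). The WebAuthn half is a simplified model: the authenticator's per-site key is an HMAC secret standing in for the real public-key signature, and the "browser" derives the RP ID from the origin it is showing; the origins, master secret and challenge are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import struct

# ---------- TOTP (RFC 6238, HMAC-SHA1, 6 digits, 30 s step) ----------
def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp_phishing_relay(user_secret: bytes, now: int) -> bool:
    """Attacker's proxy site collects the user's code and forwards it to the real site.
    Returns True when the real site accepts it: the code never mentions which site
    the user believed they were logging into, so the relay is invisible."""
    code_typed_on_phishing_site = totp(user_secret, now)
    return hmac.compare_digest(code_typed_on_phishing_site, totp(user_secret, now))

# ---------- WebAuthn-style assertion (simplified model, constructed names) ----------
REAL_ORIGIN = "https://bank.example"          # constructed
REAL_RP_ID = "bank.example"
PHISH_ORIGIN = "https://bank-example.evil"    # constructed look-alike proxy

def client_data(challenge: bytes, origin: str) -> bytes:
    # The browser, not the web page, fills in the origin it is actually showing.
    return json.dumps({"type": "webauthn.get",
                       "challenge": challenge.hex(),
                       "origin": origin}, sort_keys=True).encode()

def derive_site_key(master: bytes, rp_id: str) -> bytes:
    """Stand-in for the authenticator's per-RP key pair: credentials are scoped to
    the RP ID, so a different RP ID yields a different key (assumption of this model)."""
    return hmac.new(master, rp_id.encode(), hashlib.sha256).digest()

def authenticator_sign(key: bytes, rp_id: str, cdata: bytes) -> tuple[bytes, bytes]:
    auth_data = hashlib.sha256(rp_id.encode()).digest()        # rpIdHash
    signed = auth_data + hashlib.sha256(cdata).digest()         # authData || H(clientDataJSON)
    sig = hmac.new(key, signed, hashlib.sha256).digest()        # HMAC stands in for ECDSA here
    return auth_data, sig

def rp_verify(key: bytes, challenge: bytes, cdata: bytes, auth_data: bytes, sig: bytes) -> bool:
    """What the real relying party checks before accepting an assertion."""
    cd = json.loads(cdata)
    if cd.get("type") != "webauthn.get" or cd.get("origin") != REAL_ORIGIN:
        return False                                            # origin binding
    if bytes.fromhex(cd.get("challenge", "")) != challenge:
        return False                                            # freshness
    if auth_data != hashlib.sha256(REAL_RP_ID.encode()).digest():
        return False                                            # RP ID binding
    expected = hmac.new(key, auth_data + hashlib.sha256(cdata).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)

def webauthn_login(master: bytes, browser_origin: str) -> bool:
    """Simulate a login where the browser is showing `browser_origin`. A phishing
    proxy can relay the real RP's challenge, but it cannot change what the browser
    writes into clientDataJSON or which RP ID the authenticator scopes the key to."""
    challenge = os.urandom(32)                                  # issued by the real RP
    rp_id = browser_origin.split("://", 1)[1]                   # browser permits only a matching RP ID
    cdata = client_data(challenge, browser_origin)
    auth_data, sig = authenticator_sign(derive_site_key(master, rp_id), rp_id, cdata)
    # The real RP verifies against the key it registered for bank.example.
    return rp_verify(derive_site_key(master, REAL_RP_ID), challenge, cdata, auth_data, sig)

if __name__ == "__main__":
    seed = b"12345678901234567890"                              # RFC 6238 test-vector secret
    print("TOTP relay accepted:", totp_phishing_relay(seed, 59))
    print("WebAuthn, real origin:", webauthn_login(b"master-secret", REAL_ORIGIN))
    print("WebAuthn, phished origin:", webauthn_login(b"master-secret", PHISH_ORIGIN))
```

The two halves differ only in what the verifier can see: a TOTP verifier receives six digits, while an assertion verifier receives the origin and RP-ID hash the browser and authenticator committed to, so a relay from a look-alike domain fails on the origin check before the signature is even examined.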
Exactly. I asked Per Thorsheim once about resetting 2FA creds, something that is viable for banks etc. that hold a lot of semi-private data which can be used to verify your data but for a much smaller startup with basic account info.

He said he didn't know how it would be done securely.

I see a lot of attacks are due to account takeover and we currently seem torn between allowing an attacker to circumvent the 2FA by account reset or leaving someone unable to access their account for ever.

I started scanning 2FA codes into two phones, my main one and one that I leave hidden at home (and switched off) for backups. Knowing my luck though, I'll need to access the one that I forgot to scan into the second phone!

You could also print the 2FA setup codes (like on actual paper :P) and store them in a safe or otherwise secure location. Along with the backup codes probably (or maybe each goes to a different location, or copy of each in 2 locations, one remote, depending on how important access is and how hard it would be to get it back without that information.)
I hope that the availability of using device-based (using the built-in hardware in a device they're less likely to lose like a phone/laptop) or account based (like the passkeys synced to iCloud/Google/Microsoft) will help mitigate the issue of people losing them. Regardless of which option they use though, they should treat them like home/car keys and have backups in place.

As for the biometrics, when people talk about biometrics for authentication, they are usually talking about using the biometrics to unlock something stored securely on a device. Without the device that has the actual credential being used, the biometric that has been copied doesn't do attackers much good.