by api 968 days ago
So it's finally happened at least a tiny bit: one of these corporations to which we have decided to dedicate all authority has had a breach.

Someday it will be much, much worse. Someday someone will manage to breach and take control of a bigger one in a bigger way, and will instantly gain root on a large subset of the entire computing ecosystem. There's a trend of even delegating things like ssh to systems under OIDC control, so I'm not using root metaphorically.

But hey, OIDC is convenient and that's all that matters in computing.

2 comments

LastPass had a breach recently where entire vaults were stolen encrypted. Older entries were stored using worse (key derived using KDF with too few iterations) encryption than more recent ones.
What’s your alternative?
A more portable standardized version of the Apple distributed Secure Enclave sort of thing as 2FA with passwords as the first factor would be great. You could also add something like a Yubikey as an emergency unlock token.

It’d be based on keys you control so there’s no way someone could hack some master database or key authority and own the entire universe. That’s a distinct possibility today.

Plausible scenario: highly sophisticated nation-state-sponsored break at Google with cooperation from inside, used to launch a sudden mass malware infection attack against hundreds of millions of systems.