Passwordless: a different kind of hell?

217 points, by juancroldan, over 1 year ago

38 comments

michaelt, over 1 year ago
I recently ordered something on ebay. Nothing expensive, just a £60 item, and delivered to an address I've ordered many things to in the past.

First I had to log into ebay - no problem, got my password manager right here, as soon as I unlock my phone with my fingerprint. Now I'll just key in my 12 character, randomly generated password with mixed case letters, numbers and symbols.

Then ebay decided they wanted to send me a code by SMS. I'd never enabled that security option, but whatever. I can do that, quick fingerprint to unlock the phone then key in the code.

Then I chose to pay with paypal, requiring a second password. And a 2FA code, this time from a TOTP app. For some reason paypal ask for TOTP every time. Easy enough, quick fingerprint auth then just key in the code.

Then I told paypal I wanted to pay by card, as I always do. They redirected me to my bank, who asked me to use their mobile app to authorise the payment with my fingerprint. After unlocking my phone with my fingerprint, naturally.

Clearly, the days when businesses thought online shopping ought to be low-friction are long gone.
Karellen, over 1 year ago
> Gileadite soldiers used the word "shibboleth" to detect their enemies, the Ephraimites. The Ephraimites spoke in a different dialect so that they would say "sibboleth" instead. Experience: you just had to say a word. Security: there's a single word to authenticate multiple users and it can be cracked by learning how to spell it.

Although that's roughly how the Wikipedia entry[0] summarises it, the actual wording of the story indicates a slightly different issue:

> for he could not frame to pronounce it right.

It's not a spelling difference per se, it's (AIUI) that the Gileadite pronunciation uses a phoneme that was not used at all in the Ephraimites' spoken language, so an Ephraimite soldier was literally incapable of pronouncing the word "correctly".

e.g. How some spoken dialects/accents do not use a rhotic "r", or do not distinguish between "l"/"r", or are not tonal languages. If you have not already learned how to make that specific sound, and distinguish it from the other one, through repeated practice, you will be unable to replicate it properly. And this will be the case no matter how the word is spelled, or even if you try to immediately copy someone saying it the exact way they want you to say it.

[0] https://en.wikipedia.org/wiki/Shibboleth
Al-Khwarizmi, over 1 year ago
We are going way over the top with 2FA.

Why do I need to activate mandatory 2FA in services like GitHub repositories for hobby projects? It's a lot of extra effort for a questionable security improvement, and anyway, if someone impersonates me there, it's not the end of the world. If they care about end users (which my projects mostly don't even have) mark me as "unverified" or something, but let me avoid the hassle.

And in more serious services, like banking... since there is no such thing as 100% security (and in particular 2FA is far from it, e.g. if your phone is stolen with the banking app open, you're screwed), actually the most important thing is that the bank responds and can refund the money if fraud is committed, which it inevitably will be for some percentage of unlucky customers. I view 2FA as a way to pass responsibility to the customer ("we have very secure systems, so if someone transferred $X out of your account it's surely your fault"). Personally, I feel safer with less security and the bank worrying about fraud than the other way around, so I don't think they're protecting me when they implement this kind of stuff.
BoppreH, over 1 year ago
I understand the frustration with login systems, but why is the title "Passwordless: A Different Kind of Hell" if it doesn't talk about passwordless authentication, like passkeys, magic links, and biometrics?
filleokus, over 1 year ago
I think the industry, to some extent, has already reconsidered the session length, see [0] by Auth0 for example (even if it's obv. a PR piece). Nowadays my gut assumption when I use a service with really short sessions is that their security practices are probably questionable.

I recently argued, as the cybersecurity guy™, with a vendor that we can't ask regular users to reauthenticate every 15 minutes. They insisted raising it would be too insecure and instead suggested making MFA optional as it would make the login process smoother…

[0]: https://auth0.com/blog/balance-user-experience-and-security-to-retain-customers/
imzadi, over 1 year ago
Something that often gets overlooked in these discussions is the impact of all this on older people and people with intellectual disabilities. Managing all of this is annoying to an average person, but can literally be impossible for an older person with a memory disorder. It creates a lot of additional vulnerability for them, because they now need to trust someone to help them manage their accounts. It also puts a heavier burden on people in customer service who have to deal with often irate older customers who are having trouble managing their accounts.
mooreds, over 1 year ago
Weird post. It's a good history of authentication, including offline and online, and I like the ratings.

But the title seems like pure click bait, as the author didn't spend more than 2 sentences on passkeys/Webauthn (which is the typical tech for passwordless solutions nowadays).

I have my own issues with Webauthn usability and was expecting a deeper dive into that.

The larger problem, of course, is that security and ease of use are in tension. Always were, always will be.
justanorherhack, over 1 year ago
I just opened a ticket with notion on mobile and plan on switching because I can't use it for simple notes. This is the amount of steps it takes to login and you have to do it all the time:

* unlock your phone
* tap notion
* you're logged out - avoid the big login with x sso buttons, scan for and click the little text that's black on black labeled "login here with email"
* type my email out (no autofill)
* tap submit
* exit app, open mail
* find the notion email, usually it's right there; other times you must refresh constantly, sometimes it takes whole minutes because it's email
* highlight as much of the password as you are able but not all of it because you can't due to the dashes
* adjust highlighted text while holding down long enough to pop up the copy context window or memorize a cute phrase with dashes and type it out without making a mistake, 3 taps a dash (x4) because mobile keyboard layering
* hit copy, exit app, open notion
* press and hold in the textbox for the paste window or type it out
* finally hit paste and submit
* remember what you were trying to do quickly

Now add slow or glitchy (5g+) internet and it doesn't work.

Even if you wanted to tie yourself permanently to an sso provider, a lot of the time, they too require re auth. If you have 2fa on (as you should) that's as many steps. The push for sso is also incredibly annoying. I've nearly deplatformed very intentionally.

Notion does a lot of funky things like refuse to build an offline mode which exacerbates this.

One other thing I don't like about "passwordless" is biometric as a security feature instead of it as a convenience. 1Password removed passcode unlock on mobile in favor of faceid. Which if you don't use it results in entering your full long password every time you use it, even if you just used it. Apparently I wasn't the only one that complained because they restored the feature shortly after removing it.

I unlock my friends' phones while they are driving with faceid all the time. Too easy, not secure enough for the app that has most of my secrets.

Use 2fa, local passcodes that require reauth occasionally, and assume you are running on a locked device, if logging in from a new place maybe 3fa like Coinbase.
0xbadcafebee, over 1 year ago
Note that all uses of the password before the computer were not for personal security, but organizational security. If the enemy infiltrated without the use of the password, it could mean the downfall of an empire.

Today we use passwords largely for personal security. Yet when companies choose what methods of authentication/authorization they offer, they don't care what the user wants. They pick methods that will make their own jobs easier, rather than giving the user more convenience. The user has no agency today; it's just take what they give you and be thankful for it.

As a result, the tech landscape is full of wildly varying authn+z methods. Inconsistent password policies, inconsistent challenge methods (when they exist), inconsistent use (and types) of MFA, inconsistent use of hacker-prevention methods, the occasional use of single sign-on for only a few identity providers, "magic login email links", nearly non-existent use of client-side keys, etc etc. Almost every site you login to today will have a different system. Passkeys aren't much better, because they too are just a hodge-podge of different standards, not all of which need to be supported.

We need more consistency for the methods that exist. There should be a standard for challenge questions, a standard for hacker-detection, a standard for password policies, a standard for MFA, etc. That way it will be a little less haphazard how everyone implements them, and it will be easier to prevent security bugs by following the guidelines for implementing the standard.

But I also think more should be done to advocate for what the user wants. If the user wants to use a regular password, let them enable it. If the user wants to disable MFA, let them disable it. If they want to opt-out of the multi-layered hacker-detecting challenge-questions, let them opt-out.

This is, after all, their personal security, not the security of the entire company selling them some service or product. A person should be able to decide their personal security level.

Alas, we don't really have much choice in what current companies give us. But if we voice our opinions loud enough, maybe new companies will give us the agency we want, and maybe that tiny competitive edge will prompt other companies to match them.
catapart, over 1 year ago
A nice little read! Fun to have a short trip through history, there.

I'm a little disappointed that it didn't talk about passwordless logins, at all, though. I'm thinking of implementing one, and I was hoping this would give me some food for thought! Ah well.
bufordtwain, over 1 year ago
I find myself wondering, how much collective time is being lost these days to authentication? I mean, if you have to authenticate using your phone, you have to dig it out of your pocket, sign into the phone, read the text message or use the authenticator app, type in the code...
krupan, over 1 year ago
We have all been using physical keys for our homes and cars our whole lives. Physical U2F keys for digital authentication are basically the same level of convenience and actually very very secure: no shared secrets, not copyable, not forgeable, not vulnerable to phishing, etc. I don't know why we haven't all jumped on this solution to digital authentication.
digging, over 1 year ago
Oh, this was disappointingly light on substance. It's an interesting musing on the history of passwords and the (very real) frustrations of modern authentication.

I thought it would have more depth though into the current state of various authentication schemes, in particular passwordless, which isn't actually mentioned at all. I find passwordless to be slightly less bumpy than various 2FA but still a genuine pain in the ass, to have to open up email in a second tab, wait for the email to come through, and then often follow a dubious link.
walteweiss, over 1 year ago
I have an iPhone that fell, and its fingerprint reader doesn't work any longer. It simply cannot recognise my fingers, or it does recognise the finger once in like 50 attempts. I was unable to trace what I did and how much I pushed that sensor. I turned the biometrics off and use passwords instead. It's less convenient, but I'm not planning to upgrade the phone for that very reason either. So I'm stuck with this for a while. I cannot imagine how passkeys are going to work in this scenario.

This, and also brand dependency, is what makes me worried about passkeys. If I got the idea correctly, it hashes my fingerprint data, but what if my fingerprint changes? I have that very often on my iPad, that it stops seeing my thumbs as the correct thing. I assume that happens due to some manual work I may do. And my thumb becomes different to the sensor. I hack that with my pinky finger, for some reason it's more reliable. But what if something happens to the sensor and it stops being reliable?

What are my options then? What are my options if I'm about to change my smartphone brand? What are my options if I'm on my PC that has no sensors for any biometrics?
zeptonix, over 1 year ago
Interesting that the article picks Notion as its example. For me too it seems like I am initially NEVER logged in no matter how often I login to Notion.
INTPenis, over 1 year ago
If the author is reading this, sorry but I spaced out when you started going into the history of passwords.

When you say passwordless in this day and age my thoughts go straight to hw keys.

And speaking of hw keys I started using one alongside my gpg password for my personal password manager a year ago.

After 1 year I removed the hw key from the list of keys.

My experience is that it's more of a hassle to reach for a hw key every time I need to view a password, than it is to just enter a very long passphrase.

I'm of course special to be able to remember multiple very long passphrases, but as long as I do it's much more convenient.

Then it also got me thinking, what if I had gone 100% hw key and lost the key? Then my passwords are lost forever. It's much harder to lose the passphrase in my head.
soerxpso, over 1 year ago
What really annoys me lately is websites which require me to verify my login by email, but which also allow me to change my password by email without knowing the old password. It seems to be an attempt at "2FA" but it ends up being 1FA, and even less secure than if they'd just accept my password on its own.

A friend of mine recently got caught in a loop where he wanted to interact with an account that he hadn't used in a long time, which was registered under an email he hadn't used in a long time, which had a recovery email set which he also hadn't used in a long time. He had the passwords written down for all three, but account A refused to let him in without an email verification (but would let him in without a password, if only he could access the email), and email A wouldn't let him in without proving he had access to email B, which wouldn't let him in without proving he had access to email A. A person who wandered into a logged-in computer with access to email B could theoretically have done anything they wanted to all 3 accounts, password or not, but the rightful owner was forbidden from using any of them, despite knowing all the passwords.

I miss the days of, "You have a password, and we'll assume anyone with that password is you. Don't get phished." It's actually pretty easy not to get phished, and sometimes downright impossible to go through the hoops that all of these new anti-phishing measures require.

A service I stumbled into recently which I think does it right is Mullvad. They've taken it a step further and done away with usernames, too. They just give you a long numerical code and tell you that if you lose it, you're screwed. It feels much more respectful to the user.
pjkundert, over 1 year ago
I have 743 login credentials (1984-present).

Trusting 743 "randos on the internet" to safeguard "my" data, and give me access to use it.

Insanity.

Agent-Centric systems where I retain signing keys to authorize access to (and transactions using my) data are the way forward.

A Key Fob (like you have for your car) is not onerous, and methods for recovery using trusted community members are practical.

Holochain (and the Holo project) are good examples of working implementations.
switch007, over 1 year ago
My biggest pet-peeve is when they just ask for your email address, then on the next page inform you they've emailed you a one-time login code, and then you need to hunt for the link in small text along the lines of "Log in with a password instead".
ranguna, over 1 year ago
Lots of people having lots of issues in the comments, I can't be the only one that has no problems with this.

I use bitwarden, it has my passwords and my TOTP codes in there, I have this on my phone and on my computers, everything auto fills. Other than that, I also have a hardware key for some services, all I need to do is click the hardware key when prompted. Some services only have email 2FA, but that's quite easy as well, I just get a notification and copy the code from there.

Doing a chain of 3 2FAs for 3 different services takes seconds.

For improved security this is easy, I'm not sure what everyone is on about.

Is this another case of complaining just for the sake of it?
mavhc, over 1 year ago
I can't login to a website from my desktop any more because I enabled passkeys, and my desktop doesn't have bluetooth to talk to my phone.

Nor does anyone say what version of bluetooth is required.
latchkey, over 1 year ago
It is really hard to read that article on a site where 20% of the page is covered by a cookies warning with only an "OK" button. Talk about hell.
1B05H1N, over 1 year ago
Fraud is a huge driver of this. The need for high friction is here as more people are issuing chargebacks, hackers are getting more bold, etc.

Source: I work in ecommerce.
BeetleB, over 1 year ago
My work just replaced our VPN app (which required a password) with something that they excitedly promised would provide us "passwordless login!"

Lo and behold, it uses 2FA. Periodically I have to go get my phone[1] just to do my work. Way more friction than typing in the password.

[1] No, I don't keep my phone on me all the time. It usually just sits in some random room at home.
yungporko, over 1 year ago
anything other than username/email + password is stupid bullshit, i don't care what any cybersecurity nerd says.
senectus1, over 1 year ago
This is why I run passwordless on my most high value/important services and use my password manager to hold passwords for all the end point services like ebay and other low-risk, low-expectations sites.

for me it's about lowering the price to use a service. (as in mental price not dollar value)
apitman, over 1 year ago
I'm currently unable to log in to my Amazon account on new devices because I accidentally deleted the MFA for it. I've submitted my government ID to their recovery form multiple times. No response. Phone customer support said they couldn't do anything. Any ideas?
wffurr, over 1 year ago
SMS-based 2FA is still vulnerable to phishing, but U2F is not. This has been solved for a while now, but I guess it's still a hassle for most folks to use them.

I got my whole family Yubikeys a while back, and it seems to be going pretty well.
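krupan and wffurr both state that a U2F key is not vulnerable to phishing; the sketch below, added here and not taken from the thread or from any project it mentions, shows why: the browser binds each assertion to the origin it was made on, so a relying party can reject a signature that was produced on a look-alike domain even though the signature itself is valid. It is a simplified model of WebAuthn (authenticator flags and counter omitted); the domains example.com and examp1e.com and the challenge value are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData mirrors WebAuthn's clientDataJSON. The browser, not the page's
// script, fills in Origin, so a phishing page cannot claim to be the real site.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedDigest is the (simplified) message the key signs: sha256(rpID) || sha256(clientDataJSON).
func signedDigest(rpID string, cd []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	d := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return d[:]
}

// Authenticator stands in for a U2F/FIDO2 key: the private key never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }
// Assert signs the challenge for the origin the browser is actually showing.
func (a *Authenticator) Assert(rpID, origin, challenge string) (cd, sig []byte, err error) {
	cd, _ = json.Marshal(clientData{challenge, origin})
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(rpID, cd))
	return cd, sig, err
}

// RelyingParty is the site that registered the key's public key.
type RelyingParty struct {
	rpID, origin string
	pub          *ecdsa.PublicKey
}

// Verify does the checks that make the scheme phishing-resistant: our challenge,
// our origin, and a signature over exactly those bytes.
func (rp *RelyingParty) Verify(challenge string, cd, sig []byte) error {
	var c clientData
	if json.Unmarshal(cd, &c) != nil || c.Challenge != challenge {
		return fmt.Errorf("malformed, stale or replayed assertion")
	}
	if c.Origin != rp.origin {
		return fmt.Errorf("origin %q is not %q: signed on another site", c.Origin, rp.origin)
	}
	if !ecdsa.VerifyASN1(rp.pub, signedDigest(rp.rpID, cd), sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// Demo returns the outcome of a genuine login and of the same challenge relayed
// through a look-alike site (constructed names). A TOTP or SMS code carries no
// origin, so typed into the wrong site it would still verify.
func Demo() (genuine, relayed error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	key := &Authenticator{priv}
	rp := &RelyingParty{"example.com", "https://example.com", &priv.PublicKey}
	cd, sig, _ := key.Assert(rp.rpID, "https://example.com", "c0ffee")
	genuine = rp.Verify("c0ffee", cd, sig)
	cd, sig, _ = key.Assert(rp.rpID, "https://examp1e.com", "c0ffee")
	relayed = rp.Verify("c0ffee", cd, sig)
	return genuine, relayed
}
```

In a real browser the rpID is additionally restricted to the page's own domain, so the look-alike site could not even obtain an assertion for example.com; the origin check is the server-side half of that protection.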
AlienRobot, over 1 year ago
I've had a personal Google e-mail account for decades.

I never worried about losing access to it.

Until the day I enabled 2FA on it.

You can't get my personal e-mail password out of my mind but you can get my smart phone out of my hand.

I've used half my backup codes by now.
1970-01-01, over 1 year ago
Auth is like paint. Adding more layers can make it better or worse.
strickjb9, over 1 year ago
Can we talk about having your account locked from a website because a bot attempted to login using someone's email address?
alabhyajindal, over 1 year ago
90 days timeout for a login session seems very decent. Why is logging back into a service once every 3 months even an issue?
jhartwig, over 1 year ago
I love the theme of this blog but the side bar just disappears when scrolling which is kinda jarring.
Hydrocarb0n, over 1 year ago
You are a Pavlovian dog, 2FA is just reporting to uncle Sam,

It binds the biologic to the transaction, no plausible deniability.

Great for securely buying Pizza but not so much for the future of humanity.
patrulek, over 1 year ago
"I, like most people, hate passwords..."

Citation needed.
asylteltine, over 1 year ago
The reason this happens is because of bad actors. This is why we can’t have nice things. Walk around and pay attention next time and you will notice all the little things that are shitty because of bad actors like thieves.
freitzkriesler2, over 1 year ago
2fa and always having to enter a pin for credit/debit cards is simply a way for banks to refuse to refund fraud.

Because no one has ever hacked 2fa and stolen a pin before /s
smitty1e, over 1 year ago
Biometrics seem worse-is-better: you now have some unique identifier for me, which is totally swell until the inevitable DB breach.

Which breach will likely be due to an Admin whoopsie of some sort.

Because the people remain the weakest link.