
It's not just you.

Usernames and passwords are easy, if insecure. Type username, type password, done. Get admin to reset password if you forget. Put in password manager if one account is used by a team.

Security keys are hard. Needing a physical key around every time you have to log into something is annoying. Backups are hard, because off-site backups can't be done over the Internet. Self-service hardware tokens for services with infamously bad customer service are highly risky. Resetting an account if a key is lost or locked requires physically transferring hardware, which can be hard if someone is traveling, or can cause days of downtime. Team access is basically impossible if an account is secured with a physical key.

Authenticators are fine, except if you lose a couple of smartphones too close together, or you need a team to access one account. Password managers that let you securely store the QR code, or actually generate the key put the MFA in the same place as the rest of the credentials, which is not ideal but increasingly necessary for the same reason password managers came into existence in the first place.

Windows Hello and FaceID are actually pretty good, although fingerprint-based biometrics can be a little hit and miss. Not that a decent proportion of Windows users have Hello-compatible hardware. Interestingly, two TV shows in just the last few months (The Peripheral and, believe it or not, Mayfair Witches) have had a moment where a phone belonging to a dead or unconscious person was unlocked by showing it their face, so the shortcomings are entering public knowledge.

We can "all" agree that passwords are "bad", but we cannot agree on what to replace them with, mostly because the level of computer literacy for most solutions is much higher than just typing in a username and password. I can bang out the stuff above because, as an IT professional, I've experimented with KeePass, Windows Hello and Yubikeys in the last six months, buying my own hardware, to try to find some level of opsec that could be used by our customers. All I've done is highlight the lack of commitment to IT in general and training of all kinds in basically all of our customers.



FIDO passkeys are supposed to deal with the friction and provisioning issues you highlight with current FIDO keys in consumer applications. In enterprise, the status quo is a little more acceptable because generally you have one or a pair of physical keys provisioned to your profile in an IdP that you use across all your apps, and you have a known support structure if your key and backup get lost or fail.

In the consumer realm one has to deal with a gajillion different identity authorities, so replacing keys or doing recovery because you lost one is a giant pain in the ass. Supposedly passkeys are targeted at that problem.

https://fidoalliance.org/passkeys/


> Authenticators are fine, except if you lose a couple of smartphones too close together, or you need a team to access one account.

When you enable TOTP with a service, you can extract the TOTP secret and do all of the above with it -- backup to storage, copy to new devices, distribute to multiple people, etc.


If the service offers something other than a QR code that you did something with other than just adding into a one-way Authenticator, sure.

I have a couple of TOTPs trapped on crappy apps because I didn't care at the time and can't easily refresh them. However, now I use apps that parse the QR code and store the config in an exportable way.

As we change every damn password in our company LP account, moving it to Bitwarden at the same time, we will implement TOTP MFA wherever we can. If you screenshot the QR code and load it into the account with the app, all the team with access can use it. It's our next best step. (Once the boss gets the new account sorted.)
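An added worked example (not code from anyone in this thread) of what the two comments above describe: the QR code a service shows at TOTP enrollment is just an otpauth://totp/ URI (the Google Authenticator key URI format), so once you have that text you can decode the shared secret, generate codes yourself, and re-serialise the config to back it up, load it on a second device, or drop it into a shared vault. Assumptions: the sample URI and its secret are constructed for illustration (the secret is the RFC 6238 reference key "12345678901234567890" in base32, not a real account), and the function names are this example's own.

```python
"""TOTP secret extraction and portable export (added example, not from the thread).

Parses an otpauth://totp/ URI (the text behind an enrollment QR code), computes
RFC 6238 codes from it, verifies a submitted code with clock-skew tolerance, and
re-serialises the config so the same secret can be backed up or shared.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse


def parse_otpauth(uri):
    """Decode otpauth://totp/<label>?secret=...&issuer=... into its parameters."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("URI has no secret parameter")
    # Secrets are base32; some issuers omit the '=' padding or insert spaces.
    b32 = q["secret"].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer"),
        "secret": base64.b32decode(b32),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


def to_otpauth(params):
    """Inverse of parse_otpauth: the exportable form of a stored TOTP config."""
    query = {
        "secret": base64.b32encode(params["secret"]).decode().rstrip("="),
        "digits": params["digits"],
        "period": params["period"],
        "algorithm": params["algorithm"],
    }
    if params.get("issuer"):
        query["issuer"] = params["issuer"]
    return "otpauth://totp/%s?%s" % (quote(params["label"], safe=":@"), urlencode(query))


def totp(secret, timestamp, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HMAC over the current time-step counter, dynamically truncated."""
    counter = int(timestamp) // period
    mac = hmac.new(secret, struct.pack(">Q", counter),
                   getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def code_from_uri(uri, timestamp=None):
    """Convenience: current (or given-time) code straight from the enrollment URI."""
    p = parse_otpauth(uri)
    ts = int(time.time()) if timestamp is None else timestamp
    return totp(p["secret"], ts, p["digits"], p["period"], p["algorithm"])


def verify(secret, code, timestamp, digits=6, period=30, algorithm="SHA1", window=1):
    """Verifier side: accept +/- `window` steps of clock skew, constant-time compare."""
    for step in range(-window, window + 1):
        expected = totp(secret, timestamp + step * period, digits, period, algorithm)
        if hmac.compare_digest(expected, code):
            return True
    return False


# Constructed sample: the RFC 6238 reference secret "12345678901234567890" in
# base32, wrapped in the kind of URI an enrollment QR code carries. Not a real account.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")

if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print("label:", p["label"], "issuer:", p["issuer"])
    print("code at t=59:", totp(p["secret"], 59))  # RFC 6238 vector: 287082
    print("exportable form:", to_otpauth(p))
    print("current code:", code_from_uri(SAMPLE_URI))
```

The only thing that makes this "two-way" is keeping the otpauth text (or the secret bytes) rather than letting a one-way authenticator app swallow it; whoever holds the exported URI holds the second factor, which is exactly why putting it next to the password in the same vault is a trade-off and not free.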


> other than just adding into a one-way Authenticator, sure.

Two-way for tech-savvy: https://news.ycombinator.com/item?id=34441697#34444676


With all the confusion though, at least we're fortunate there aren't too many long lived "fake" secure systems out there. The IT community seems to love to expose flaws and scams very publicly, very fast. All in all I think we've made good progress in the last decade. Things can always be easier, but to some point it does become the burden of the user to understand security.


> Interestingly, two TV shows in just the last few months (The Peripheral and, believe it or not, Mayfair Witches) have had a moment where a phone belonging to a dead or unconscious person was unlocked by showing it their face, so the shortcomings are entering public knowledge.

You cannot do that with a FaceID device, unless the security has been downgraded. It will check for eye activity.


Yes, you can, if the device's owner is wearing glasses.


Wrong. There is a setting called "Require Attention for FaceID" that is on by default. If the user is wearing sunglasses, sometimes FaceID fails and so that might be a reason why you would turn this off. It works fine with clear glasses.


Do you have any references for that?

I wear glasses and it still checks for activity in my face.



