Google's "passkey" effort
https://twitter.com/laurenweinstein/status/1581325271810027523

I have long advocated for FIDO U2F security keys as the preferred
multiple factor authentication model, and have suggested explicitly
that "passwords must die". So it's natural that I'm being asked about
the @google "passkey" initiative.

There are multiple aspects to this. An obvious one is how rapidly
sites will implement this method. Given the glacial speed with which
many financial institutions have implemented crude 2-factor like text
messaging and have delayed U2F key implementations, I am not
optimistic.

Of even more concern is the sense that the methodology of passkeys
will appeal mainly to the tech-savvy, and will be understandably
resisted by many everyday users, who will find the model overly
complex and difficult to trust for that reason.

This presents a familiar dilemma: persons who already are careful with
their authentication security will benefit but the users most in need
of improved security and who are most vulnerable largely will not --
especially if they don't use multiple devices and 24/7 smartphones.

The upshot isn't that passkeys won't have a place -- they will -- but
that I suspect they will not be accepted by a significant proportion
of sites and users, keeping in mind that many people even refuse to
use ordinary autofill, especially for passwords or payment methods.

I have pointed out this problem with @google outreach to users many
times over the years, and again, while there have been some
improvements, many users are still being left behind, and that's very
unfortunate indeed.

L
- - -
Request invite to my private discussion forum: [email protected]
--Lauren--
Lauren Weinstein ([email protected]): https://www.vortex.com/lauren
Lauren's Blog: https://lauren.vortex.com
Founder: Network Neutrality Squad: https://www.nnsquad.org
PRIVACY Forum: https://www.vortex.com/privacy-info
Co-Founder: People For Internet Responsibility
Twitter: https://twitter.com/laurenweinstein
Tel: +1 (818) 225-2800