← Back to context

Comment by dheera

2 days ago

Frequent reauth only makes people figure out hacks to work around it.

Passwords get written down, passwords end up in Google Docs, Arduinos with servos get attached to Yubikeys, SMS gets forwarded to e-mail, TOTP codes get sent over Wechat, the whole works

5 comments

dheera

Reply
catlifeonmars  2 days ago

> SMS gets forwarded to email

This hop is actually more secure than receiving an SMS natively. Your mobile network provider can already read all of your SMS and there are tons of exploits for modifying the receiver of SMS in the wild. SMS is a terrible way to send information securely.

zer00eyz  2 days ago

Because much of what passes as "security" is a bunch of theater.

> SMS gets forwarded to e-mail, TOTP codes get sent over Wechat,

Here we are deep into 2FA land. Where you have institutions blocking SMS/MMS to IP telephony because they want to capture real people (and this locks out rural customers). Using your cell phone was never a suitable 2nd factor and now it is evolving into a check to make sure you're not a robot/script.

Passkeys are adding another layer to this... The police department getting a court order and forcing you to unlock your phone and then everything else is coming. Or here if you live in some place with fewer laws.

  • jesseendahl  18 hours ago

    Whether or not you can be compelled to unlock your phone doesn't really have anything to do with passkeys. If you can be compelled to unlock your phone, then whatever you have on your phone (including the stuff in your password manager/credential manager) is potentially up for grabs. In this threat modeling scenario there's nothing unique about a passkey vs. a password.

    And if you're against using credential managers at all, because you only want to have the password stored in your brain and nowhere else.... then that creates different problems, namely it dramatically increases the odds that you will use the same password across multiple services, which is bad because then attackers can steal your password from one service and use it to login to a bunch of other services.

  • yawaramin  1 day ago

    > The police department getting a court order and forcing you to unlock your phone

    If you live under a tyrannical regime, neither passkeys nor passwords will help you. The police state will find a way to do what they want with you.