ティージェーグレェ on Nostr: Re: "it’s a problem that websites that have adopted passkeys aren’t using them to ...
Re: "it’s a problem that websites that have adopted passkeys aren’t using them to replace passwords and one-time codes."
I'm not sure that's a problem.
I think a problem is when HUGE NAMES (e.g. Micro$oft-owned GitHub) use incorrect terminology, telling me that I must enable 2FA (Two-Factor Authentication) when I am already using at least 4 factors (more often at least 5) and they have even more factors of authentication to choose from, including passkeys.
At a minimum they should be correcting their terminology to MFA (Multi-Factor Authentication), but adding more factors when I am already at a level of having factor fatigue is not a security win, it's security theater.
Moreover, since I was previously IT Admin for iSEC Partners, I want to scream at the morons who drafted that email.
Instead, I toned down some of my language and filed a bug:
https://github.com/orgs/community/discussions/147069
It's been two weeks without a response.
So the Ars article harping on passkeys and confusion is the least of my worries, personally.
I'm old enough to remember when "two factor authentication" was called "paranoid mode" and I've implemented client certificate authentication at past employers.
And y'know what?
I'm beyond burnt out at trying to get folks to adopt a stronger security stance, and when people getting paid more than I have are misusing terminology and mandating "changes" when I'm already using many factors of authentication, I mostly wonder:
Who do they think they are improving security for? It isn't me; it just makes me wish that everyone would migrate their code out of GitHub already.
I don't care about the passkey issue. I know you do because you worked on some implementations of such things, but you may be too close to the fire to see how others who sympathize with wanting people to not get hurt are being burnt by even bigger morons fanning the wrong flames in our field.