It is genuinely baffling how much discussion of passkeys omits the extremely basic question of WHAT HAPPENS IF YOU LOSE YOUR PHONE https://www.theverge.com/2023/5/3/23709318/google-accounts-passkey-support-password-2fa-fido-security-phishing
Even Google's own documentation just completely punts on the question.
"I lost my device."
"No problem! Just sign into your device."
Like, I'm a nerd, I get it, the idea is you use your computer or whatever to deauthorize the lost phone and set up a new one.
But, A) Some people's only device is a phone B) It's not impossible for all your devices to get lost/stolen at once C) The whole concept is strange and new and needs to be explained in the clearest possible terms and not just, like, "You hate passwords so get rid of them! It'll be great!"
Here's Google's big passkey announcement post, where they also completely fail to explain what happens if you lose your phone - https://blog.google/technology/safety-security/the-beginning-of-the-end-of-the-password/
I'm almost certainly writing about this in next week's newsletter btw. If I do it won't be paywalled. Free sign-up form's at the bottom! https://advisorator.com/members/2023/05/02/5-2-2023-try-these-email-apps-2/
So after this thread last week, I spent some time playing with passwordless login systems and ... it's not great.
As promised, no paywall on this column: https://advisorator.com/members/2023/05/09/5-9-2023-the-passwordless-mess-2/
@Newmy I got the email today and ended up way more confused after reading it
I guess in this brave new world, your phone is more you than your flesh and blood body is.
@alienghic Hah. Why trust your brain when you can trust your thumb instead?
@Newmy one question - if the service supports multiple, why not have an individual key for each device you have?
@theomegabit I guess it's possible but I've got that password manager mentality where everything's stored in one place, that way I know I've got all my logins when I'm syncing to a new device.
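The per-device-credential setup @theomegabit proposes, together with the "sign in from another device and deauthorize the lost phone" flow described earlier in the thread, as an added Python sketch. This is illustrative code written for this page, not code from Google, Apple, 1Password or anyone in the thread. The class and method names, the HMAC-based proof (a symmetric stand-in for the FIDO public-key signature so the example runs on the standard library alone) and the one-time recovery-code fallback are all assumptions of the example. It walks through two users: one with a laptop as a second device, and one whose only passkey lives on the phone they just lost.

```python
"""Toy relying party: several passkeys per account, revocation, and recovery.

Added example, not vendor code. Assumption: the HMAC proof below stands in for
the FIDO signature over a server challenge; a real relying party stores only
the credential's public key, never a shared secret.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Authenticator:
    """Stand-in for one device-bound passkey (one credential per device)."""
    device_name: str
    credential_id: bytes
    secret: bytes  # stays on the device in real FIDO; shared here only as a stand-in

    @classmethod
    def new(cls, device_name):
        return cls(device_name, secrets.token_bytes(16), secrets.token_bytes(32))

    def prove(self, challenge):
        # Real authenticator: signature over (challenge, rpId, counter, ...).
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


class Account:
    """Relying-party view of a user: a credential registry plus recovery codes."""

    def __init__(self, username):
        self.username = username
        self.credentials = {}        # credential_id -> (device_name, verifier material)
        self.recovery_codes = set()  # sha256 of each unused one-time code

    def register(self, auth):
        # Assumption: verifier material is the HMAC key; real RPs store a public key.
        self.credentials[auth.credential_id] = (auth.device_name, auth.secret)

    def revoke_device(self, device_name):
        """The 'deauthorize the lost phone from your laptop' step."""
        gone = [cid for cid, (name, _) in self.credentials.items() if name == device_name]
        for cid in gone:
            del self.credentials[cid]
        return len(gone)

    def issue_recovery_codes(self, n=5):
        codes = [secrets.token_hex(5) for _ in range(n)]
        self.recovery_codes = {hashlib.sha256(c.encode()).digest() for c in codes}
        return codes  # shown to the user once; only hashes are kept server-side

    def new_challenge(self):
        return secrets.token_bytes(32)

    def authenticate(self, credential_id, challenge, proof):
        entry = self.credentials.get(credential_id)
        if entry is None:
            return False  # unknown or revoked credential
        expected = hmac.new(entry[1], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)

    def recover_with_code(self, code, new_auth):
        """Break-glass path when every passkey device is gone: burn the code,
        drop all old credentials (they are on lost hardware), enrol the new one."""
        digest = hashlib.sha256(code.encode()).digest()
        if digest not in self.recovery_codes:
            return False
        self.recovery_codes.discard(digest)
        self.credentials.clear()
        self.register(new_auth)
        return True

    def ways_in(self):
        """What the user still has after a loss: the question the thread asks."""
        return {"devices": sorted(n for n, _ in self.credentials.values()),
                "recovery_codes_left": len(self.recovery_codes)}


def lost_phone_scenarios():
    """Constructed sample data: alice has two devices, bob has only a phone."""
    alice = Account("alice")
    a_phone, a_laptop = Authenticator.new("phone"), Authenticator.new("laptop")
    alice.register(a_phone)
    alice.register(a_laptop)
    alice.revoke_device("phone")            # done from the laptop after the loss
    chal = alice.new_challenge()
    stolen_phone_ok = alice.authenticate(a_phone.credential_id, chal, a_phone.prove(chal))
    laptop_ok = alice.authenticate(a_laptop.credential_id, chal, a_laptop.prove(chal))

    bob = Account("bob")
    b_phone = Authenticator.new("phone")
    bob.register(b_phone)
    codes = bob.issue_recovery_codes()      # must happen BEFORE the phone is lost
    # Phone lost: bob has no device left to sign in from, so no way to revoke it.
    b_new = Authenticator.new("new-phone")
    recovered = bob.recover_with_code(codes[0], b_new)
    chal = bob.new_challenge()
    old_phone_after = bob.authenticate(b_phone.credential_id, chal, b_phone.prove(chal))
    new_phone_after = bob.authenticate(b_new.credential_id, chal, b_new.prove(chal))
    reuse_blocked = not bob.recover_with_code(codes[0], Authenticator.new("other"))
    return {"stolen_phone_ok": stolen_phone_ok, "laptop_ok": laptop_ok,
            "recovered": recovered, "old_phone_after_recovery": old_phone_after,
            "new_phone_after_recovery": new_phone_after,
            "reuse_blocked": reuse_blocked, "bob_ways_in": bob.ways_in()}


if __name__ == "__main__":
    print(lost_phone_scenarios())
```

The point of bob's half is the failure mode: without `issue_recovery_codes()` having run while he still held a working device, `recover_with_code` has nothing to accept and the account is simply gone. Any enrolment flow that skips that step is relying on the user never losing their only device.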
@Newmy I'll stay with my 1Password before moving to zero passwords then
@yury_mol 1Password is working on passwordless too, but unclear how well it'll work on mobile without the OS-level support that Google and Apple enjoy.
@Newmy Yes, but in day-to-day experience, it's already pretty close. Passwordless will be great one day, especially for regular people.
@Newmy Right?! I work with digitally divided people at a public library. You know how some people have food insecurity? There is a LOT of device insecurity in rural Vermont. I cannot imagine a lot of the folks I work with--the ones who save the six digit codes they get texted for 2FA because they think they need to know them now--being able to handle this at all. I get that people want to mitigate risk, I think they should care more about people being locked out of their stuff.
@jessamyn I don't even think passwordless is necessarily a bad thing, but the lack of clear documentation along the lines of "Here's what your backup plan should be if you lose your phone" is utterly confounding.
@Newmy Agree, or it's a thing you can use if you feel you need or want more security. I mean I even know people who have gotten locked out of Google's universe with its existing 2FA structure. Not enough research into failure modes, not enough caring about vulnerable people, not enough knowledge of the actual way actual people access and use their tech outside of the rarefied air of big cities with ubiquitous cell signal and wifi options. And this data is out there!
@Newmy I saw the enthusiasm from a few people here yesterday as well. I think this Ars article sums it up nicely.
"Switching is probably a terrible idea right now, but you've got to start somewhere. "