10 years ago "use a strong password with all these symbols"
Average person reluctantly moves from 123456 to P@55word!
8 years ago "no, passwords suck, use a passphrase"
Average person reluctantly moves from P@55word! to correct-horse-battery-staple
6 years ago "ok but you need to use different passwords on each site"
Average person reluctantly moves to different passwords per site
4 years ago "but you can be phished, you have to use 2FA"
Average person reluctantly moves to SMS
2 years ago "no in some countries it's easy to take over SMS, use TOTP"
Average person reluctantly moves to TOTP
Today "no TOTP is rubbish, you can be phished, use this hardware authenticator"
Normal people don't like new shiny ways of working every year or so. My house's front door lock is broadly the same interface as my great-grandparent's front door lock, but technologists think changing the way things work every couple of years is acceptable.
> My house's front door lock is broadly the same interface as my great-grandparent's front door lock
True, but your house's front door lock is very likely to offer quite poor security. Most house locks are vulnerable to bumping attacks that are almost trivial to pull off. The only reason this is acceptable is the threat model you're dealing with when securing a physical house is very different from securing an internet-connected computer.
Moreover, while the threats against your front door have remained marginally the same as those against your great-grandparent's door, computers and the network they are operating in change extremely frequently. All the security recommendations you're naming were quite reasonable for their time but rapidly became outdated.
If someone _really_ wants in, the windows are an even weaker point. Obvious at a glance breakage probably not even necessary... (those latches seem awfully flimsy).
A similar argument I have with my wife: She insists on only living in gated communities. I'm like, "it's just a PVC pipe that goes up and down, it's not fort knox." But for some reason that gives her peace of mind, and worth the HOA fee of $350/mo.
My God. My condo complex is responsible for all external maintenance. It has steel gates that would stop an F-150. They handle water, gas and trash pickup and it only costs $230/mo. It's in a fairly pricey area. I feel like you're getting robbed.
To be fair, there are also metal gates, probably aluminum... but they only close after 8pm. I think it's more for aesthetics really. The communities in Palm Beach County miss the mark on being bad & boujee.
Funnily enough where I live those gated communities have actually ended up being specifically targeted, because funnily enough people assume that if you can afford to live there you probably have stuff worth taking.
At a certain point the walls will be the weak point to a dedicated attacker. Time to dig a moat to scare off the backhoes!
Something I found out recently is that my lockable desk drawer can be thwarted by giving it a sharp shove to the right while pulling the drawer. It juuust about pops the metal locking rod out of the mechanism for a moment, if you're pulling on the drawer it'll just open.. Found it out when I misplaced the key, haha.
I can't really say I've tried, but probably. I 'ran through' a glass storm door once as a kid -- I was locked out in the cold by my grandpa
The safety glass in cars is especially difficult where I expect much less from that in a home.
With the obsession over insulation I suspect they're stronger than I remember, but brute force always works - if not, just use more. Maybe introduce leverage
Very few break-ins are accomplished via defeating a lock with something in the vein of a pick (bumping, pick gun, etc). Most break-ins are accomplished via a broken window/glass door.
Nobody should ever suggest you use TOTP or SMS 2fa to prevent phishing.
> 6 years ago "ok but you need to use different passwords on each site"
Really the only one that matters in practice. TOTP is basically just a workaround to get users to actually do this.
Edit: I would also add this is a corporate environment where it's reasonable to be more picky. And WebAuthn really is the best (only?) solution to phishing.
Well, if you use a compromised device temporarily and your password gets stolen and you have 2FA, it will sort of be ok once you stop using that device.
Depends how long your session cookie lasts for the site. Some high security sites are paranoid, but most of the time they last for like a year.
It also depends on how sophisticated the attacker is. Do they fake log you out so they could capture a second 2fa token in order to change the totp token to a new device and change your email?
And of course, for the most part damage can usually be done in minutes - copying confidential files does not need long term access.
For applications where it really mattered, hardware authenticators have long been established. Big companies use smart cards, and my bank has always offered the choice between the 2FA-du-jour (switching from pre-distributed TAN lists to SMS 2FA to various iterations of 2FA apps, currently push TAN) or just getting a $20 reader for my existing bank card (which has had a chip since forever in Europe).
The list you are describing could as well be seen as every service trying to implement the simplest and least disruptive technology, only to find out two years later that it was insufficient and switching to the next best thing, only for the cycle to repeat each time.
Which of course from the users perspective doesn't make a difference, but it gives a different perspective on how to solve it for the future.
The Egyptians had wooden door lock mechanisms. It took thousands of years to develop modern door locks. We went from lever tumbler locks in 1778 to the modern Yale lock in 1861 (which fundamentally still operates on similar principles to the Egyptian wooden pin lock).
I'm sure authentication technology will settle down in a decade or two.
WebAuthn is a UX improvement as well as a security improvement. I sympathize with your point, but in this case it's easily sellable as the cure to the rest of your list ... unless you somehow lose your key.
Not a UX improvement. Most users need a yubikey for the computer unless they have a new Mac. Asking my 65 year old dad to keep up with a yubikey is not just bad UX, it's failing UX. It simply will not happen.
I don't even think it's realistic to get him to use a smartphone for this, he hates the things.
WebAuthn works great for your Web 3.0 startup but as soon as you're talking about the average user, who is likely decades older than the commenters here, and far less interested in keeping up with these things, and far less patient with the hassles... asking them to carry hardware is a nonstarter for so many.
I thought Windows machines just used the TPM to store WebAuthN keys? No yubikey necessary. Just a click on some popup dialog to select your credential for login.
Windows has a service called "Windows Hello" which can work with WebAuthn (otherwise it's hardware keys). It requires your computer to have various biometric or camera technology built in, such as a fingerprint scanner. I'm sure Windows laptops are more equipped for this, but desktops obviously are not, and I'm certainly not advising folks to leave some insecure cheap imported webcam hooked up 24/7 "for security purposes".
I don't know anyone using "Hello" but I suppose it's an option. Most Windows users would likely have to use a hardware key though.
I would be wary of using this. I have been using Windows since Windows 95 and seen enough things go wrong that I wouldn't want to be locked out of my online accounts. For example, one thing I noticed is that simply updating my BIOS in Windows 11 causes havoc and everything gets signed out. A cross-platform hardware token sounds more appealing to me. I could see Hello being something to secure corporate laptops/accounts in an enterprise environment though.
> For example, one thing I noticed is that simply updating my BIOS in Windows 11 causes havoc and everything gets signed out.
That's surprising. As in, the fact that that happens is to be expected from the firmware's point of view - updating the firmware changes the measurements made to the TPM so any secrets can no longer be unlocked. But I would've expected Windows to update the expected measurements before applying the update to prevent that from happening.
The difference is that your door is exposed to the neighbourhood while computers are exposed to the whole planet. Notice how your plain old number password is still sufficient for unlocking your phone.
Ten years ago, everyone got hacked all the time. Today, basically the only way to get you hacked is to hack the actual site you're using. I'd say that's progress.
A reluctant move is still a move, and thus beneficial. But we definitely have different ideas of the “average person”. I sincerely doubt the average has moved on from P@55word, and even then only because the website they’re trying to register an account with imposes the rule. I’d be happy to be proven wrong; do we have data on it?
> Normal people don't like new shiny ways of working every year or so. My house's front door lock is broadly the same interface as my great-grandparent's front door lock, but technologists think changing the way things work every couple of years is acceptable.
Your front door doesn't have thousands of anonymous bots a day trying to brute force it.
TOTP uses a publicly known algorithm that you can implement yourself. Most people use an app, but that’s not mandatory. No special hardware is required.
> And this is why we should all adopt WebAuthn, and get rid of TOTP based 2FA.
I'd be glad to personally, but if a site supports 2FA at all, then it's most likely TOTP. And some require TOTP first and allow WebAuthn only in addition to it.
You know, I used to think the same thing. But then LastPass got hacked and it made me realize password managers have a lot of eggs in those baskets. It might be worth using two separate password managers and keeping TOTP in the second one.
This attack vector is significantly harder to pull off if a hardware authenticator will assert that the user is logging into the correct domain.
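To make the domain-binding point concrete, here is an added example (not code from this thread or from any WebAuthn library) of the relying-party checks that give a hardware authenticator its phishing resistance. In a WebAuthn assertion the browser, not the page, fills in `clientDataJSON` (with the page's `origin` and the server's `challenge`) and the authenticator signs `authenticatorData || SHA-256(clientDataJSON)`, where `authenticatorData` starts with `SHA-256(rpId)`. The functions below implement the origin, challenge, rpIdHash, user-presence and signature-counter checks on constructed sample assertions; the final public-key signature verification over those bytes is a normal ECDSA/EdDSA check and is assumed to be done by a crypto library, so it is not repeated here. RP ID, origins, challenge and the `evil.test` phishing host are made up for the example.

```python
import base64
import hashlib
import hmac
import json
import struct

RP_ID = "example.com"                                   # assumed relying party
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}
CHALLENGE = bytes(range(32))                            # constructed; real RPs use os.urandom(32)


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_assertion(origin: str, challenge: bytes, rp_id: str,
                   flags: int = 0x05, sign_count: int = 1):
    """Construct what a browser+authenticator would hand back for a navigator.credentials.get()
    call from `origin` (flags 0x05 = user present + user verified). Sample data, not a real device."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url_encode(challenge),
                              "origin": origin}, separators=(",", ":")).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    return client_data, auth_data


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes, last_sign_count: int,
                             rp_id: str = RP_ID, allowed_origins=ALLOWED_ORIGINS) -> dict:
    """Relying-party checks from the WebAuthn 'verifying an assertion' procedure, minus the
    signature itself (which must be verified over authenticator_data + sha256(client_data_json)
    with the credential's stored public key before the login is accepted)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        raise ValueError("challenge mismatch: replayed or unsolicited assertion")
    if cd.get("origin") not in allowed_origins:
        # This is the phishing check: a page on evil.test gets origin "https://...evil.test"
        # written in by the browser and cannot change it.
        raise ValueError(f"origin {cd.get('origin')!r} is not this relying party")
    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(rp_id.encode()).digest()):
        # The browser only lets a page use an rpId within its own registrable domain,
        # so a lookalike domain can never produce this hash for example.com.
        raise ValueError("rpIdHash does not match our RP ID")
    if not flags & 0x01:
        raise ValueError("user presence (UP) flag not set")
    if sign_count != 0 and sign_count <= last_sign_count:
        raise ValueError("signature counter did not increase: possible cloned authenticator")
    return {"origin": cd["origin"], "user_verified": bool(flags & 0x04), "sign_count": sign_count}


def accepts(client_data_json: bytes, authenticator_data: bytes,
            expected_challenge: bytes, last_sign_count: int) -> bool:
    """True if the binding checks pass, False (with the reason printed) otherwise."""
    try:
        verify_assertion_binding(client_data_json, authenticator_data, expected_challenge, last_sign_count)
        return True
    except ValueError as e:
        print("rejected:", e)
        return False


if __name__ == "__main__":
    print(accepts(*make_assertion("https://example.com", CHALLENGE, "example.com"), CHALLENGE, 0))
    # A relaying phishing site at example-com.evil.test: browser writes its real origin and rpId.
    print(accepts(*make_assertion("https://example-com.evil.test", CHALLENGE, "example-com.evil.test"), CHALLENGE, 0))
```

Compare this with TOTP, where the six digits carry no information about where they were typed: the only thing the phisher has to get right is timing. Here the origin and rpId are supplied by the browser from the actual page, so the relay would have to be running on the genuine domain to pass.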