1. 10
  1.  

    1. 5

      I agree with this, except for the end.

      Everyone hates two-factor authentication, but coming from someone who has first-hand experience in security for higher education, I’ve seen even SMS-style 2FA almost completely stop all compromised accounts.

      I’m sure there’s a better way to do it, but I’m not sure what the better way is. I’m not sure passkeys are the answer, but that’s the one everyone embraced; I feel like it’s going to be a nightmare to deal with when it’s time to recover an account, though, and I’ve yet to try using it.

      1. 9

        In my experience, if you have user support, passkeys are pretty much a non-starter.

        The big problem with passkeys from a user support perspective is, nobody understands it and nobody has any good tooling around debugging it. I’ve put passkeys in the hands of our IT department as users and it’s been a complete disaster to debug and troubleshoot when things go wrong. And lots of things go wrong.

        If you have user support, you can’t use passkeys (last I tried, about a year ago). Pretty much all the big tech companies pushing passkeys hard basically don’t have any user support, which makes it a lot easier to deploy passkeys.

        The best I could do is make passkeys completely optional and when users get outside of the happy path, just delete all their passkeys and let them try to set it up again after rebooting their computer. i.e. you don’t actually fix anything, you just hope whatever problem happened won’t happen a second time around.

        We never got out of beta and have no current plans to ever try and actually deploy it. Maybe in another 5 years passkeys won’t be such a mess and we can actually try deploying them again. But maybe by then we will be on to try #4 at getting public/private keypairs across web infrastructure.

        We currently use TOTP, and while it’s hard to implement, at least it’s doable. 95% of the problems with TOTP are clock sync issues. We have special code at setup time that verifies their clock and shows them how to go about turning on time sync for their devices. It’s amazing how many users have bad time sync, even with Android and iOS devices having NTP turned on by default for years now. Even our tech support people have issues understanding and troubleshooting TOTP, because there are generally at least 3 devices involved (user machine, user phone and the server), and that’s very complicated to reason about.

        With current passkey implementations, there are generally at least 4 things involved: the user’s computer, their phone, the network/Bluetooth between the two user devices, and the server and its network. It’s a recipe for disasters and things to go wrong.

        1. 3

          Recovering an account with a passkey is the exact same scenario as recovering an account with a 2fa that got lost.

          1. 5

            That’s the lazy way, and I agree it’s the only way I ever had any chance of getting passkeys to deploy when I tried about a year ago. You couldn’t troubleshoot and debug passkeys well at all last I tried. There are a lot of magic dances that have to happen just right, and the browsers and OSes just say “ERROR” and give up if anything goes wrong.

            With current passkey implementations, there are generally at least 4 things involved: the user’s computer, their phone, the network/Bluetooth between the two user devices, and the server and its network. It’s a recipe for disasters and things to go wrong.

            Maybe in another 5 years passkeys won’t be such a mess and we can actually try deploying them again. But maybe by then we will be on to try #4 at getting public/private keypairs across web infrastructure.

          2. 1

            I feel like it’s going to be a nightmare to deal with when it’s time to recover an account though

            Magic link should do the trick.

          3. 3

            I do have to agree with the UX experience on all these things. For Microsoft, I have to worry about the wonderful two-digit code and a thumbprint; for my Amazon, I have to worry about pressing the UB key and ignoring all the things that tell me to use my computer; and I won’t even talk about the stupid email or SMS things, which are horribly insecure. Oh well.

            1. 1

              What’s insecure about email and magic links?

            2. 1

              I have Outlook on my iPhone, which I have to use for university. Whenever I log into the university website - to request a book from the library, for example, or to submit some coursework - I have to enter a two-digit code into Outlook on my phone. The university seems to use Microsoft for all their auth these days.

              The interesting thing is that sometimes I have to do this in order to log into Outlook on my phone too. The two-digit code will flash up very briefly before the 2FA dialog appears on top of it. As long as I pay attention and remember the code, I can now authenticate myself. How Outlook on my phone can act as a 2FA authenticator for logging into Outlook on my phone is beyond me… but I’m sure Microsoft know what they are doing.
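The TOTP comment above (clock sync as the main failure mode, a setup-time clock check, and the three clocks involved) describes a concrete mechanism, so here is an added worked example of what a server-side TOTP implementation along those lines looks like. This is not code from any commenter or from any product they mention. It implements RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), accepts codes within a small skew window, refuses to accept a code for a counter that has already been used (so a captured code cannot be replayed inside the window), and includes an enrollment-time check that compares a client-reported clock with the server’s. The secret and timestamps are the RFC 6238 test vectors; how the client reports its time (for example, JavaScript on the enrollment page posting `Date.now()`) is an assumption, not something the thread specifies.

```python
"""RFC 6238 TOTP with a skew window, replay protection and an enrollment-time
clock check. Added example: the secret and times below are the RFC 6238 test
vectors, and the 'client-reported time' in the clock check is a constructed
input (how the client reports it is assumed, not taken from the thread)."""
import hashlib
import hmac
import struct

STEP = 30    # time step in seconds (RFC 6238 default)
DIGITS = 6   # code length most authenticator apps use


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side verifier for one enrolled secret.

    Accepts codes within +/- `window` steps of the server clock (tolerating a
    device clock that is up to window*step seconds off) and never accepts a
    counter at or below the last one that succeeded, which blocks replay of a
    code that was observed during its validity window."""

    def __init__(self, secret: bytes, step: int = STEP, digits: int = DIGITS, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # in production this is persisted per user

    def verify(self, code: str, server_time: int):
        """Return the step offset that matched (0 = on time, -1 = the device
        clock is one step behind, +1 = one step ahead) or None on failure."""
        base = int(server_time) // self.step
        for offset in range(-self.window, self.window + 1):
            counter = base + offset
            if counter <= self.last_counter:
                continue  # already consumed (replay) or older than a used code
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return offset
        return None


def enrollment_clock_check(client_time: int, server_time: int,
                           step: int = STEP, window: int = 1):
    """Setup-time clock check. Returns (skew_seconds, ok). `ok` is False when
    the reported device clock is off by at least the skew the verifier will
    tolerate, which is when the user should be told to turn on time sync."""
    skew = int(client_time) - int(server_time)
    return skew, abs(skew) < step * window


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 Appendix B test secret
    v = TotpVerifier(secret)
    print("code at t=59:", totp(secret, 59))                 # 287082 per RFC 6238
    print("on-time verify:", v.verify(totp(secret, 59), 59))  # 0
    print("replay:", v.verify(totp(secret, 59), 59))          # None
    print("clock check:", enrollment_clock_check(1120, 1000))  # (120, False)
```

The offset returned by `verify` is worth logging: a user whose codes consistently match at offset -1 or +1 has a drifting phone clock, and that is exactly the population the setup-time check is meant to catch before they hit the window edge and get locked out.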