Why Consumer Authentication Is Broken
3 points by p0seidon 10 months ago | 10 comments
- fuzzfactor 10 months ago
As long as there is any need for authentication, the upside from consumers will be drastically limited no matter what you do.
That's one big elephant in the room that a strong sense of "broken" comes from.
- p0seidon 10 months ago
I think passkeys will bring us automatic authentication, where you can establish an automatic login with consent across all operating systems. The operating system would silently log you in the background. Do you think this could lead to privacy discussions, even if it adds security?
- fuzzfactor 10 months ago
>this could lead to privacy discussions, even if it adds security
These discussions have a lot of catching up to do.
I'm no expert, but I think privacy needs to be the highest priority. The purpose of security measures should be first to preserve privacy, as they work to mitigate other threats if possible.
I just don't think I would be a happy camper with a single point of failure for both identity and security.
Really have no use whatsoever for a Microsoft account or anything like that.
- p0seidon 10 months ago
It could be combined; there are solutions to that.
- crystalshorror 10 months ago
"As long as there is any need for authentication, the upside from consumers will be drastically limited no matter what you do."
What do you mean by this?
- p0seidon 10 months ago
I guess from a tech perspective, we can now create solid connections between clouds and consumer accounts without the need for social logins (device/cloud -> websites). We will be flying to Mars and have self-driving cars, yet we still have to juggle passwords and password managers.
- fuzzfactor 10 months ago
>What do you mean by this?
By default in a free country there will always be loads of consumers who have no interest in authenticated activity.
Authentication of all types in every facet of life may not be completely avoidable, but more people are aware of the fruitless friction often involved, plus risk of divulging anything uniquely identifiable for mere consumer acquisitions.
As malicious threats continue to increase exponentially, especially online, you can expect more consumers to withdraw from previously-accepted remote identification schemes altogether, rather than escalate their own personal "identity crisis" at the rate needed to meet the challenge.
>we can now create solid connections between clouds and consumer accounts without the need for social logins
Some casual websites can be more sure than ever who is visiting and whether or not they are a qualified consumer. While at the same time consumers must endure more challenges to access the website, and increasing risk for the disclosure of their information, and are becoming less sure that any website can be trusted at all.
So the anti-privacy enthusiasts have gotten as far as this will take them (at present levels of consumer friction). As mentioned above, I expect downward pressure from here.
If anti-privacy is to continue flourishing, they're going to need a whole new level of intrusion from this point.