In the context of the passwordless desideratum that might be achieved by the generalization of solutions based on standards aimed at improving authentication security by moving away from passwords and towards biometric or cryptographic credentials, I wanted to express my “Ludditus says no!” opinion. To make it clear, this is about WebAuthn (Web Authentication), which uses public-key cryptography, and in which users can authenticate by using an external security key or built-in hardware like fingerprint sensors or facial recognition on their devices; it’s also about FIDO2 by the FIDO (Fast Identity Online) Alliance, which uses the WebAuthn API and the Client to Authenticator Protocol (CTAP).

■ The ratiocination coming from the Luddite that I am:

  1. Passwords are somewhat insecure and increasingly so, given the computational power of today that makes brute-force attacks more likely to succeed. OUCH! 😟
  2. But this can be mitigated in various ways, such as 2FA and logins that add a delay between attempts and block any attempt for a long time after a number of consecutive failures. COOL! 😀
  3. Well, 2FA can sometimes be insecure too, e.g. when an SMS can be intercepted. OOPS! 😲
  4. But you can have e.g. YubiKeys! COOL! 😀
  5. Which means you’ll pay for a monopolistic manufacturer and make them rich. Also, I find it inconvenient and reminiscent of the dongle times. OUCH! 😟
  6. OK, say you rely on passwords. Given that nowadays a typical individual would need to have dozens, if not hundreds, of passwords, they are hard to remember, and storing them in a paper notepad or in a text file is insecure. OOPS! 😲
  7. But we have password managers, some of which are free! COOL! 😀
  8. Well, the best password managers are not free, which means “yet another civilization tax” and “let’s make some other companies rich”! OOPS! 😲
  9. Even worse, a password manager is a single point of failure! OUCH! 😟
  10. I also find them inconvenient. OUCH! 😟
  11. Hey, but you can live passwordless by using WebAuthn/FIDO2 keys! COOL! 😀
  12. Well, I also find this inconvenient. OUCH! 😟
  13. But when the passkey is stored by a device and all you have to do is to enter your PIN, fingerprint, or to use face recognition, this also creates a single point of failure, especially when you’re stupid enough to use Face ID! OOPS! 😲
  14. And, should you want to use password managers able to store keys, not only passwords, you’ll have to pay. The costs of living in a “modern” and “civilized” world. OOPS! 😲

Ludditus dixit: When “they” try too hard, all “they” can do is increase complexity and incur higher costs and inconvenience.

I’m against such solutions. They are secure, they can simplify life, but they also complicate it. And they add costs. I don’t use any password manager and I never will. Not in my lifetime. As for the passwordless logins with biometric shit, I’ll also have to die first.

■ Make no mistake: I don’t reject the use of SSH keys instead of passwords! On the contrary, this is the right way to use SSH! Public-key cryptography is da shit, although it has its limitations. A Zero Trust world needs to go beyond the dumb use of passwords in the enterprise world, and this is why there are advanced commercial Zero Trust Suites that can even eliminate SSH keys, and various Privileged Access Management solutions deemed to be “quantum-safe” (duh). What a stupid cliché! Quantum computers are a hoax and pretty much useless. GPUs are not. I see a problem, though, when people use good technologies to implement stupid ideas, then force them on the public.

■ A few links about password managers being single points of failure (despite most of them saying that “until we have a better solution, in most cases, the benefits with password managers far outweigh the risks”):

■ A few links on the passwordless technologies:

From the piece on Medium, let me show you how simple it is:

[Figure: The passkey registration ceremony]
[Figure: The passkey authentication ceremony]
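What the two ceremonies in those diagrams boil down to, as an added example that is not from the Medium piece, from WIRED, or from any FIDO library (the relying-party id example.com, the look-alike examp1e.com and the stripped-down byte layout are my own assumptions): at registration the device mints a key pair scoped to the site and keeps the private half, while the site stores only the public half; at login the device signs a fresh challenge bound to the site's id and origin, and the site verifies that signature with the public key it kept. Go, standard library only:

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Assertion is what the device returns at login (toy model: no CBOR, COSE or attestation).
type Assertion struct {
	CredID     string
	AuthData   []byte // sha256(rpID) || flags byte
	ClientHash []byte // sha256(challenge || origin), stands in for hash(clientDataJSON)
	Sig        []byte // DER ECDSA signature over sha256(AuthData || ClientHash)
}

// RelyingParty is the website: it holds public keys only, nothing secret.
type RelyingParty struct {
	ID, Origin string                      // assumed sample values: "example.com", "https://example.com"
	Pubs       map[string]*ecdsa.PublicKey // credential id -> public key, filled at registration
}

// Authenticator is the phone, laptop or security key: private keys never leave it.
type Authenticator struct {
	keys  map[string]*ecdsa.PrivateKey // credential id -> private key
	scope map[string]string            // credential id -> rpID the key was minted for
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, Pubs: map[string]*ecdsa.PublicKey{}}
}

// Challenge is the fresh random nonce the site issues per ceremony and forgets once used.
func Challenge() []byte {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func clientHash(challenge []byte, origin string) []byte {
	h := sha256.Sum256(append(append([]byte{}, challenge...), origin...))
	return h[:]
}

// Registration ceremony, device side: mint a P-256 key pair scoped to rpID; only the credential id and public key go to the site (rp.Pubs[id]).
func (a *Authenticator) Register(rpID string) (string, *ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	if a.keys == nil {
		a.keys, a.scope = map[string]*ecdsa.PrivateKey{}, map[string]string{}
	}
	id := hex.EncodeToString(Challenge()[:16])
	a.keys[id], a.scope[id] = key, rpID
	return id, &key.PublicKey, nil
}

// Authentication ceremony, device side: sign the RP id hash plus the client data hash.
// A key scoped to one RP is never used for another, so a look-alike domain gets nothing.
func (a *Authenticator) Authenticate(id, rpID string, challenge []byte, origin string) (*Assertion, error) {
	key, ok := a.keys[id]
	if !ok || a.scope[id] != rpID {
		return nil, errors.New("no credential for this relying party")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // flag bit 0 = user present (PIN, fingerprint, face)
	ch := clientHash(challenge, origin)
	d := sha256.Sum256(append(append([]byte{}, authData...), ch...))
	sig, err := ecdsa.SignASN1(rand.Reader, key, d[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{CredID: id, AuthData: authData, ClientHash: ch, Sig: sig}, nil
}

// Authentication ceremony, site side: rebuild everything from values the site controls (its own id, the challenge it issued, the origin the browser reported) and verify.
func (rp *RelyingParty) Verify(as *Assertion, challenge []byte, origin string) error {
	pub, ok := rp.Pubs[as.CredID]
	rpHash := sha256.Sum256([]byte(rp.ID))
	if !ok || origin != rp.Origin || len(as.AuthData) != 33 || !bytes.Equal(as.AuthData[:32], rpHash[:]) || as.AuthData[32]&0x01 == 0 {
		return errors.New("unknown credential, wrong origin, wrong RP, or no user presence")
	}
	if !bytes.Equal(as.ClientHash, clientHash(challenge, origin)) {
		return errors.New("challenge or origin mismatch: stale, replayed or relayed assertion")
	}
	d := sha256.Sum256(append(append([]byte{}, as.AuthData...), as.ClientHash...))
	if !ecdsa.VerifyASN1(pub, d[:], as.Sig) {
		return errors.New("bad signature")
	}
	return nil
}
```

Register once, then for every login call Challenge(), hand it to Authenticate, and pass the same challenge to Verify. Replay is stopped by the challenge being fresh and single-use, not by anything in the signature itself; the signature counter that real WebAuthn assertions also carry is left out because passkeys synced through a cloud keychain typically report it as zero, so a site that insists it increases locks those users out. Note where the secret sits: the site holds nothing a phisher could reuse, but the private key lives only on the device (or in the password manager's vault), which is exactly the single point of failure complained about above.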

And a chronology:

From the piece in WIRED:

Over the past year, it has become possible to ditch the password and move to passkeys instead. Passkeys are generated codes—created using public key cryptography—that are stored on your device or in your password manager and let you log in to websites and apps using your fingerprint, face recognition, or a PIN. They can’t be guessed, leaked, or stolen, and they stop phishing attacks in their tracks, according to those behind the technology. Passkeys are widely considered to be more secure than passwords.

Google, Apple, Microsoft, Amazon, GitHub, PayPal, the UK’s National Health Service, OnlyFans, Nintendo, and more than 100 websites have started supporting passkeys. More than 8 billion online accounts can set up passkeys right now, says Andrew Shikiar, the chief executive of the FIDO Alliance, an industry body that has developed the passkey over the past decade. So, I decided to kill my passwords.

Put very simply, when you create a passkey, the website or app you’re using generates two pieces of code. One is stored by the website or app; the other is saved on your device. When you log in, you prove it is you via a face scan, fingerprint, PIN, or however you’d usually unlock your device, and the two pieces of saved code communicate with each other. That means that creating a passkey as a user is relatively simple. All you have to do is visit your account’s security settings and go through the options to set up and save a passkey. In most cases, that’s just a few clicks.

Logging in to my Coinbase account is the perfect example of how passkeys can work. To sign in to the cryptocurrency trading app—which I largely had forgotten I had an account with—it now just takes seconds. Opening the iPhone app, I can tap on the option to sign in with a passkey, which sits alongside the choice to enter my email address or sign in with an existing Apple or Google account. I tap the passkey option, and a popup appears to ask whether I want to “Use Face ID to Sign in?” and says it will use the passkey saved in my iCloud keychain. A quick face scan later, and I am logged in. No password, no username—under 20 seconds to sign in.

However, there are a few things that caused me problems setting up passkeys—my first attempt was disastrous. In that case, my work laptop wasn’t running an operating system that supports passkeys. While waiting for it to update, the PayPal app kept glitching and wouldn’t let me complete the passkey process. Then I couldn’t create one specifically for TikTok as I used my work Google account to create the account. When I tried to set up a passkey for Amazon and needed to scan a QR code on my phone, I found that my password manager, Bitwarden, currently doesn’t support passkeys on mobile.

Using passkeys likely means having a different mindset from how you think about passwords. There’s nothing to remember when you log in, and you have to use something else to store your passkeys. Passkeys can be stored in Apple’s, Google’s or Microsoft’s password manager systems; your browser; a dedicated password manager; or on a physical security key. I created a Google passkey on one USB key, and all I need to do to sign in is, essentially, plug it in. (All of the devices I use professionally and personally are Apple, meaning I haven’t tested passkeys between my iPhone and a Windows laptop, for instance.)

“The technology is mature, the front ends are still nascent,” Shikiar from the FIDO Alliance says. Over the past year, the FIDO Alliance has also been working on user experience guidelines, he says, making it more straightforward for people to sign up and use passkeys across systems. Gary Orenstein, the chief customer officer of password manager Bitwarden, says there are multiple groups involved in the creation and rollout of passkeys, so transitioning to a world where everything is seamless takes coordination. “The standards are at one level, user expectations are at a different level,” he says. “The vendor implementations are at a third level, and they’re merging, but it takes time.”

Most of my work is done on my laptop—and it’s rare that I download new apps or log out of apps on my phone—so I have been saving the majority of my passkeys in Bitwarden, which costs me $10 a year for a premium account alongside my hundreds of passwords. It works like this: When logging in to my Amazon account, I enter my username, and then Bitwarden’s browser extension pops up asking whether I want to log in with my passkey for Amazon. I press confirm, and I am logged in. It also offers the option to use my device or a hardware key to log in, and if I select one of these options, it looks for passkeys stored on my laptop.

However, as mentioned, Bitwarden doesn’t currently offer passkeys on mobile, meaning that to get the mobile-first Coinbase integration to work, I ended up saving that passkey to iCloud’s Keychain instead. 

What else could people dream of, short of nuclear war? Of course, trading cryptocurrency and using TikTok and using Face ID already labels you as a shithead.