I'm not that enthusiastic about Google, Apple and Microsoft doing away with #passwords as an #authentication factor, because it's one of the few areas left on these platforms where people have some control over their own #security. #infosec https://puri.sm/posts/microsoft-ruined-passwords-now-aims-for-a-passwordless-future/
@dredmorbius As I elaborate on in the article, I think the main reason passwords failed is due to bad password policies (which I blame Microsoft for in large part!) that didn't take the user into account. I'm not convinced that unrevokable biometrics that unlock a "something you have" in your phone are necessarily *better* than a good password. Which factors are appropriate comes down to particular threat models and I don't think doing away with one of the three auth factors entirely is wise.
@kyle TL;DR: I disagree, passwords failed for intrinsic reasons, not any specific party's (or parties') implementations.
Passwords were developed for a vastly simpler world. I think we really need to go back to first principles, and determine:
What we expect passwords to provide.
What the risks are.
What the alternatives are.
What the landscape / terrain / participants are, and what affordances these provide.
In particular, Fernando Corbato was solving a problem for a very limited-access facility with limited connectivity. The solution he devised for the 30 or 300 people inside that physical space wasn't appropriate for the 3 billion outside (this was 1960), but those 3 billion had very little opportunity for access.
Today, 5--10 billion people have immediate access to many online systems. If we consider nonhumans potentially accessing systems, that count likely increases by a few more orders of magnitude. Passwords somewhat work within a spatially-constrained space, not in a global one. Global data systems have a fundamentally different data / security "physics".
Corbato came to think passwords were a nightmare, and that they were designed "to protect against casual snooping":
https://www.welivesecurity.com/2014/05/23/password-inventor-says-creation-now-nightmare/
I share your concerns for hegemonic appropriation of identity. But in a #HierarchyOfFailureInProblemResolution, I think the assessment that passwords are themselves a problem is correct.
https://old.reddit.com/r/dredmorbius/comments/2fsr0g/hierarchy_of_failures_in_problem_resolution/
What's the problem?
What's the root cause?
What's the goal?
How do we get there from here?
Who needs to help, or get out of the way?