top | item 35854648

atoponce | 2 years ago

2FA is rife with problems. FIDO2/WebAuthn isn't tied to biometrics and can be inconvenient. TOTP can get out of sync and can be phished. Email can also be phished. Voice and SMS are vulnerable to SIM swaps. Now we're seeing that passkeys are horribly opaque without proper management and at risk of getting lost.

Le sigh.

ivlad | 2 years ago

Passkeys are just software-backed FIDO keys with no attestation and fewer features.

FIDO is flexible enough to distinguish userPresence (i.e., touching the key) from userVerification (commonly, entering a PIN), but this is only defined for physical keys IIRC.
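The userPresence / userVerification distinction mentioned above, and the "passkey versus hardware key" question from the parent comment, are both visible to the relying party in one place: the flags byte of the WebAuthn authenticator data. The following is an added example, not code from the thread or from any FIDO library: it parses the fixed 37-byte prefix (rpIdHash, flags, signature counter) and applies a simple acceptance policy. The bit positions (UP, UV, BE, BS, AT, ED) are the ones the WebAuthn specification defines, and the spec sets them for platform and roaming authenticators alike; the sample authenticator data, the relying party ID `example.com`, and the acceptance rules are constructed for this example.

```python
# Added example (not from the thread): relying-party inspection of the WebAuthn
# authenticator data flags byte. Bit layout is from the WebAuthn spec; the
# sample data and the acceptance policy are constructed for this example.
import hashlib
import struct

FLAG_UP = 0x01  # user present: the user touched / interacted with the authenticator
FLAG_UV = 0x04  # user verified: a PIN or biometric unlocked the authenticator
FLAG_BE = 0x08  # backup eligible: the credential may be synced (a "passkey")
FLAG_BS = 0x10  # backup state: the credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes, rp_id: str) -> dict:
    """Split the fixed prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    # The authenticator binds the assertion to the RP ID it was told; a hash
    # for a different origin means this response was not made for us.
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    return {
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def evaluate_assertion(info: dict, *, require_uv: bool, stored_sign_count: int) -> list:
    """Return a list of policy violations; an empty list means accept."""
    problems = []
    if not info["user_present"]:
        problems.append("user presence not asserted")
    if require_uv and not info["user_verified"]:
        problems.append("user verification required but not performed")
    # A non-zero counter that fails to increase suggests a cloned credential.
    # Synced passkeys commonly report 0, so the check applies only when the
    # authenticator actually implements the counter.
    if info["sign_count"] != 0 and info["sign_count"] <= stored_sign_count:
        problems.append("signature counter did not increase")
    return problems


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticator data (prefix only) for demonstration."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "example.com"  # assumed relying party ID
    touch_only = parse_authenticator_data(make_auth_data(rp, FLAG_UP, 42), rp)
    synced_passkey = parse_authenticator_data(
        make_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0), rp)
    print(evaluate_assertion(touch_only, require_uv=True, stored_sign_count=41))
    print(evaluate_assertion(synced_passkey, require_uv=True, stored_sign_count=0))
```

In practice the signature over the authenticator data and client data hash is verified first; this example only covers what the flags byte tells the server afterwards. Requesting `userVerification: "required"` in the ceremony options is not enough on its own; the server has to check that the UV bit actually came back set, which is what `evaluate_assertion` does.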

dragonwriter | 2 years ago

> FIDO2/WebAuthn isn't tied to biometrics

Good. Biometrics (“something you are”) aren’t a second factor.

atoponce | 2 years ago

Biometrics aren't the second factor when using WebAuthn, the hardware security key is. But anyone with access to the security key can use the second factor. Biometrics would tie the key to you preventing them from being used by others. The best we have right now for unlocking the security key are PINs, AFAIK.

sowbug | 2 years ago

All those problems are also true of 2FA's competition, which is plain old passwords. 2FA is progress. Don't let the perfect be the enemy of the good.