Back

Smart people keep saying things like “but authenticator apps will still be free and those won’t require you to pay, plus they’re more secure.” That’s true! But also completely misunderstands what’s about to happen.

What sets SMS 2FA apart is that it’s almost “free” from a user-effort perspective. If you own a phone, the feature is already built-in and enabled. Setup is nearly effortless. Backup is taken care of. Unfortunately none of the same things are true for HOTP/authenticator apps.

The cognitive overhead of installing an authenticator app (and then worrying about what happens when you lose your phone) is absolutely ridiculous. The overall experience is just stunningly bad, given that it’s one of the best defenses we have.

Free one-time code authenticators *should* be built into every phone. They *should* be enabled on the default keyboard. They *should* be securely backed up to an end-to-end encrypted account. If Google/Apple did this, adoption would be high.

Instead we have this ecosystem of crappy apps that you have to install manually. Some have weird cloud backup built in, of unknown security level. Some require you to back up manually with a QR code (ugh, Google Authenticator). It’s such garbage.

I learned recently that iOS has authenticator capability built in, and it will even back up to iCloud Keychain (using end-to-end encryption)!

All you have to do is navigate to a hidden submenu buried under “Settings”. It really sucks. But at least it’s better than Android.

I know companies like Apple and Google have all these great ideas like “let’s eliminate passwords using cool new ideas, eg ‘passkeys’”. Maybe that’ll work out. I hope so! I hate that these companies are slow-rolling security *today* so things can be “perfect” tomorrow.

@matthew_d_green slow-rolling?

@durumcrustulum iCloud Keychain has been around since 2015? The authenticator feature arrived when… 2019? And it doesn’t have any prominent UI elements during account setup, it’s basically hidden. Google Authenticator feels like abandonware.

@matthew_d_green k; passkeys aren't a slow roll

@durumcrustulum Passkeys are bypassing existing tech so that we can leapfrog to something better. But they have essentially zero adoption, whereas HOTP has some (for high-values websites.) I think it will take years to get major adoption.

@matthew_d_green hotp is second factor, passkeys are trying to be first factor, no one has ever replaced primary auth; i think the big players will keep investing in device-bounded challenges vs otp because they're easier to use

@durumcrustulum OTP has one major advantage, which is that I can keep a key on a mobile device and log into things on my laptop. I think Apple’s answer to this is to go all in on the iCloud ecosystem and use Keychain for portability?