ioc.exchange is one of the many independent Mastodon servers you can use to participate in the fediverse.

Per @racheltobac: 75% of Twitter 2FA users are using SMS-based authentication. In theory those users could switch to authenticator apps (or pay 😂) but they probably won’t.

Smart people keep saying things like “but authenticator apps will still be free and those won’t require you to pay, plus they’re more secure.” That’s true! But also completely misunderstands what’s about to happen.

What sets SMS 2FA apart is that it’s almost “free” from a user-effort perspective. If you own a phone, the feature is already built-in and enabled. Setup is nearly effortless. Backup is taken care of. Unfortunately none of the same things are true for HOTP/authenticator apps.

The cognitive overhead of installing an authenticator app (and then worrying about what happens when you lose your phone) is absolutely ridiculous. The overall experience is just stunningly bad, given that it’s one of the best defenses we have.

Matthew Green

Free one-time code authenticators *should* be built into every phone. They *should* be enabled on the default keyboard. They *should* be securely backed up to an end-to-end encrypted account. If Google/Apple did this, adoption would be high.

Instead we have this ecosystem of crappy apps that you have to install manually. Some have weird cloud backup built in, of unknown security level. Some require you to back up manually with a QR code (ugh, Google Authenticator). It’s such garbage.

I learned recently that iOS has authenticator capability built in, and it will even back up to iCloud Keychain (using end-to-end encryption)!

All you have to do is navigate to a hidden submenu buried under “Settings”. It really sucks. But at least it’s better than Android.

I know companies like Apple and Google have all these great ideas like “let’s eliminate passwords using cool new ideas, eg ‘passkeys’”. Maybe that’ll work out. I hope so! I hate that these companies are slow-rolling security *today* so things can be “perfect” tomorrow.

Anyway. I’m certainly no expert on usable security. My only real expertise is that as a user, *I am extremely lazy.*

SMS 2FA sucks sucks sucks, but I empathize with the Twitter users who chose it — and I understand why the alternative will be “no 2FA.” Too bad for Twitter.
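For readers who want to see what the "HOTP/authenticator app" and the "back up manually with a QR code" parts of the thread above actually amount to, here is an added worked example (not code from the original thread, from Matthew Green, or from any of the apps mentioned). The QR code an authenticator scans is an `otpauth://` URI carrying a base32-encoded seed; the app does nothing more than HMAC that seed with a counter (HOTP, RFC 4226) or with the current 30-second time slot (TOTP, RFC 6238). The seed is the whole secret, which is why "backup" of an authenticator is really just backup of that URI, and why an end-to-end encrypted backup matters. The secret below is the RFC test-vector key, and the account label, issuer and the URI itself are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HOTP per RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                               # low nibble picks a 4-byte window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)       # keep leading zeros


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """TOTP per RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Decode the otpauth:// URI that enrollment QR codes carry (the de facto
    Google Authenticator key-URI format). Everything needed to mint codes is here."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = params["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)                          # restore any stripped padding
    return {
        "type": u.netloc,
        "label": unquote(u.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": base64.b32decode(b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
        "counter": int(params["counter"]) if "counter" in params else None,
    }


def verify_totp(secret: bytes, code: str, for_time=None, window: int = 1,
                step: int = 30, digits: int = 6, algorithm: str = "sha1") -> bool:
    """Server-side check: accept the code for the current slot and +/- `window`
    neighbouring slots (clock skew), using a constant-time comparison."""
    if for_time is None:
        for_time = time.time()
    for drift in range(-window, window + 1):
        candidate = totp(secret, for_time + drift * step, step, digits, algorithm)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# RFC 4226 / RFC 6238 test-vector secret ("12345678901234567890" in ASCII), base32-encoded
# exactly as an enrollment QR code would carry it. Label and issuer are constructed.
EXAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")

if __name__ == "__main__":
    enrolled = parse_otpauth(EXAMPLE_URI)
    print("label:", enrolled["label"], "| seed bytes:", enrolled["secret"])
    print("current code:", totp(enrolled["secret"], digits=enrolled["digits"], step=enrolled["period"]))
```

Two things the code makes concrete: every "authenticator app" is interchangeable because the URI is the only state, so the same seed typed into 1Password, Keychain or Google Authenticator produces the same codes; and a server that stores these seeds holds the equivalent of a password hash that cannot be salted or stretched, which is the usual argument for device-bound challenges such as passkeys.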

@durumcrustulum iCloud Keychain has been around since 2015? The authenticator feature arrived when… 2019? And it doesn’t have any prominent UI elements during account setup, it’s basically hidden. Google Authenticator feels like abandonware.

@durumcrustulum Passkeys are bypassing existing tech so that we can leapfrog to something better. But they have essentially zero adoption, whereas HOTP has some (for high-value websites). I think it will take years to get major adoption.

@durumcrustulum I have no idea what it takes to get passkeys into a site. I don’t know what happens when I want to access a site on a laptop but the passkey is on a phone. I honestly don’t know! I should go read about it. I feel like that’s where we are on passkeys — the “we should learn about it” phase, not deployment.

@matthew_d_green HOTP is a second factor, passkeys are trying to be a first factor; no one has ever replaced primary auth. I think the big players will keep investing in device-bound challenges vs OTP because they're easier to use.

@durumcrustulum OTP has one major advantage, which is that I can keep a key on a mobile device and log into things on my laptop. I think Apple’s answer to this is to go all in on the iCloud ecosystem and use Keychain for portability?

@durumcrustulum I genuinely don’t know. One of my biggest annoyances is that I don’t use Safari on Mac so I’m totally desynchronized between phone and Firefox. However: I have to imagine this is what life is like for Windows users too.

@matthew_d_green this is why I 1Password (possibly needing a rename eventually); Pixels, MacBooks, Chrome, Linux

@durumcrustulum Didn’t even know 1Password had HOTP/TOTP until just now.

@matthew_d_green it's very nice, especially for shared accounts

@durumcrustulum I don’t trust my computer enough to use it there ;) But I like that it exists.

@matthew_d_green you can create an easy shortcut that will take you directly to the passwords. I still prefer 1Password, but I do also save to Keychain and the shortcut makes that more bearable

@subrandom This is so nuts. A trillion dollar company built a password manager and people have to download a shortcut one of their employees made in their free time, just so it has UX equivalent to a normal password manager.

@matthew_d_green It is a little nuts, but I do expect it will eventually get its own UI. I think there’s a little hesitancy there to be directly competing with some of the most popular software on the App Store.

Plus like all the big tech, increasing scrutiny over the vertical integration and such…why push it? It’s nice as an option if you don’t want to pay for something more full-featured, but I’d be surprised if they grew it beyond where it was, except to add it as a dedicated app.

@matthew_d_green This year 1Password will support passkeys, which is the only thing Apple's solution has that they don't. I'll still use Keychain as my backup though, because if 1P drops the ball or gets bought up, I want to be able to cut and run. :)

@matthew_d_green but using this will simply reinforce the grip iOS already has on users. Plus, wouldn't it make shifting to a different mobile platform difficult?