
That's indeed scary. Losing your 2nd factor shouldn't block you from accessing your accounts indefinitely. There should at least be one recovery path outside 2FA be it "printed recovery keys", "email recovery", "support channels", or even (despite being fully insecure) SMS maybe with a grace period (like 48 hours). Backing up your 2FA secrets isn't user-friendly at all, and it's even harder after you've started using it.

Yes, those recovery paths are also susceptible to phishing and scam attacks, and they should be designed with that in mind, for instance with ID verification, notifications from multiple channels, and process delays.

Everyone should go over their Authenticator app and check their recovery options with every account they have there to make sure they don't fall into this trap.
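The two recovery paths the comment above argues for (printed one-time recovery codes, and an out-of-band recovery that only completes after a grace period and notifies the owner) are straightforward to build. The following is an added example, not code from the thread or from any particular service; the code format, the 48-hour grace period, the failure limit and the in-memory `Account` store are assumptions chosen to illustrate the design.

```python
"""Printed recovery codes plus a delayed (grace-period) recovery path.

Added illustration, not from the thread above. The in-memory Account class
stands in for a database row; all sample data is constructed inline.
"""
import hashlib
import hmac
import secrets

# Assumed defaults: 10 codes of 80 random bits each, a 48 h grace period for
# the out-of-band path, and a cap on guesses so the codes cannot be brute-forced.
CODE_COUNT = 10
CODE_BYTES = 10
GRACE_SECONDS = 48 * 3600
MAX_FAILURES = 10


def _normalise(code):
    # Users retype printed codes with spaces, dashes and mixed case; accept all.
    return code.replace("-", "").replace(" ", "").strip().lower()


def _hash_code(code):
    # SHA-256 is adequate: the code already carries 80 bits of random entropy,
    # so a slow password hash buys nothing here (it would for low-entropy input).
    return hashlib.sha256(_normalise(code).encode()).hexdigest()


def _hash_token(token):
    return hashlib.sha256(token.encode()).hexdigest()


def generate_recovery_codes(count=CODE_COUNT):
    """Return (plaintext_codes, hashed_codes). Show plaintext once, store only hashes."""
    plain, hashed = [], []
    for _ in range(count):
        raw = secrets.token_hex(CODE_BYTES)                     # 20 hex chars
        code = "-".join(raw[i:i + 5] for i in range(0, 20, 5))  # xxxxx-xxxxx-xxxxx-xxxxx
        plain.append(code)
        hashed.append(_hash_code(code))
    return plain, hashed


class Account:
    def __init__(self, hashed_codes):
        self.unused_codes = set(hashed_codes)   # hashes of codes not yet spent
        self.pending_recovery = None            # (token_hash, ready_at) or None
        self.notifications = []                 # stand-in for email/SMS/push notices
        self.failures = 0

    def redeem_recovery_code(self, submitted):
        """Single-use check of a printed code; constant-time against every unused hash."""
        if self.failures >= MAX_FAILURES:
            return False
        digest = _hash_code(submitted)
        match = None
        for h in self.unused_codes:
            # Compare every entry so timing does not reveal which slot matched.
            if hmac.compare_digest(h, digest):
                match = h
        if match is None:
            self.failures += 1
            return False
        self.unused_codes.discard(match)        # burn the code
        self.notifications.append("recovery code used; %d left" % len(self.unused_codes))
        return True

    def start_delayed_recovery(self, now):
        """Out-of-band path: returns a token that only works after the grace period."""
        token = secrets.token_urlsafe(32)
        self.pending_recovery = (_hash_token(token), now + GRACE_SECONDS)
        self.notifications.append("recovery requested; completes after grace period unless cancelled")
        return token

    def cancel_recovery(self):
        # The legitimate owner, alerted by the notification, can abort an attacker's attempt.
        self.pending_recovery = None
        self.notifications.append("recovery cancelled")

    def finish_delayed_recovery(self, token, now):
        if self.pending_recovery is None:
            return False
        token_hash, ready_at = self.pending_recovery
        if now < ready_at:
            return False                        # grace period not over yet
        if not hmac.compare_digest(token_hash, _hash_token(token)):
            return False
        self.pending_recovery = None            # token is single use
        return True
```

The grace period is only useful if the owner is told on every channel that a recovery was started; the `notifications` list is where those messages would be sent, and `cancel_recovery` is the hook that lets the notified owner stop an attacker mid-flight.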



> Losing your 2nd factor shouldn't block you from accessing your accounts indefinitely.

You’re absolutely right and also you don’t have to worry. Everyone who operates auth of any sort will be forced on day one to have reasonable recovery. Nobody is gonna lock customers out because you lost their super-secret private key.

In practice, it goes back to email recovery for 98% of services. This will remain true with passkeys. Just like people forget passwords today, they’ll lose their passkeys tomorrow.

An average user can keep perhaps 5 decent-entropy passwords in their brain, at most. Thus, they can be useful for master passwords and your bank account. Other than that, it’s an elaborate dance of reusing existing passwords, using low entropy ones for low-value services, and for some of us, systematic usage of pw managers. But it’s still a dance, extra steps. And the UX is fragmented at best.

Passkeys have a chance to greatly improve both the security and UX of happy-path auth. That’s not bad at all.

Personally, I’m more worried about spec bloat. It looks like tons of knobs and flags already, imagine where we are in 5 years.

I’m also a little worried about public computers, shared devices, borrowing etc. Not everyone has a personal $1000 phone. This whole “my own device” assumption is a first world bias, and the experts should know better.


>I’m also a little worried about public computers, shared devices, borrowing etc. Not everyone has a personal $1000 phone. This whole “my own device” assumption is a first world bias, and the experts should know better.

Exactly. That's why I'm in favour of SMS-based auth for really important services like banking and government services. Your phone got broken/lost? Most providers offer replacement SIMs immediately or in 24h at worst around here. Your phone is broken, but you have an old 20-year-old flip phone? Pop your card in there (with a plastic frame) and you can still authenticate (another reason against non-physical SIM cards).

I saw mentions that SMS is insecure, but I never heard about a credible remote attack that didn't include provider cooperation or taking over your phone. (Someone driving to your house and setting up a fake cell tower in your yard doesn't count for most people.) Yes, the user experience is annoying to say the least. Consider the current system we have in Poland for government services (taxes, health care, driving agency, benefits). Most people use their bank as the auth provider; a typical session would look like this:

- go to a gov website, click login, be presented with various login options that include personal certs etc., choose your bank from the list
- log in to your bank's system the normal way (with physical 2FA if you have it, printed keys, or SMS)
- then the bank asks you "do you want to provide an auth request that contains these personal details to _gov_agency_A"; if yes, tick these 4 boxes that absolve us from anything you do down the line
- then they send you another SMS to confirm, finally authenticating you to the site
- you can browse the site etc., but let's say you want to send in a document that requires signing: you fill that document in online and they ask you "select your signing provider" (despite already being logged in)
- you select your bank, you go through two rounds of SMS again to sign the doc
- phew... Done

It's rather elaborate and hinges on SMS being secure. Most older people get lost at around "tick these 4 boxes" part, so most likely the whole process is being done for them by a local gov/library/internet cafe employee or a relative.

Is it secure? It's pretty annoying to use, but personally I consider the security adequate. I


SMS is monumentally insecure and any suggestion to use it as an auth factor (much less a recovery mechanism) is wildly irresponsible. Not only is SIM swapping as easy as convincing the teenager at your local phone store that you lost your phone and want to pay his commission when buying a new one, but the SMS protocol itself is unencrypted and you can MITM, or just straight up spoof it with a few grand worth of equipment (see "stingrays" for the professional version of this). This _absolutely_ happens all the time in the EU too.


> I saw mentions that SMS is insecure, but I never heard about a credible remote attack that didn't include provider cooperation or taking over your phone.

Technically correct, but how likely those attacks are seems to depend on the country. While I'm not aware of this being an issue in any EU country, SIM swapping is a common threat at least in the USA. Yes, American providers really need to improve the security of their procedures, but this means that in the current situation the security of any authentication flow based on SMS heavily depends on which country the user is located in.


> In practice, it goes back to email recovery for 98% of services. This will remain true with passkeys.

My understanding is that passkeys are really intended for the non-technically-skilled users.

So then, how will passkeys succeed with that audience? A high percentage of them already routinely use password recovery mechanisms rather than keeping track of their passwords. That's an established habit. If they can keep doing that, then why wouldn't they?


Yeah. They’d only switch if it’s discoverable and easy (perhaps their browser + the website presents the option).

Also, the “forgot password” flow itself has opportunities for happy-path improvements that are much simpler than passkeys. I have thought for a long time we should embrace that and lean into it, perhaps change it to a better “magic link” type of flow.


> Nobody is gonna lock customers out because you lost their super-secret private key.

https://www.nytimes.com/2022/08/21/technology/google-surveil...


To be fair I said “customers”.


I pay google. Do you think I'd have a different experience?


You aren't the customer... even if you're paying.


This is definitely good advice.

My point here is to note that "phones" are not a good 2nd factor, unfortunately, because they're not that durable and are kind of targets of theft. So moving to rely solely on a phone sounds like a bad idea.

In my case, this was not the end of the world since I use a Yubikey for Google rather than TOTP, so at least my core email services (which represent a huge identity provider) were fine.

(This is also the reason why I could afford to wait to get parts and fix the phone rather than get into some panic mode of having all my digital accounts in a state where I might get locked out at any point.)


Yes, I even use multiple FIDO2 keys for both convenience (some stay plugged in to my machines) and as backups. I find Passkeys convenient too, but the author's points need to be addressed, I agree.



