
> Phishing attacks are effective, anti-phishing training doesn't work (even for technically savvy users)

This is overstating the case. I've never been successfully phished. Many people have never been successfully phished. Yes, phishing exists, but it's not an excuse for big tech companies to take away all user freedom. "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

I think passkeys are fine in concept — replacing passwords with site-specific cryptographic keypairs — but the demands of the big tech companies go too far above and beyond the basic concept. For example, here are statements from the person in charge of passkeys at Apple:

> If you can drop a single device in a lake and lose your credential, it’s not a passkey. Passkeys are backed up and synced across your devices to deliver a great and safe user experience, while also eliminating phishing. If it’s device-bound, it’s not a passkey. :) https://hachyderm.io/@rmondello/111188643228872151

> A reminder to attendees of Authenticate and people everywhere that “device-bound passkey” is an oxymoron. Passkeys are a phishing-resistant password replacement, usable by people of all levels of technical sophistication, built in to smartphones. If a credential is not resilient to device loss, and it doesn’t sync across devices, calling it a passkey will confuse your users who will expect a durable, resilient credential. https://hachyderm.io/@rmondello/111252067006418583

To me, these statements are both paternalistic and frightening. You have to understand what they mean by "synced" and "phishing-resistant". The big tech companies are taking these superfluous requirements to the extreme. In essence, the attitude is that users can't be trusted with anything, and so users can't be given any control. This attitude is anathema to me.

All of my passwords and SSH keys are regularly backed up to multiple storage locations, including offsite. However, I take care of backups myself, manually. I don't use any cloud syncing service. I don't trust them, for a number of reasons, and I don't want to use them at all. If I have to use a cloud sync service with my credentials, that's a nonstarter.

Moreover, as far as I can tell, when the big tech companies say "phishing-resistant", what they actually mean is that it should be impossible for the user to manually export and examine the private keys, because that would theoretically allow phishing. To my knowledge, FIDO still hasn't agreed on export/import methods, and it's very telling to me that they were willing to ship passkeys without this feature, which I would consider essential. My suspicion is that the "solution" they eventually come up with is some sort of "trusted" list of service providers, who can export/import between themselves without giving users direct access to the keys.

There are much bigger problems in the world than phishing. We can harm ourselves in so many ways: driving a car, riding a bike, crossing the street, smoking cigarettes, drinking alcohol, eating bad food, using a chainsaw, opening the front door for strangers, or any combination of the aforementioned. Thank god that cars aren't locked down yet, though I expect that "security professionals" will demand that it be done someday for our own good. Freedom is dangerous. Yes, freedom means that users can be phished. And it means that passwords can be lost. But the absence of freedom is even more dangerous, and I'll fight to the death to preserve my freedom.
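The comment above turns on what "site-specific cryptographic keypairs" and "phishing-resistant" actually mean in the passkey protocol. As an added illustration, not part of this or any other commenter's post, here is a toy Go model of the WebAuthn assertion ceremony: an authenticator that keeps one P-256 private key per RP ID and never exports it, a browser layer that writes the page origin and RP ID into the signed data and refuses an RP ID that does not belong to the page's host, and a relying party that checks challenge, origin, rpIdHash and signature. The function names (BrowserGet, VerifyAssertion), the hosts example.com and example.com.evil.test, and the fixed challenge string are constructed for the example; real browsers additionally consult the public suffix list when validating the RP ID, which this toy omits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Assertion mirrors a WebAuthn assertion: authenticator data, the clientDataJSON the
// browser built, and an ES256 signature over authData || SHA-256(clientDataJSON).
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator is a toy authenticator: one P-256 private key per RP ID, never exported.
type Authenticator map[string]*ecdsa.PrivateKey

// Register mints a site-specific keypair; the RP stores only the public half.
func (a Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return &priv.PublicKey, nil
}

// signedMessage hashes authData || SHA-256(clientDataJSON), the ES256 signing input.
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// BrowserGet models navigator.credentials.get(). The browser, not the page, writes the
// origin into clientDataJSON and refuses an rpID that is not the page's host or a parent
// of it (real browsers also consult the public suffix list; omitted in this toy).
func BrowserGet(a Authenticator, origin, rpID, challenge string) (*Assertion, error) {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" {
		return nil, errors.New("origin must be https")
	}
	if host := u.Hostname(); host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, fmt.Errorf("rpID %q is not a suffix of page host %q", rpID, host)
	}
	priv, ok := a[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for rpID %q", rpID)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // rpIdHash || flags (UP) || 32-bit counter
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// VerifyAssertion is the RP side. Origin, challenge and rpIdHash sit inside the signed
// data, so a phishing page cannot alter them without invalidating the signature.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("wrong ceremony type or stale/replayed challenge")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin %q is not %q (phishing?)", cd.Origin, origin)
	}
	if want := sha256.Sum256([]byte(rpID)); len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth := Authenticator{}
	pub, _ := auth.Register("example.com")
	const ch = "constructed-challenge-1" // constructed; in practice a fresh random nonce per login
	as, _ := BrowserGet(auth, "https://login.example.com", "example.com", ch)
	fmt.Println("real site:", VerifyAssertion(pub, "example.com", "https://login.example.com", ch, as))
	_, err := BrowserGet(auth, "https://example.com.evil.test", "example.com", ch)
	fmt.Println("phishing page:", err)
}
```

The point the toy makes concrete: "phishing-resistant" here is a property of the protocol, not of key export policy. The user never compares domains; the browser refuses to let a look-alike host claim example.com as its RP ID, the authenticator has no key for the look-alike's own RP ID, and even a credential created on the phishing site produces an assertion whose origin and rpIdHash the real relying party rejects. Whether the private key is additionally kept non-exportable is a separate design choice from this binding.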



It is not overstating the case, I don't think. Large security teams have done population-level studies on this. You feel like "freedom means users can be phished". That's fine, private companies are going to make different choices on the freedom/security spectrum than you'd prefer.


> It is not overstating the case, I don't think. Large security teams have done population-level studies on this.

If it were that easy, then wouldn't everyone have been phished by now? I've certainly received plenty of scam emails myself, and I think it's safe to assume almost everyone else has too.

> private companies are going to make different choices on the freedom/security spectrum than you'd prefer.

It's not that simple, because we don't have a free market. Three big companies — Apple, Google, Microsoft — have nearly the entire consumer market share for both operating systems and web browsers, and they're colluding to eliminate passwords. If they succeed, then I as a private individual and a private company (self-employed) will not be able to make a different choice than those three big private companies. None of us will be able to make a different choice.


I think the reasonable assumption of serious security teams is that past some number of people with access, and absent phishing-proof authentication, the probability of a successful phishing attack approaches (and probably rapidly approaches) 1. You can dispute this, but security teams are going to disagree with you, they have the data, and your freedom/security spectrum doesn't mean anything at all to people making corporate access control decisions.

I get that you're not talking about corporate access control, but rather your feeling that you're downwind of those decisions as a consumer, because Google and Apple are embracing the findings of corporate security research. I don't know what to tell you about that. If a friend asked me what they should do to secure their online accounts, I'd tell them to make sure they were using Google Mail, and to make sure they had Passkeys enabled.


What are you going to tell your friend if Google and/or Apple unexpectedly, permanently locks them out of their account, with no possibility of appeal, because they triggered some kind of false positive in the "security" algorithms?

Or if Google and/or Apple just happens to lose all of their data? https://news.ycombinator.com/item?id=38431743

These are real things that happen, as real and harmful as phishing.

And yes, I'm talking about free consumers rather than corporate drones. Of course, in a corporate environment, you're not likely to get permanently locked out unless you're fired, and you won't experience personal data loss, because corporate data isn't yours in the first place.


I'm going to tell them that that's much less likely to happen than them getting owned up, and that the outcome of them getting owned up is much worse than the outcome of having a problem with Google or Apple. I know† lots of people that have been owned up, and zero people who have had the problem you're describing.

I'm also going to tell them to beware of technologists, who have rooting interests that are more about industry politics and big picture principles than about user safety. I'll tell them that people lobbying against the increasing influence of big tech companies on security are going to lose that fight anyways, so there isn't much point in staking any of their personal safety on the debate, even if they do believe in it (in reality: very few of them will care).

Regardless: just as a connoisseur of Internet nerd argumentation: if you're going to come at Passkeys, you need to do better than "the Unix greybeards were right about HTML email", because (a) no they weren't and (b) it obviously wouldn't matter if they were.

† personally (added later)


> I'm going to tell them that that's much less likely to happen than them getting owned up, and that the outcome of them getting owned up is much worse than the outcome of having a problem with Google or Apple.

Citation needed.

> I know lots of people that have been owned up, and zero people who have had the problem you're describing.

Anecdotal. My personal experience is the opposite.

> I'm also going to tell them to beware of technologists, who have rooting interests that are more about industry politics and big picture principles than about user safety.

You don't think I care about user safety? To the contrary, I care deeply about it. I just don't believe that paternalism and infantilizing the public increases public safety; rather, I believe it creates the very conditions that make the public ripe to be exploited.

> you need to do better than "the Unix greybeards were right about HTML email"

I have no idea what you're talking about. This is a straw man argument.


It's a quote from the article.


Ah, ok. Given that we're deep in a thread, I assumed you were talking about my arguments.

In any case, that one paragraph in the article wasn't even intended as an argument against passkeys, since the HTML email ship sailed long ago (though I still use plain text religiously).



