Hacker News

> What can a random user like our moms or siblings do?

Security Keys. Your mother and siblings have seen keys before right? They can understand the metaphor and use it. Several of the accounts listed, such as Google and Facebook allow Security Keys.

Bad guys can't steal the credentials out of Security Keys the way they'd steal, say, passwords or a TOTP code; they would need to physically obtain the keys. Your mother and siblings almost certainly don't face adversaries who'll break into their homes or hold them at gunpoint, just ordinary automated online attacks.



You seriously overestimate the average user. There is a reason why 123456 is still a common password. I would not expect a grandma to know how to put a key on her phone and use it reliably.

And my main argument is that corporations can do better. We should not put the burden on the common folks when the ones who are in the positions to do something are not pulling their weight. Sure, this will reduce their profit, and probably their share prices, and as a result, devs' compensation. Maybe that is the hardest part to argue through.


> I would not expect a grandma to know how to put a key on her phone and use it reliably.

If your grandma knows how to insert a key into a lock then she will be able to insert a key into a phone.


The more relevant problem here is what she does once she loses the key, or it breaks.


Legit question from someone who both wants their mum to stop getting hacked, and is not sure Security Keys are a good idea: What happens when they lose their phone?

My limited understanding is that the key is on their phone (let's say it's a Google key, on an Android phone). When their phone gets lost, stolen, or breaks, are they screwed? This worries me because the chances of the phone being lost is high.


A security key is a hardware token that uses USB, Bluetooth, or NFC. A security key may not have TOTP capability like a Yubikey. Security keys are not marketed or suitable for consumers, and sysadmins don't like them either:

https://utcc.utoronto.ca/~cks/space/blog/sysadmin/YubikeyMos...

You may be thinking of "passkeys" and while a security key can be a form of passkeys, the ones generated for your mum will be on her device, yes.

A passkey is a shortcut, for now. Relying on a passkey being in place is another good way to forget your password. ;-)


Safety deposit box with backup recovery codes.

That puts a lot of burden on users though.

Maybe start a pilot automated service run by Google or Microsoft or whoever where backup codes are securely sent to local credit unions and it's all almost transparent to the user. They just need to either pick up the code at the credit union and put it in their safety deposit box or approve that last step.

I'm not upset at all about banking working with private entities or any of the past with banks. I'm mostly upset because some of these ideas are good, you know? Maybe not this, but some. For a short while longer.


Security Keys are an independent device. I believe you are thinking of Passkeys which can live on the phone or in a password manager like 1Password.

If you do go with a security key, it's typically recommended to have at least 2, so that if one dies or is lost both have the same level of access. So long as you add them both/all to every account you need to access.


> Security Keys. Your mother and siblings have seen keys before right? They can understand the metaphor and use it. Several of the accounts listed, such as Google and Facebook allow Security Keys.

The problem with these is, they can get lost, stolen, damaged or misplaced. With a physical key to the home, no problem: call up a locksmith (and, if you don't have an ID card, also the police); he'll drill out the lock and you can get back into your home.

Google, Facebook, whatever - good luck trying to get in touch with a human to reset your "security key".



