The impact of this issue is perhaps fairly minor, but I wonder how much effort is put into designing optimised protocols for user authentication?
It is not a surprise that all existing user authentication methods can fail in pretty obvious (or non-obvious) ways, and every method has its own attack surface and risk of losing access.
Basic password: bruteforce/dictionary attack if the password is simple, risk of forgetting it if the password is complex.
Password manager + complex random strings: amplifies the loss in the event if the master password is lost, and the manager system presents an obvious target for malicious actors.
2FA using phone number/app: SIM swap attack or losing the phone.
2FA using hardware key: risk of losing the key.
Biometrics: probably the only one that can work when the device is compromised... It could potentially be faked, and the user might lose access in case of injury. And the extent to which we are comfortable with giving biometric information to different service providers is also debatable.
I wonder how much effort has gone into determining what the optimal method is for a given situation, and whether there is anything new in the making that might offer some improvement.
Of course, different types of services/users will also find different protocols optimal. A password manager would work very well for accounts created for commenting on blogs, and “recover account through trusted contacts” probably works for Facebook.
But maybe corporation/institutional systems would be interested in specifically designed authentication protocols to squeeze one last bit of security? What could be done, both technologically and procedurally, in this case?
A lot of work does go into it, but the users will mostly ignore that work and continue using “[Dog’s name] + [Wife’s birthday]” as a password (and that’s if you’re lucky).
This is true; I do wonder what could be done to get around the fact that we really can’t handle remembering complex passwords (without using some memory aid that could be compromised).
Biometrics makes sense for worker/admin access, but I’m not sure about the merits of deploying it en masse to the users of a service.
Despite all the controversies surrounding that (in?)famous XKCD comic, I would still agree with Randall that passphrases (I’m guilty of using them) are okay if we make them long enough. And the memory aids that one might need for passphrases are probably less easy to compromise (e.g.
I imagine it’s not too hard for an average human to handle a few passphrases of 10 words each, so maybe bumping the “allowed password length” from 16-30 characters to 100 would solve some problems for security-minded users.
Another tool I imagine might be good is allowing Unicode characters in passwords; maybe mixing Chinese into passwords could let us have “memorable” high-entropy passwords.
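A worked check of the two claims above (10-word passphrases and Unicode passwords), added here as an example and not part of the thread: it compares the entropy of a word-list passphrase with a manager-generated string, and then shows what a server that raises its length limit or accepts Unicode must measure before hashing. It assumes a 7776-word list (the standard Diceware size), bcrypt's 72-byte input limit, and constructed sample passphrases.

```python
import math
import unicodedata

def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase whose words are drawn uniformly at random
    from a list of wordlist_size entries (diceware-style)."""
    return num_words * math.log2(wordlist_size)

def random_string_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a manager-generated string of uniformly random characters."""
    return length * math.log2(alphabet_size)

def password_storage_profile(password: str, max_chars: int = 30, max_bytes: int = 72) -> dict:
    """What a server accepting long or Unicode passwords has to check:
    - code points vs UTF-8 bytes (each CJK character costs 3 bytes);
    - whether the string is unchanged by NFC normalisation, because the
      same visible text can arrive as different code point sequences
      from different keyboards and must be normalised before hashing;
    - whether it fits a character limit and a byte limit (bcrypt only
      uses the first 72 bytes, so anything longer is silently truncated
      unless it is pre-hashed)."""
    raw = password.encode("utf-8")
    return {
        "code_points": len(password),
        "utf8_bytes": len(raw),
        "nfc_stable": unicodedata.normalize("NFC", password) == password,
        "within_char_limit": len(password) <= max_chars,
        "within_byte_limit": len(raw) <= max_bytes,
    }

# Constructed sample inputs, not real credentials.
TEN_WORD_PASSPHRASE = "orbit velvet canyon lantern marble thistle harbor quartz meadow saddle"
MIXED_SCRIPT_PASSPHRASE = "correct 马 horse 电池 staple"
DECOMPOSED_ACCENT = "cafe\u0301"  # 'e' + combining acute; NFC folds it to U+00E9

if __name__ == "__main__":
    print("10 diceware words:", round(passphrase_entropy_bits(10, 7776), 1), "bits")
    print("16 random printable ASCII:", round(random_string_entropy_bits(16, 94), 1), "bits")
    for pw in (TEN_WORD_PASSPHRASE, MIXED_SCRIPT_PASSPHRASE, DECOMPOSED_ACCENT):
        print(repr(pw), password_storage_profile(pw))
```

The 10-word passphrase already beats a 16-character random string on entropy, but at 70 characters it fails a 30-character limit and sits just under bcrypt's 72-byte cap, and the decomposed accent shows why normalisation has to happen before the hash.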