Basic password: bruteforce/dictionary attack if the password is simple, risk of forgetting it if the password is complex.
Password manager + complex random strings: amplifies the loss in the event if the master password is lost, and the manager system presents an obvious target for malicious actors.
2FA using phone number/app: sim swap attack or losing the phone
2FA using hardware key: risk of losing the key
Biometrics: probably the only one that can work when the device is compromised...potentially could be faked, and user might lose access in case of injury. And the extent we are comfortable with giving biometric information to different service providers is also debatable.
I wonder how much effort has gone into determining what is the optimal method for a given situation, and whether there are anything new in the making that might offer some improvement.
Of course, different types of services/users will also find different protocols being optimal. Password manager would work very well for accounts created for commenting on blogs, and “recover account through trusted contacts” probably works for Facebook.
But maybe corporation/institutional systems would be interested in specifically designed authentication protocols to squeeze one last bit of security? What could be done, both technologically and procedurally, in this case?
[Question] Designing user authentication protocols
The impact of this issue is perhaps fairly minor, but I wonder how much effort is put into designing optimised protocols for user authentication?
It is not a surprise that all existing user authentication methods can fail in pretty obvious (or non-obvious) ways, and every method has its own attack surface and risk of losing access.
Basic password: bruteforce/dictionary attack if the password is simple, risk of forgetting it if the password is complex.
Password manager + complex random strings: amplifies the loss in the event if the master password is lost, and the manager system presents an obvious target for malicious actors.
2FA using phone number/app: sim swap attack or losing the phone
2FA using hardware key: risk of losing the key
Biometrics: probably the only one that can work when the device is compromised...potentially could be faked, and user might lose access in case of injury. And the extent we are comfortable with giving biometric information to different service providers is also debatable.
I wonder how much effort has gone into determining what is the optimal method for a given situation, and whether there are anything new in the making that might offer some improvement.
Of course, different types of services/users will also find different protocols being optimal. Password manager would work very well for accounts created for commenting on blogs, and “recover account through trusted contacts” probably works for Facebook.
But maybe corporation/institutional systems would be interested in specifically designed authentication protocols to squeeze one last bit of security? What could be done, both technologically and procedurally, in this case?