Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
zozbot234 9 days ago

> I'd rather granny needs to visit the bank to get access to her account again, than someone phishes her and steals all her money.

The problem is that I can physically show up at my local bank branch or at my job's IT helpdesk to get my account back, but I can't show up at the Googleplex or at Facebook's or Xitter's HQ and do the same. Device bound passkeys are very error prone for the latter scenario, since users will fail to account for that case.

hombre_fatal 9 days ago | parent [-]

To add, services account for that failure by introducing something worse: a customer service backdoor where you can get into an account with very weak or nonexistent authentication.

With Amazon's live chat, someone was able to get into my account by providing an address in the same city as the destination of my latest Amazon order.

You see this with 2FA since "sorry lol you've lost your account forever" isn't an option, and it's trivial for users to lose their 2FA key unlike, say, access to their email.

tzs 9 days ago | parent | next [-]

Services that use passwords for login need to do that too, because people lose passwords.

Even services that use login via emailed link need to do it because people do lose email access. Far too many people use the email provided by their ISP as their only email service, which can be very bad if they move to someplace that ISP does not serve or simply want to switch to another ISP in their current area.

hombre_fatal 9 days ago | parent [-]

The forgot-my-password email link has a customer support load very different from "I can't do 2fa because I lost my device".

And once you set up a customer service pipeline for it, you might accidentally create a backdoor that's far worse than forgot-my-password email verification: https://medium.com/@espringe/amazon-s-customer-service-backd...

Email account access is the closest thing we have to ubiquitous identity on the web. Users that truly lose access to their email account are in a catastrophic situation before they even think of whether they can access your service.

philistine 9 days ago | parent | prev [-]

The solution is what's already happening, but throughly enforced: allow designated users to restore your access to your account.

hombre_fatal 9 days ago | parent [-]

Heh, that is kinda interesting and I've never heard of it before. What are some services that have this set up?

So, I guess you set up some "emergency users". And maybe if you lose access to your account, you get customer support to mark your account as lost which sends an email to the address that you have on file (in case it's an attack started by someone other than the user).

And I suppose if N days pass without any login, one of your emergency users can generate a credential that they can pass to you to recover your account?

philistine 7 days ago | parent [-]

Apple accounts have had it for years. You can set up a legal successor if you die, and a couple of people who can vouch for you to regain access.

That and Apple will give you a very long one-time password meant to be printed that can restore access as well. This one is in a third undisclosed location for me.