Good where Security is Trivial and Peripheral

Hitoshi Kokumai
May 5, 2023


Thanks to John Marrett for calling me in this post — https://www.linkedin.com/posts/jmarrett_google-is-rolling-out-password-killing-tech-activity-7059862499826790400-XiDh

I had come across this one as well — “Go ahead, forget that password. Use a passkey instead, says Google” https://www.theregister.com/2023/05/04/google_passkey/ in which deploying multiple authentication factors is viewed as something better than MFA.

The confusion is being made even worse, whipped up by our wonderfully security-literate tech media!

1. A pincode, which is no more than a numbers-only password, is kicked out of the password family.

Presumably because they want those pincode-dependent solutions to be called passwordless authentication.

2. Biometrics, which is probabilistic by nature and brings down security when used with a default pincode, is given the status of a legitimate authentication factor.

Presumably because they are ignorant of the opposite security effects of deploying biometrics and a pincode (password) in a multi-layer/in-series formation and in a multi-entrance/in-parallel formation.

3. They speak as though removal of the password, which removes the defense that the password has somehow provided, would enhance identity security.

Presumably because they presuppose that the attack surface of the password is larger than its defense surface.

Here is a comic we published in 2005 — “Entangled thinking makes everything more Entangled” https://www.mnemonicidentitysolutions.com/Comics/Comic2.2.html

Although it might look a bit more complicated here, the title of this comic seems very pertinent to the situation around Google and Passkeys.

Here is my recent post on the people who spread falsehoods — “Security-Illiterate Guys Selling Security Solutions ?”

https://www.linkedin.com/posts/hitoshikokumai_identity-authentication-password-activity-7058269635900559360-vrKL

A more comprehensive analysis of the security-destructive effect of removing the password is offered here — “How to not see our weak digital identity further weakened” https://www.linkedin.com/pulse/how-see-our-weak-digital-identity-further-weakened-hitoshi-kokumai/

The proposition of Passkeys might be good where cybersecurity is a trivial and peripheral matter. A password must stay at the centre of identity solutions where security matters.

  • Counterarguments will be very much appreciated!

Written by Hitoshi Kokumai

Advocate of ‘Identity Assurance by Our Own Volition and Memory’, Inventor of Expanded Password System and Founder of Mnemonic Identity Solutions Limited in UK.
