<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> presumably, yes</p><p>as should hopefully be clear from my choice of Amazon for the example, I am not attempting to defend them. they suck!</p><p>but in the real world where I may need to go to "Amazon dot com" to buy "food" so I can "not die" while I am "in extreme pain" this is a problem that can fuck me over really badly, and probably at some point will</p><p>(afaik I've never got phished, but that's a "yet")</p>
<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> and at some point, you do have to just start discriminating against people. I think that unhoused people and refugees in camps need to be given dignity and respect and resources, but I also do not think that we should lead with giving them all administrative force-push access to the repos for openssh</p>
<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> But passwords are WAY worse than I think you're realizing, even with extremely good password manager hygiene (which is punishingly difficult to maintain)</p>
<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> I can think of a couple of sites where I've been able to ditch SMS 1FA in favor of passkeys. it's slow going because the biggest problem with SMS 1FA is incompetent financial institutions, and that's a problem that the auth vendors can't solve.</p><p>I should note that there ARE people for whom device instability is so bad that they really shouldn't be using passkeys (cf. <a href="https://glammr.us/@jessamyn/113743765591001673" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="ellipsis">glammr.us/@jessamyn/1137437655</span><span class="invisible">91001673</span></a>) and educating those folks is a big challenge. They're not perfect.</p>
<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> yes this is how they work</p>
<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> in fact, *because* passkeys are seen as strong as SMS-based MFA, passkeys provide a vast advantage to me, someone who has repeatedly lost access to accounts due to stupid phone number shenanigans</p><p>i hope every bank i have adopts passkeys asap</p>
<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> as a refugee who had to cross borders i am fine with passkeys because passkeys do not have the problem you are describing</p>
<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> there may not be any advantage for you, sure</p><p>now, consider me. i have chronic pain so severe that there are many days where i'm barely conscious, going through my day on some scraps of instinct</p><p>do you think i should get to be phished because i am in pain and, being in pain, i copy&amp;pasted a password in the wrong field once?</p>
<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> let's say you register on amazon.com, you save an entry, it's fine<br />now, because you are in the UK, you get amazon.co.uk. it uses the same login, so you pull up your password manager, and either copy the password, or manually add it to the allowlist<br />now, you get a phishing email with a link on amazom.co.uk. amazon has trained you to do this and you don't quite remember everything you've done, so you just do it again</p><p>2/2</p>
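<p>Added example, not part of the thread and not any site's real code: the lookalike-domain scenario above, replayed against the origin binding that a WebAuthn (passkey) login is checked with. The relying-party settings, function names and challenge value are constructed for illustration; signature verification is omitted and the domain-suffix rule is simplified (browsers also consult the Public Suffix List).</p>

```javascript
const { createHash } = require('node:crypto');

const sha256 = (data) => createHash('sha256').update(data).digest();

// Hypothetical relying-party configuration for the shop in the thread.
const RP = { rpId: 'amazon.com', origins: new Set(['https://www.amazon.com']) };

// Browser-side rule: a page may only name an RP ID equal to its own host
// or a parent domain of it (simplified, no Public Suffix List lookup).
function browserAllowsRpId(pageOrigin, rpId) {
  const host = new URL(pageOrigin).hostname;
  return host === rpId || host.endsWith('.' + rpId);
}

// What browser and authenticator would hand back for a page (constructed, unsigned).
function buildAssertion(pageOrigin, rpId, challenge) {
  if (!browserAllowsRpId(pageOrigin, rpId)) return null; // request is refused
  const clientDataJSON = Buffer.from(
    JSON.stringify({ type: 'webauthn.get', challenge, origin: pageOrigin }));
  // authenticatorData = SHA-256(rpId) || flags (0x01: user present) || 4-byte counter
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x01, 0, 0, 0, 1])]);
  return { clientDataJSON, authenticatorData };
}

// Server-side checks; returns 'ok' or the reason the login is rejected.
function verifyAssertion(assertion, expectedChallenge) {
  const client = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expectedChallenge) return 'challenge mismatch';
  if (!RP.origins.has(client.origin)) return 'origin mismatch';
  const rpIdHash = assertion.authenticatorData.subarray(0, 32);
  if (!rpIdHash.equals(sha256(RP.rpId))) return 'rpIdHash mismatch';
  return 'ok';
}

const challenge = 'Y29uc3RydWN0ZWQ'; // constructed sample value
const real = buildAssertion('https://www.amazon.com', 'amazon.com', challenge);
const relayed = buildAssertion('https://www.amazom.co.uk', 'amazom.co.uk', challenge);
console.log(verifyAssertion(real, challenge));                                  // real site
console.log(buildAssertion('https://www.amazom.co.uk', 'amazon.com', challenge)); // lookalike asks for amazon.com
console.log(verifyAssertion(relayed, challenge));                               // lookalike relays its own
```

<p>Unlike a copied password, nothing the user can be talked into doing on the lookalike page yields a value the real site accepts: the origin is recorded by the browser, not typed by the person.</p>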