
Is the era of passwords coming to an end?

cheeztoshobo

Honestly very country specific.

 

At least in Sweden it's very easy to fix things if you lose an ID card. Sure, a small bit of hassle, but easy enough.

 

 

 

 

 


I have created a passkey for my Android phone and Windows PC and tied them to my Google account, but it doesn't give me the option to sign in using them.

It only lets me "Tap YES" or use my 2FA code.


On 5/23/2023 at 8:31 PM, StDragon said:

Don't trust OTP / phone app authenticators to save your ass

Use OTP that lets you make encrypted backups, problem solved.....


On 5/24/2023 at 5:19 AM, Kisai said:

You can't walk back into the bank to the person you just deposited the money to, because you no longer have your ATM card or any ID. Sorry, just policy.

sounds like a shit bank then. you can provide your name, address and phone number so they can look you up. they can then ask questions like

  • how many accounts do you have?
  • what was your most recent transaction
  • verbal password (if you set one up)
  • name x number of direct debits you may have set up on your account

you will be restricted to how much money you can draw out at one time without photo ID, but unless the US banking system is fucked, they will have ways of letting you get money out.

 

On 5/24/2023 at 5:19 AM, Kisai said:

You can't call the card company to stop the transactions because you don't know the number.

as above. there is more than 1 way to identify someone...i would hope that CC companies over there don't just let anyone with the card number call up and cancel stuff.


3 hours ago, Arika S said:

sounds like a shit bank then. you can provide your name, address and phone number so they can look you up. they can then ask questions like

  • how many accounts do you have?
  • what was your most recent transaction
  • verbal password (if you set one up)
  • name x number of direct debits you may have set up on your account

you will be restricted to how much money you can draw out at one time without photo ID, but unless the US banking system is fucked, they will have ways of letting you get money out.

 

as above. there is more than 1 way to identify someone...i would hope that CC companies over there don't just let anyone with the card number call up and cancel stuff.

It's an analogy, not real life. In real life, humans are more willing to go the extra mile if you're not being a karen about it.

 

But here's the thing: passwords, particularly re-used passwords, are how the vast majority of people do things. They use the same PIN on all their cards, they use the same passwords on all their internet accounts, because they can't remember more than two of them. Yet all these companies want you to pick hard-to-remember passwords that then require you to use a tool to manage them that can ALSO be lost or destroyed with no recoverability.

 

Which is why I made the comparison to losing your wallet and phone. Without any ID, no bank that is following their company policy will even let you look things up. You have to prove you are a customer with them FIRST, by presenting the bank card and then they will ask for your photo ID. You can't prove you are their customer by simply giving them your name. If it was that easy, anyone could walk off the street and pretend to be you.

 

In reality, human workers at banks are willing to humor you and look for meta information on the account to ask.

 

But you can't do that with OTPs or MFA. That phone is your password. Lose or destroy the phone, and you are forever locked out of everything.

On the bright side, it looks like passkeys can "spawn" keys to other devices easily, where OTPs cannot. So you can log in to Gmail from Chrome on the desktop, or from the phone, but you STILL NEED THE PHONE. Just now you can let the PC also save a passkey, so if perhaps you lose the phone you can spawn a new passkey to a new phone.

 

So the solution there seems to be, to never recycle your old devices and instead throw them in a drawer somewhere in case you need to get into your accounts.


3 minutes ago, Kisai said:

It's an analogy, not real life. In real life, humans are more willing to go the extra mile

so it's not real life....but then you go on to say:

4 minutes ago, Kisai said:

Without any ID, no bank that is following their company policy will even let you look things up. You have to prove you are a customer with them FIRST, by presenting the bank card and then they will ask for your photo ID. You can't prove you are their customer by simply giving them your name.

...so is this an analogy as well? humans can't go the extra mile if it breaches company policy, that is grounds for immediate termination and a lifetime ban from ever working in the financial industry again.

 

As someone who has worked in the banking industry for 12 years, yes, Banks can look you up if you provide sufficient information, just a name is not enough, which is why there are the other details i mentioned.

 

if that's not how American banks operate, then they have failed their duty of care.


11 hours ago, Arika S said:

so it's not real life....but then you go on to say:

...so is this an analogy as well? humans can't go the extra mile if it breaches company policy, that is grounds for immediate termination and a lifetime ban from ever working in the financial industry again.

 

As someone who has worked in the banking industry for 12 years, yes, Banks can look you up if you provide sufficient information, just a name is not enough, which is why there are the other details i mentioned.

 

if that's not how American banks operate, then they have failed their duty of care.

Again, the analogy is about "you have just lost access to everything because it's locked behind your cell phone"

 

A bank is not going to help you. The DMV, which HAS existing photos of YOU, can take you on your word because they can look at the previous photo. But they will still want proof that the person in the photo is YOU and not your twin, or parent, or child, or other sibling.

 

In a real-world scenario, you'd probably be asked to bring a family member or a co-worker, or someone who sees you regularly, to the DMV to sign something that says "this person is who they say they are, I've known them for X years"

 

Accessing your bank? You need your photo ID first. If a bank is letting you access your money without any ID, that is very much a problem. If you regularly come to that bank to deposit cheques in person, it's reasonable to have staff "know" who that person is. However people do check deposits via ATM or via photo deposit with their cell phone. Nobody at the bank knows who the heck you are.

 

Before smartphones and "apps", you received paper statements in the mail, and you could grab one of those and take it to the bank and show them your photo ID and the mail and go "see, that's me"

 

But since all that stuff is locked behind the smartphone app now, you can't do that, can you?

 

 
