mdp/rotp

Webauthn/Passkeys are a shattered dream. Remove text from header of README and move section further down the page.

Opened this issue · 1 comment

Currently the README implies that Webauthn/Passkeys are the way forward.
Consensus in 2024 is that passkeys/webauthn is a shattered dream. Related Front Page discussion on HN.

"The biggest issue with passkeys is that I just can't trust the companies offering them"
-- Top comment on HN

Request that this front matter is removed and the section on this moved further down the README, maybe including that issues around passkeys/webauthn are still being resolved and that there is still no mass adoption of this approach.

MFA TOTP remains best practice for password security in 2024 and this project is doing excellent work in this space.

mdp commented

First off, thanks for opening this issue and sorry for the delay in responding. I think it's a good issue to discuss and wanted to take some time to write up my thoughts on this.

In some ways I agree; Passkeys are a bit of a disaster UX wise, at least at the moment. Adoption of the full "Passkey" login has not been great, and it's definitely confusing for users. But while I can't predict Passkey adoption with consumers, for more security focused users (enterprise/corporate) it's already the standard (hardware keys via Webauthn).

Even as bad as the Passkey UX is, there's no way I could recommend TOTP in 2024 for most users.

  1. OTPs are very phishable, so much so that most high profile orgs have banned their internal use - Google did this more than 6 years ago [1]. Cloudflare, Okta, Twitter - This trend is headed in only one direction.
  2. It's a shared secret system. As a developer, this puts the onus on me to come up with a way to store it securely and retrieve the plaintext anytime a user logs in as well as prevent replays.
  3. OTPs also seem to be heading towards UI enshittification. Nearly every enrollment will point a user to a mainstream OTP authenticator that then tries to tie this into the provider's backend. Google Authenticator has 100M downloads and a 3.8 rating, mostly due to cloud sync issues.
  4. It's more work for the end user: install an app, scan a code, verify the code, get your phone out every time you need to login (or when the security team calls you and asks you to read off the OTP to them).

If you've got a user's email and security concerns are low, I think sending them a magic link is probably as safe for most users as TOTP, easier to use and easier for developers to implement (no need to encrypt and manage shared secrets and users don't need a separate app).

For users in more security critical roles, Webauthn/Passkeys is the solution while OTP is actually a liability [2].

From personal experience I've moved every provider I can to Passkeys and haven't had much trouble. However it's clear from adoption rates that Passkeys are still not great for many users. But I think that's starting to change. For users with a password manager, like 1Password or Bitwarden (the beta on Testflight just added this on iOS and it works great), it's incredibly easy to use Passkeys now. It mostly just works, and works well.

While I think Passkeys still have many UX issues to solve, falling back to TOTP isn't an option. Put simply, if security is a big concern for your organization, YOU SHOULD NOT BE USING TOTP, or any OTP for that matter. For users that just want a simple 2FA solution, I think you'd be better off just using a simpler solution like magic links.

Footnotes

  1. https://www.schneier.com/blog/archives/2018/07/google_employee.html

  2. https://krebsonsecurity.com/2022/08/how-1-time-passcodes-became-a-corporate-liability/
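To make point 2 of the reply concrete (the server must hold the plaintext shared secret and must prevent replays itself), here is an added example that is not part of rotp and not the maintainer's code: a minimal RFC 6238 verifier on Ruby's stdlib that remembers the last accepted time step and refuses any code from that step or earlier. The secret bytes, drift window and `TotpVerifier` name are constructed for the example.

```ruby
require 'openssl'

# Constructed example, not rotp's implementation: RFC 6238 TOTP with
# server-side replay protection (last accepted time step is remembered).
STEP_SECONDS = 30
DIGITS = 6

# RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
# dynamic truncation to a DIGITS-long decimal string.
def hotp(secret_bytes, counter)
  hmac = OpenSSL::HMAC.digest('SHA1', secret_bytes, [counter].pack('Q>')).bytes
  offset = hmac.last & 0x0f
  code = (hmac[offset] & 0x7f) << 24 | hmac[offset + 1] << 16 |
         hmac[offset + 2] << 8 | hmac[offset + 3]
  (code % 10**DIGITS).to_s.rjust(DIGITS, '0')
end

# TOTP is HOTP with the counter derived from Unix time.
def totp_at(secret_bytes, unix_time)
  hotp(secret_bytes, unix_time / STEP_SECONDS)
end

# Per-user verifier state: the plaintext secret (which the server must be able
# to read on every login) plus the last time step that produced a login.
class TotpVerifier
  attr_reader :last_step

  def initialize(secret_bytes, drift_steps: 1)
    @secret = secret_bytes
    @drift = drift_steps
    @last_step = nil
  end

  # Returns the matching time step on success, nil on failure. A step at or
  # before the last accepted one is refused even if the code is correct, so a
  # code captured in transit cannot be replayed within its validity window.
  def verify(code, now: Time.now.to_i)
    current = now / STEP_SECONDS
    (current - @drift..current + @drift).each do |step|
      next if @last_step && step <= @last_step
      next unless constant_time_equal?(hotp(@secret, step), code)
      @last_step = step
      return step
    end
    nil
  end

  private

  # Compare without short-circuiting on the first differing digit.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The ASCII secret `12345678901234567890` reproduces the SHA-1 test vectors from RFC 6238 Appendix B, which is a convenient way to check the arithmetic before wiring this into a login flow.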