Future of Second Factor Authentication

It seems like passwordless logins are going to be the direction we’re headed. From my understanding, the implementation requires a password for the initial setup. It works similarly to Windows Hello in that the authentication process happens locally.

While this works in theory, people will change devices as technology evolves. Ultimately, I am concerned that this will move forward without extensive collaboration with disabled people. If the goal is to have a passwordless, no-knowledge security format, will the future of two factor authentication involve some sort of surgical implant or what? Face ID, perhaps?

As a consequence of having a disability, disabled people (more so than able-bodied people) have to entrust information with family members, caregivers, etc. They are statistically more susceptible to living in problematic situations as a result.


If you go far enough into the future, maybe.

For now fingerprint, face scan, iris scan, voice print or whatever other “external” methods should be sufficient for the “something you are” aspect of it.

There’s even

Would injuries change the print?

Burns can change fingerprints. Cuts shouldn’t.


It seems to me that from FIDO2 alliance’s vision, passkeys will be used in place of passwords. So, when you initially set up any account, you register your passkey to identify you. When you use an additional device, if this passkey isn’t synced and can be used on that device, you basically go through an account recovery route on that device, which if based on the current technology/workflow, will be password/email/phone-number/app based.

I agree with you that it’s rare that the first-wave technology implementer will give enough importance to disabled people, especially when the implementers are working on a widely-adopted standard. The mass-marketed biometrics are currently fingerprints and facial identification. If those don’t work for a person, they may be out of luck in some specific cases. On platforms that treat biometrics identically with a PIN (like Windows), this wouldn’t be an issue. On platforms that don’t (like Android), disabled people wouldn’t be able to use the technology in some cases.

So, I’ll say, we will have to live with passwords, or with them as an alternative, for a while until they figure out how to carry everybody with passkeys.

Going forward, maybe governments could implement baseline standards for authentication (e.g. a minimum percentage of all computer monitors and/or USB keyboards sold in country X must have either face or fingerprint biometrics built-in).

Apart from that, I don’t know how else we will proceed as a society. If you have and use a smartphone, there are a certain number of built-in assumptions Google and Apple are making about you. To a certain degree, they are assuming that you have a basic level of fine motor control, even if you use some of the available accessibility features.

The general ‘appifying’ of everything has really made my life more difficult than it should be. Web browsers are apparently not good enough anymore, even though we use them every day.

For example, I can no longer use Google Pay at all. I used to send money to family members to help with bills. Google completely axed web access. You have to use a mobile app. And yes, I’ve tried using BlueStacks. Doesn’t work.

Facebook did a similar thing with Meta Pay. In order to send someone money, I have to use BlueStacks in order to use mobile Messenger.

End-to-end encryption is completely possible through modern web browsers, but rather than integrate that, companies would rather force users to buy a tablet or phone (that they may not be able to use) in order to function in the modern world. A phone or tablet is not inherently more secure. It’s all software. They are all vulnerable to malicious actors and security flaws.


I really don’t understand what exactly you are asking or complaining about.
Are you asking about people with physical disabilities unable to use 2fa?
Are you asking about brain implants?
Are you asking about browsers? apps? phones?
I really don’t understand where you are going with all that.

In summation, I’m complaining about our reliance primarily on smartphones as a second factor and tying software dependencies to smartphones in the first place. Smartphones should be optional, but not a requirement to use a service securely. Such a requirement creates barriers for disabled people.

There are FIDO2-spec hardware keys which do not require a smartphone.

If you want to promote more support for people with various disabilities, going directly to the FIDO Alliance or disability advocacy groups is a better approach than posting on a password manager forum.

Are you referring to the FIDO Developer Forum? I’m not a programmer. As far as I know, there is no FIDO Alliance community forum.

No, I’m referring to the organization itself. Contact them and voice your concerns about users with various disabilities.