Saturday, December 06, 2025

Passkeys are the new hotness in MFA

Whether you're logging into your bank, health insurance, or even your email, most services today do not live by passwords alone. Now commonplace, multifactor authentication (MFA) requires users to enter a second or third proof of identity. However, not all forms of MFA are created equal, and the one-time passwords orgs send to your phone have holes so big you could drive a truck through them.

Posted by LampLighter at 09:40 PM | 2 COMMENTS | permalink

Comments

More from the article ...

... The rise of passkeys

MFA methods typically fall into three categories: Something you know (a password, code, or security question), something you have (like a token or a smartphone), or something you are (like fingerprints or facial scans). They include hardware tokens, authenticator apps, passcodes sent via SMS or email, push notifications to approve a login on a connected device, and biometrics using physical traits to verify a person's identity.

Historically, authentication used the "something you know" model, where two parties -- a user and a server, or two devices -- prove their identity by both knowing a secret like a password or code. The problem here is that someone can guess your secrets, or maybe you put it on a sticky note or in a plaintext file on your desktop.

Criminals can also phish these secrets via phony websites that prompt users to enter their username and password, and intercept one-time passwords (OTP) sent via SMS or email by redirecting the messages before they reach the intended recipient.

"So one of the things that we're seeing is the whole movement away from passwords to passkeys -- a certificate-based authentication wrapped in a usability shrink wrap," Forrester VP and analyst Andras Cser told The Register. ...



#1 | Posted by LampLighter at 2025-12-06 09:42 PM

@#1

A bit of a deep dive (understatement).

I have noticed that it is now more difficult to log into some of my finance-orients websites of late.

For example, ssa.gov now requires my to provide a one-time-password, given to me via a progam that I can run on my smartphone. I chose nt to run that app on my smartphone, due to the inherent insecurity I see in smartphones.

Instead, I installed the one time password program on a FreeBSD client here.

And it works smoothly. But it is also another step wen I try to view my ssa.gov account.

And that is the trade-off with added security. In order to make it more difficult for bad actors, it has to also be more difficult for me.

imo, that is the issue that needs to be solved without someone like google tracking all my moves.



#2 | Posted by LampLighter at 2025-12-06 09:48 PM

Drudge Retort Headlines

3 Dead, 14 Hurt in Austin Bar Shooting (42 comments)

U.S. Troops Told Iran War Is for 'Armageddon' (36 comments)

Oil Prices Expected to Increase (29 comments)

3 F-15 Strike Eagles in Kuwait 'mistakenly shot down' (27 comments)

RFK Jr. Suggests Buying Liver or 'cheap cuts' Instead of Steak (27 comments)

US Moving Pregnant Immigrant Girls to Texas (25 comments)

Top MAGA Voices Furious over Iran Attack (24 comments)

Three US Soldiers Dead in Iran Action (21 comments)

Trump: US Could Carry Out 'Friendly Takeover' of Cuba (19 comments)

Iran Wants to Talk, I Have Agreed -- Trump (19 comments)