
These comments are everything from eliminating passwords (good luck) to “congress should fix it with law” (lol).

Having been in the identity space for a while and seen how various companies think about it, these kinds of problems will keep coming up...mostly at companies for whom identity is commodity. These companies will always give account security the minimum requisite attention. No one at Twitter gets excited about working on the login form.

I know OpenID was a bust and everyone hates Facebook Connect, but as an industry we need to figure out how platforms that view account security as a necessary evil can vendor that to people who take it seriously. Trying legal avenues to get people to take it seriously or finding alternative methods is what we’ve been trying for the last 15 years and it hasn’t worked.



Security Keys are often used as a second factor, but the original vision was that they could also be a primary factor in lieu of a password. Humans are bad at passwords, but they carry around house keys every day. Why not also carry around computer keys on their keychain?

For the average person (not worried about a megacorp or nation state attacking them), TouchID is also a possible "password replacement" for the primary authentication factor, although it comes with the disadvantage of not being rotatable.


Alternatives to passwords have "kind of worked" with Bitcoin and cryptocurrencies: when they became valuable and exchange breaches became costly, people started using 2FA (exchanges made it mandatory) and Ledger wallets en masse. We should be making these kinds of technologies cheaper and dumb-proof so that everybody can use them. Some alternatives proposed in the past, like OpenID, were almost comically complicated for Joe User.

