Kelly Shortridge

another key takeaway for me from excavating the digital remains of a loved one who died suddenly:

usable security or bust. in my case, the iOS Password Manager saved the day because it stored their creds by default as they used their devices.

...but they found the 2FA app so confusing that they offloaded it and never saved the password to it.

SMS 2FA may be more insecure, but it confused them less and meant my access to their phone = access to 2FA. Security isn't the only thing that matters.

16 comments
Laukidh :ablobcool:

@shortridge now that iPhone keychain can also act as a 2FA device, I bet that’ll get easier. Not easy.

Dan Neuman

@shortridge Ugh. My tax account uses SMS 2FA. Will have to tell my spouse to hang onto my phone for a while until everything is sorted. She has the password to my password manager. But soon Apple will require touch or Face ID to change some security settings. Can't wait to see how this shakes out.

Kelly Shortridge

@dan613 there was a very real moment when I told the deceased person's spouse that we might have to wait on cremating them to use their thumbprint.

thankfully, we guessed their device passcode correctly (it wasn't written down anywhere).

it's uncomfortable to think about this "use case" when designing or implementing, but sudden incapacitation can happen to anyone so imo should be taken more seriously.

Dan Neuman

@cy @shortridge Not on an iPhone anymore. (It only has Face ID and only 1 face)

Chris

@dan613 @shortridge pretty sure you can have 2 faces, something like "alternate appearance", can't check right now.

Dan Neuman

@cy @shortridge Yes, for wearing glasses or a mask. Not sure if there has to be some overlap in the faces or if they can be completely different.

Chris

@dan613 @shortridge anyway, since face/touch is only a convenience option for the phone password, just write up that password and put it somewhere safe next to the others :)

Kevin P. Fleming

@shortridge Went through this a year ago and had similar experiences. If I hadn't been a very knowledgeable tech person I would not have been able to get it done, and that's a bad situation for all those who are not.

mastodon.km6g.us/@kevin/109334

rrb

@shortridge NIST dropped the prohibition on writing down passwords. Writing down is a good idea. A better idea is to use a password manager, which would also document all the accounts you have. The password manager also generates high-entropy passwords.

You can give your loved one an up-to-date copy. Have it password protected, but then there is only one password to have on paper.

I use KeePass.

Chris

@shortridge I would prefer webauthn/passkey with yubikey. You'll need a backup token anyway, so just tell your person how to use it. (actually get them yubikeys for their own accounts, too)

Kelly Shortridge

@cy you are vastly overestimating the usability of yubikeys for non-technical people, especially the elderly.

many elderly people no longer even have fingerprints, too

Chris

@shortridge it is "plug into USB, press button when prompted", how is this more complicated than typing a code from an SMS? And you don't need a fingerprint for it.

silvio

@cy @shortridge

This is so far from the truth for non-tech savvy people.

For me it's ok if my mum builds passwords from the first letters of long sentences, like I explained to her 10 years ago. She can cope with that. I won't explain new ways of managing pwds to her every 2 years, because that only makes her insecure and then she just takes insecure pwds.

the cake is offline

@cy @shortridge bro, I have worked in tech for 30 years and Yubikeys are still largely unusable to me. Because in order to use them you need to A) know where they are, B) have a device with the right port and software, C) have everything configured, and D) have *physical access* to the relevant port, while also seeing the relevant screen.

As a disabled person with severe ADHD, chronic pain, and other health problems, coordinating all those variables for every login is fucking impossible.

Chris

@cakeisnotalie @shortridge
I understand your concern. Haven't thought from that angle, thanks for sharing. However, I do think your points get worse for other MFA types, no? Maybe backup keys would be sufficient next to the password. Or back up the webauthn private key in the backup password manager.

Still unusable for non-techies. MAYBE one should include a techie friend in the last-resort recovery plan for your non-techie person.
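The "backup keys" Chris mentions, and rrb's point that a recovery plan should come down to one thing written on paper, both rest on single-use backup codes: random codes the person prints once, which the service stores only as salted slow hashes and invalidates after one use. The following is an added example of that pattern, not code from the thread or from any product; the alphabet, code length, count and PBKDF2 cost are my own assumptions for the demo.

```python
import hashlib
import hmac
import math
import secrets

# Constructed example of single-use backup codes (the "backup keys" kind of
# recovery factor mentioned in the thread). Not code from any product or from
# the thread's participants; alphabet, lengths and iteration count are
# assumptions chosen for the demo.

# Alphabet omits 0/o and 1/l/i so a code read off paper is hard to mis-transcribe.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10          # characters of actual code, shown as xxxxx-xxxxx
CODE_COUNT = 8            # codes issued per user
PBKDF2_ROUNDS = 50_000    # assumption: demo cost, not a tuned recommendation


def code_entropy_bits() -> float:
    """Guessing strength of one code: log2(alphabet size) per character."""
    return CODE_LENGTH * math.log2(len(CODE_ALPHABET))


def generate_code() -> str:
    """Random code from the OS CSPRNG, formatted for reading off paper."""
    raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
    return f"{raw[:5]}-{raw[5:]}"


def normalize(code: str) -> str:
    """Accept what a human actually types: any case, with spaces or dashes."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


class BackupCodeStore:
    """Server-side record: salted slow hashes only, never the codes themselves."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.hashes: set[bytes] = set()

    def _hash(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", normalize(code).encode(), self.salt, PBKDF2_ROUNDS
        )

    def issue(self) -> list[str]:
        """Generate a fresh set, keep only the hashes, hand back plaintext once."""
        codes = [generate_code() for _ in range(CODE_COUNT)]
        self.hashes = {self._hash(c) for c in codes}
        return codes

    def remaining(self) -> int:
        return len(self.hashes)

    def redeem(self, code: str) -> bool:
        """Consume a code: constant-time compare, and a code never works twice."""
        candidate = self._hash(code)
        for stored in self.hashes:
            if hmac.compare_digest(candidate, stored):
                self.hashes.remove(stored)
                return True
        return False


if __name__ == "__main__":
    store = BackupCodeStore()
    for c in store.issue():
        print(c)
    print(f"{code_entropy_bits():.1f} bits per code, {store.remaining()} unused")
```

The printed sheet is the only artifact the non-technical person or their next of kin needs to keep with the vault passphrase; the service side never holds anything that could be replayed if its database leaks, and a used code cannot be reused from a photo of the sheet.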
