Passwords are a weak authentication mechanism and incur liability. MFA is good, Passkeys are better. One time passwords via email are tolerable, still better than passwords.

(customer identity and access management is a component of my work at a fintech)

Your fintech is probably not among the 99% of accounts GP says don't warrant 'anything fancy'.

IME as a customer/user, financial institutions are some of the worst culprits for doing appalling things in the name of security (theatre) anyway.

Yes, because financial institutions are responsible for losses incurred via account takeover.

And yet no financial institution in Canada supports WebAuthn hardware tokens - instead choosing to bake their own scheme within their app or use SMS.

And yet they are still out here offering voiceprint authentication

JP Morgan Chase does this, regrettably.

[deleted]

let me guess, until last year you had deployed a Java applet keypad for users to log in? and today every time I call, your recording offers to enroll in voice print?

yeah I will not be taking advice from the majority of people in fintech on this topic. thank you.

Security-wise, passkeys are worse than username/password plus WebAuthn as the second factor.

But better than username/password + TOTP, and username/password + WebAuthn had really low uptake.

Username/password + TOTP is still better than username/password + one time email, no? Especially since the latter creates additional dependencies/risks for the user in the form of an email account.

They're about the same. The important factor is phishing resistance (neither TOTP nor email links have that), and an account that has lost its primary email account is 99% of the time already boned. I would use TOTP in preference to email backup, but that's mostly an affectation.

The reality is that TOTP has been obsolete for a while now. It's a net negative for ordinary users that is kept front-of-mind for everyone because nerds like us are attached to it.

This is actually the first I've heard of this, re considering TOTP to be not worthwhile. Can you recommend some links to material for me to read to get up to speed with the argument?

Basically everything ever written about U2F, WebAuthn, and phishing-proof authentication generally is about the weaknesses of TOTP. The principal component of the problem is phishing.

There are sites requiring TOTP to mitigate careless users using dumb passwords, because the sites can't guarantee passwords aren't reused but they can enforce TOTP.

Even for phishing, doesn't it count for something that TOTP prevents asynchronous phishing (collect credentials on a fake site, try them in batches later)?

No, it does not. Everybody agrees that password + TOTP is better than just plain passwords. Everything is better than just plain passwords. But I've personally worked on large, high-stakes projects where TOTP phishing was a continuous problem, and it's really difficult to solve. Since we have options besides TOTP that aren't susceptible to phishing, people shouldn't be pushing TOTP anymore.
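The point the comment above makes (a TOTP code verifies no matter which site the user typed it into, while a WebAuthn assertion is bound to the origin the browser saw) as an added illustration that is not part of the thread; keys, origins and the challenge are constructed values, and an HMAC stands in for the authenticator's public-key signature rather than reproducing the real WebAuthn wire format:

```python
"""Why TOTP is not phishing resistant and an origin-bound assertion is.
Constructed demo values; the HMAC 'signature' is a stand-in for WebAuthn's
public-key signature, not the real protocol encoding."""
import hashlib, hmac, json, struct

# --- RFC 6238 TOTP (HMAC-SHA1, 30 s step) ------------------------------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    # The server checks only secret and time: nothing in the code records
    # which website the user believed they were typing it into.
    return hmac.compare_digest(totp(secret, unix_time), code)

# --- Origin-bound assertion, modelled on WebAuthn's clientDataJSON -----------
def make_assertion(cred_key: bytes, challenge: str, origin_seen_by_browser: str) -> dict:
    # The browser, not the page or the user, fills in the origin field.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin_seen_by_browser}, sort_keys=True).encode()
    sig = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}

def verify_assertion(cred_key: bytes, assertion: dict, challenge: str, rp_origin: str) -> bool:
    data = json.loads(assertion["client_data"])
    if data["origin"] != rp_origin or data["challenge"] != challenge:
        return False  # produced for another origin: rejected before any signature check
    expected = hmac.new(cred_key, hashlib.sha256(assertion["client_data"]).digest(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])

# Constructed demo values (not real secrets or sites)
SECRET = b"constructed-totp-seed"
CRED_KEY = b"constructed-credential-key"
RP = "https://bank.example"
LOOKALIKE = "https://bank-example.com"

def demo(now: int = 1_700_000_000) -> dict:
    code = totp(SECRET, now)                       # user reads this off their phone...
    totp_relayed = verify_totp(SECRET, code, now)  # ...and the real site accepts it regardless
    chal = "c29tZS1yYW5kb20tY2hhbGxlbmdl"
    direct = verify_assertion(CRED_KEY, make_assertion(CRED_KEY, chal, RP), chal, RP)
    relayed = verify_assertion(CRED_KEY, make_assertion(CRED_KEY, chal, LOOKALIKE), chal, RP)
    return {"totp_relayed_accepted": totp_relayed,
            "assertion_direct_accepted": direct,
            "assertion_relayed_accepted": relayed}
```

The TOTP function is the standard RFC 6238 construction, so it reproduces the RFC's published test vectors; the assertion half only models the origin check, which is the part that defeats a relay.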

What is your currently preferred option for a general (not an especially sensitive domain like banking) consumer site?

TOTP is not phishing resistant, passkeys are. Also, TOTP can be screen grabbed.

If and only if you somehow manage to compromise one secret without compromising the other.

[deleted]