Re-imaged, lost, or bad updates on PCs wiping out all the saved passkeys and being locked out of all accounts during off-campus sales or design meetings.
Making staff look like idiots in front of clients is a resume-generating-event.
I'm not the OP, but I expect it's the same issues that have stopped me from using passkeys now.
His reply does give one aspect of it: passkeys are fragile. To be secure, they can't be copied around or written down on a piece of paper in case you forget, so when the hardware they are stored on dies, or you lose your Yubikey, or, as he described, the PC is re-imaged, all your logins die. That will never fly, and it's why passkeys are having a hard time being adopted despite them being better in every other way.
Passkeys' solution to that is to make them copyable, but not let the user copy them. Instead someone else owns them, someone like Google or Apple, and they will do the copy to devices they approve of. That will only be to devices they trust to keep them secure, I guess. But surprise, surprise, the only devices Apple will trust are ones sold to you by Apple. The situation is the same for everyone else, so as far as I know Bitwarden will not let you copy a Bitwarden key to anyone else. Bitwarden loudly proclaims they let you export all your data, including TOTP - but that doesn't apply to passkeys.
So, right now, having a passkey means locking yourself into a proprietary company's ecosystem. If the company goes belly up, or Google decides you've transgressed one of the many pages of terms, or you decide to move to the Apple ecosystem, again you lose all your logins. And again, that won't fly.
The problem is not technological, it's mostly social. It's not difficult to imagine an ecosystem that does allow limited and secure transfer and/or copying of passkeys. DNS has such a system, for example. Anyone can go buy a DNS name, then securely move it between all registrars. There could be a similar system for passkeys.
Passkeys have most of the bits in place. You need attestation, so whoever is relying on the key knows it's secure. The browsers could police attestation as they do now for CAs. We have secure devices that can be trusted to not leak passkeys in the form of phones, smartwatches, and hardware tokens. But we don't have a certification system for such devices. And what we don't have is a commercial ecosystem of companies willing to sell you safe passkey storage that allows copying to other such companies. On the technological front, we need standards for such storage, standards that ensure the companies holding the passkeys for you couldn't leak the secrets in the passkeys even if they were malicious.
We are at a frustrating point of being 80% of the way there, but the remaining 20% looks to be harder than the first 80%.
SIM banks used to be a thing, but they get less and less common every year.
Why are they dying out? Because they are not that easy to source, maintain, scale or achieve super high reliability with. Also, it's hard to offer a high availability option when the phone network only (well, in most cases) accepts one device per phone number.
Edit: Additionally, important to note is that most SIM cards can only be used for a prolonged time in that provider's phone network. You e.g. can not buy US SIMs, ship them to the EU and host them there. T-Mobile US (and others) cut you off after (usually) 2 months of roaming.
> Also, hard to offer a high availability option when the phone network only (well, in most cases) accepts one device per phone number.
1. I guess it depends on your providers/region. From all three German mobile network providers (Telekom, Vodafone, o2) you can get up to three SIM-Cards for the same number.
2. The VoIP provider Sipgate (sorry, again German) gives you as many SIM cards and eSIMs as you like (in exchange for money, of course). You can route mobile as well as land line numbers to a VoIP phone, VoIP client or mobile phones. They can all ring in parallel.
3. Many years ago, I saw a presentation at a CCC event. (Sadly I can't find a video of it just now.) It was from a guy who documented how he became a mobile provider. He wasn't just reselling, because his numbers terminated in his own Asterisk server! So maybe people looking for the best solution should look into how to become a virtual mobile provider.
I suspect they’re still used for outbound scam calls/texts (and maybe inbound too), and probably gray-market voip-pstn interfaces in countries that make int’l voip interchange expensive.
Some cool stuff on aliexpress with 128 SIM card slots and 8 or 16 gsm radios where you can program your choice of imei.
As a Canadian with crappy cellular coverage, I've dreamt of having a couple of French SIM cards that I could mail to France every so often so it looked like I wasn't 100% roaming, just to have a cheap unlimited data plan with cheaper int'l calling.
To clarify: do you need to forward phone calls, or only forwarding incoming SMS to another phone? (We are working on such a product and would love your feedback and wish list)
Yes, this is (also) a high priority. But it depends a lot on the country; some have very strict regulations around this. Which countries are you mostly interested in?
I was feeling the pain of 2FA and 2FA SMS for too long as well and thus built a product, Daito (https://www.daito.io), around the concept of shared 2FA as a service for companies and teams.
In addition to TOTP 2FA (our main service), we also started to offer 2FA via SMS via _physical SIM cards_ hosted in a data center in Germany (we are a German company), as every other solution we tried (Twilio + seemingly 50+ other, non-physical-SIM-card-based options by now) was simply not working reliably.
We have been talking to Twilio et al and a lot of telcos, carriers, ISP, providers and seemingly everyone in between: there simply is no easy and reliable solution to this. :(
In our tests the best reliability we could reach for national and international senders & receivers on VoIP-based numbers was only ever around 80%. We are still looking for other options, especially non-VoIP options that are actually affordable, but so far we can only offer a German number (+49). This number, however, is way, way more reliable than anything we have seen from others.
We currently support forwarding SMS to an email address, and webhooks for incoming notifications are in the works.
Anytime I think about these issues and this model I always wonder:
Can you get a cellular connection over a wire?
That is, instead of having 500 little radios connecting to one or two nearby towers, can you negotiate a direct connection to the tower and use the entire cellular stack except for the PHY ?
This is pretty much what we have been asking every supplier (telcos etc.) over the past 2 years. The answer is always no. And if it is a "Maybe, I think so", it turns into a "no" weeks or months later when they have finished digging through the corporate hierarchy.
The only solution that seems to work is old school SIM card hosting in a SIM bank. In some narrow cases, e.g. sender is in the country and receiver is in the same country, you might have pretty good (95%+) reliability of receiving critical SMS (A2P traffic), but still far away from what you'd call reliable.
There exists FOSS that could do this too (start with "osmocombb").
But the real problem here isn't technical, it's a business/legal issue: the carriers and their regulators are trying to minimize (or at least, reduce) the ability for bad actors to operate large numbers of "cell phones" at minimal cost/complexity.
So everything that could be done (technically) to make this work is, in practice, prevented by those business/legal considerations.
Open source stacks are already, or basically on the verge of being, obsolete in most of the world's telco networks if you want to actually use them. They are incredibly cool and a huge undertaking, but no one is saying they are practical for actual usage, and that's ignoring the clear illegality of broadcasting with such firmware.
Osmocom and others like FreeCalypso only work on very old devices with TI Calypso chipsets.
But in this context, I think the supported devices don't matter: the idea is to interface with one-or-more telcos directly at a higher level of the 3GPP stack?
You won't need the air interface - hypothetically just an appropriately rooted femtocell, carrier HSS/HLR/MME that can authn/authz you, and Asterisk server that is secure. Or a flooded Nokia Flexi on a rack shelf, I mean, they look cool, don't they...
Can you please elaborate on SMS 2FA being intercepted or snooped?
(Disclosure: working on a product to prevent exactly that and really curious to hear about those hijacking cases.)
We are a small, founder-led indiehacker company (based in Berlin, Germany) that is enabling companies around the globe to better secure their various SaaS accounts through securely sharing 2FA via our web-based 2FA authenticator solution, https://www.daito.io. We have been growing steadily over the past 2 years and are now looking to extend our team with an experienced rails full stack dev.
We are looking for a professional full stack ruby on rails developer, ideally with some multi-disciplinary experience in the background and at least 5 years of experience in startup environments using the usual tech stack(s).
Benefits & perks:
- No stupid meetings, no politics, no bullshit (+ no outside investors)
- Async & 100% remote work (very autonomous)
- Very small team (you'll work directly with the founders) and your chance to shape our product's future
- 40 hours of work per week max (but we are flexible re contract type, hours worked, etc.)
- We take attention to detail and minimizing tech debt seriously
Please reach out to hello@daito.io with some info about you (linkedin, github, CV, whatever you want to share) and at least a salary range you feel comfortable with.
As a long term 1Password user I can only shake my head. What are their PMs thinking?
If anybody is interested in not upgrading 1Password, maybe my SaaS https://www.daito.io/ , a web-based 2FA Authenticator, is an alternative for you and your team.
Any decent password manager nowadays allows sharing of 2FA tokens, it's not a technical problem, it's a managerial and staff training problem in non-tech industries. It is simply not enforced enough and there are still too many people who are not aware of the risks and can not be bothered to be inconvenienced.
Disclosure: My company is offering a web-based 2FA authenticator (https://www.daito.io/) that is explicitly for sharing 2FA tokens, but not usernames+passwords, thus eliminating a single point of failure. I regularly have discussions about why, and sadly why not, people are using 2FA. There are tons of small businesses & mom+pop shops out there who are at risk.
I hope the guidance gets upgraded to a mandatory requirement (as some platforms do) sometime soon.