The Inner Circle

#repost Saw this post on reddit this morning and wanted to get the community's opinion on the future of passwordless logins.

"I read more and more about passwordless logins and how it's the future, but I'm not entirely sure how to feel about them. By passwordless logins is meant that you can login with a one time password (OTP) that you aquire by email, sms, an app or hardware key (ex Yubi key). The main reason usually being that the user does not have to deal with passwords.

I myself have no issues dealing with passwords, I use a password manager and randomly generate a strong password for each login. I always enable 2FA preferably with an app wherever I can. I believe that this is the most secure as it is a combination of something you know and something you own (phone/hardware key). I also prefer an app over a hardware key since you always need to have it with you if you want to access something on the go with the risk of losing it. Sms and email OTP I try to avoid.

But I'm not like most users and I know from my girlfriend and friends that it's not very common to setup 2FA as they find it annoying having to look at their phone for a OTP. I've been able to convince them to use a password manager, but 2FA is a step too far.

So does it make sense to just skip the passwords all together? I see why they want to skip passwords. Since the majority of users still reuse and/or have weak passwords, even with password manager adoption and most users don't bother to setup 2FA unless forced.

What is your opinion about this? And could this be the solution that offers better security while still being somewhat convenient?"
------------------------------
Olivia Rempe
Community Engagement Specialist
Cloud Security Alliance
------------------------------

#repost Saw this post on reddit this morning and wanted to get the community's opinion on the future of passwordless logins.

"I read more and more about passwordless logins and how it's the future, but I'm not entirely sure how to feel about them. By passwordless logins is meant that you can login with a one time password (OTP) that you aquire by email, sms, an app or hardware key (ex Yubi key). The main reason usually being that the user does not have to deal with passwords.

I myself have no issues dealing with passwords, I use a password manager and randomly generate a strong password for each login. I always enable 2FA preferably with an app wherever I can. I believe that this is the most secure as it is a combination of something you know and something you own (phone/hardware key). I also prefer an app over a hardware key since you always need to have it with you if you want to access something on the go with the risk of losing it. Sms and email OTP I try to avoid.

But I'm not like most users and I know from my girlfriend and friends that it's not very common to setup 2FA as they find it annoying having to look at their phone for a OTP. I've been able to convince them to use a password manager, but 2FA is a step too far.

So does it make sense to just skip the passwords all together? I see why they want to skip passwords. Since the majority of users still reuse and/or have weak passwords, even with password manager adoption and most users don't bother to setup 2FA unless forced.

What is your opinion about this? And could this be the solution that offers better security while still being somewhat convenient?"
------------------------------
Olivia Rempe
Community Engagement Specialist
Cloud Security Alliance
------------------------------

#repost Saw this post on reddit this morning and wanted to get the community's opinion on the future of passwordless logins.

"I read more and more about passwordless logins and how it's the future, but I'm not entirely sure how to feel about them. By passwordless logins is meant that you can login with a one time password (OTP) that you aquire by email, sms, an app or hardware key (ex Yubi key). The main reason usually being that the user does not have to deal with passwords.

I myself have no issues dealing with passwords, I use a password manager and randomly generate a strong password for each login. I always enable 2FA preferably with an app wherever I can. I believe that this is the most secure as it is a combination of something you know and something you own (phone/hardware key). I also prefer an app over a hardware key since you always need to have it with you if you want to access something on the go with the risk of losing it. Sms and email OTP I try to avoid.

But I'm not like most users and I know from my girlfriend and friends that it's not very common to setup 2FA as they find it annoying having to look at their phone for a OTP. I've been able to convince them to use a password manager, but 2FA is a step too far.

So does it make sense to just skip the passwords all together? I see why they want to skip passwords. Since the majority of users still reuse and/or have weak passwords, even with password manager adoption and most users don't bother to setup 2FA unless forced.

What is your opinion about this? And could this be the solution that offers better security while still being somewhat convenient?"
------------------------------
Olivia Rempe
Community Engagement Specialist
Cloud Security Alliance
------------------------------