I don't think anyone actually wanted to learn about this, but it's stayed on my mind for being "an argument that's wrong and I can prove".
Background:
A while ago I made fun of a Facebook friend (call her D) for her "let them eat cake" cluelessness. This was during the 2018 (?) California wildfires when she made a big post saying how thankful she was that, in miserable air conditions, she could "still get her groceries" through delivery services. That prompted me (and, among others, another FB friend, "E") to drop our jaws and say, "Um, you don't care that you're just offloading all that suffering to poor workers that can't afford to just stay home, and will be breathing the lung-destroying air in your stead?"
(And, to be sure, there's the argument that someone total utility is increasing by virtue of how said workers still have the option to expose themselves to risks for money, and the counterargument about "well why have OSHA that workers can't opt out of ..." which is its own topic but didn't really appeal to me or E at the time.)
So far, so good.
But later, during the pandemic, it came out that E, for similar reasons, didn't feel comfortable just getting delivery so she could stay home when we were being asked/mandated to.
Those ... situations don't seem analogous at all to me, and I don't think someone should feel bad for ordering delivery during a pandemic like in an air quality emergency like wildfires. Here's why:
A) In a wildfire, you are shifting all of the hazard of the smoke onto the people who bring your deliviers.
B) But in a pandemic, moving to delivery reduces the hazard for everyone, including the delivery people.
In Kantian terms: If "everyone did it", then everyone would still benefit in case B). But in A), all the avoidance by the rich "D" personas would be matched by losses to those who still have to deliver.
To elaborate on B: the way a delivery service works, every worker involved has less Covid-spreading contact than than if everyone were shopping at a grocery store. The warehouses that set up the goods for delivery can, for their part, refactor and apply inexpensive countermeasures to reduce those worker's exposure. Furthermore, with everyone moving to delivery, you get economies of scale, allowing everyone to afford the delivery service.
So, to me, it didn't didn't seem like you were doing anyone a favor out of solidarity to keep getting your grocerys through in-person shopping.
Sunday, August 15, 2021
Thursday, April 1, 2021
Leaked Google initiative: No more passwords!
I have an inside source that's claiming Google will be rolling out a new replacement for passwords and other secrets for authenticating users. They shared the upcoming blog post/press release with me. They're moving to a more "holistic" authentication system? Let's see if this pans out. In any case, here's the not-yet-released announcement.
***
User logins protect websites from malicious actors, like spammers and trolls. So when you go online, only people with legitimate credentials can access the useful features of the site -- and others can't impersonate you. For years, you've used logins -- such as a username and password -- to prove to the site that you are who you claim to be, like this:
Some go even further and add a second factor to authenticate with, like an SMS code or one-time-password generator like you might have in the Google Authenticator app.
But, we figured it would be easier to just directly ask our users who they are -- so, we did! Following on our earlier success with No CAPTCHA reCAPTCHA, we’ve begun rolling out a new API that radically simplifies the login experience. We’re calling it "Credential-Free Authentication" and this is how it looks:
On websites using this new API, a significant number of users will be able to securely and easily verify their identities without (separately) having to provide credentials: no password, no rotating code. Instead, with just a single click, they’ll validate who they claim to be.
While the new login API may sound simple, there is a high degree of sophistication behind that modest interface. Authentication has long relied on attackers not having critical secrets, like a password or random number generator seed or other private information. You may have heard the traditional formulation, that authentication requires you to provide something you have, something you are, or something you know.
However, our research recently showed that it's about as likely for the genuine user to be missing the credentials as it is for a malicious actor. How many times have you forgotten your password or encountered a bug with your password manager? (Not GPM, of course!) Thus, challenging users for credentials is no longer a dependable test.
Furthermore, attackers are often able to steal user credentials, forcing providers to rely on a secondary layer of fraud identification, so as to lock accounts when users behave suspiciously. You've seen this if you've ever had a credit card declined for an unusually large or remote purchase.
That got our security engineers thinking: if we already have to analyze a user's behavior in order to catch account compromises, why not just use that as the authentication? It would cut two carrots with one knife! After all, an attacker might be able to guess your password or your credit card information, but they will never be able to mimic the full depth and breadth of how you interact with websites, from your browing history, to your cookies set, to the way you move your mouse.
Following the "No CAPTCHA" model above, we developed an Advanced User Analysis backend for logins that actively considers a user’s entire engagement with the the Internet to determine who that user is. This enables us to rely less on "Do you have the secret?" and, in turn, offer a better experience for users. Now, users can just click a radio button, and in most cases, they’re logged in. In fact, you'll rarely have to log in at all, because sites will "recognize" you, just like you don't have to show your ID to go into an event venue a second time if the bouncer recognizes you.
However, authentication challenges aren't going away just yet. In cases where our tracking cookies and other behavioral metrics can't confidently predict who someone is, we will prompt the user for additional information, increasing the number of security checkpoints to confirm who the user really is. For example, you might need to turn on your webcam or upload your operating system's recent logs to give a fuller picture.
As more websites adopt the new API, more people will see Credential-Free Authentication. Early adopters, like Snapchat, WordPress, Twitch, and several others are already seeing great results with this new API. For example, in the last week, the number of support tickets for account resets on WordPress went down by 90%. Twitch reported similar figures -- and also was able to unmask several sockpuppets who had been manipulating discussions and vote totals.
To adopt the new CFA API for your website, visit our landing page for more.
Good users, we'll continue to keep the internet safe and easy to use. Bad users, it'll only get harder to hide yourselves and take over legitimate accounts -- sorry we're (still) not sorry.
***
Edit: Yes, this was an April Fools joke.
***
Are you who you claim to be?
User logins protect websites from malicious actors, like spammers and trolls. So when you go online, only people with legitimate credentials can access the useful features of the site -- and others can't impersonate you. For years, you've used logins -- such as a username and password -- to prove to the site that you are who you claim to be, like this:
Some go even further and add a second factor to authenticate with, like an SMS code or one-time-password generator like you might have in the Google Authenticator app.
But, we figured it would be easier to just directly ask our users who they are -- so, we did! Following on our earlier success with No CAPTCHA reCAPTCHA, we’ve begun rolling out a new API that radically simplifies the login experience. We’re calling it "Credential-Free Authentication" and this is how it looks:
On websites using this new API, a significant number of users will be able to securely and easily verify their identities without (separately) having to provide credentials: no password, no rotating code. Instead, with just a single click, they’ll validate who they claim to be.
A brief history of user authentication
While the new login API may sound simple, there is a high degree of sophistication behind that modest interface. Authentication has long relied on attackers not having critical secrets, like a password or random number generator seed or other private information. You may have heard the traditional formulation, that authentication requires you to provide something you have, something you are, or something you know.
However, our research recently showed that it's about as likely for the genuine user to be missing the credentials as it is for a malicious actor. How many times have you forgotten your password or encountered a bug with your password manager? (Not GPM, of course!) Thus, challenging users for credentials is no longer a dependable test.
Furthermore, attackers are often able to steal user credentials, forcing providers to rely on a secondary layer of fraud identification, so as to lock accounts when users behave suspiciously. You've seen this if you've ever had a credit card declined for an unusually large or remote purchase.
Introducing Credential-Free Auhentication
That got our security engineers thinking: if we already have to analyze a user's behavior in order to catch account compromises, why not just use that as the authentication? It would cut two carrots with one knife! After all, an attacker might be able to guess your password or your credit card information, but they will never be able to mimic the full depth and breadth of how you interact with websites, from your browing history, to your cookies set, to the way you move your mouse.
Following the "No CAPTCHA" model above, we developed an Advanced User Analysis backend for logins that actively considers a user’s entire engagement with the the Internet to determine who that user is. This enables us to rely less on "Do you have the secret?" and, in turn, offer a better experience for users. Now, users can just click a radio button, and in most cases, they’re logged in. In fact, you'll rarely have to log in at all, because sites will "recognize" you, just like you don't have to show your ID to go into an event venue a second time if the bouncer recognizes you.
But are you really that person?
However, authentication challenges aren't going away just yet. In cases where our tracking cookies and other behavioral metrics can't confidently predict who someone is, we will prompt the user for additional information, increasing the number of security checkpoints to confirm who the user really is. For example, you might need to turn on your webcam or upload your operating system's recent logs to give a fuller picture.
Adopting the new API on your site
As more websites adopt the new API, more people will see Credential-Free Authentication. Early adopters, like Snapchat, WordPress, Twitch, and several others are already seeing great results with this new API. For example, in the last week, the number of support tickets for account resets on WordPress went down by 90%. Twitch reported similar figures -- and also was able to unmask several sockpuppets who had been manipulating discussions and vote totals.
To adopt the new CFA API for your website, visit our landing page for more.
Good users, we'll continue to keep the internet safe and easy to use. Bad users, it'll only get harder to hide yourselves and take over legitimate accounts -- sorry we're (still) not sorry.
***
Edit: Yes, this was an April Fools joke.
Labels:
humor,
infosec,
internet,
technology,
user interface design
Subscribe to:
Posts (Atom)