
It is not overstating the case, I don't think. Large security teams have done population-level studies on this. You feel like "freedom means users can be phished". That's fine, private companies are going to make different choices on the freedom/security spectrum than you'd prefer.


> It is not overstating the case, I don't think. Large security teams have done population-level studies on this.

If it were that easy, then wouldn't everyone have been phished by now? I've certainly received plenty of scam emails myself, and I think it's safe to assume almost everyone else has too.

> private companies are going to make different choices on the freedom/security spectrum than you'd prefer.

It's not that simple, because we don't have a free market. Three big companies — Apple, Google, Microsoft — have nearly the entire consumer market share for both operating systems and web browsers, and they're colluding to eliminate passwords. If they succeed, then I as a private individual and a private company (self-employed) will not be able to make a different choice than those three big private companies. None of us will be able to make a different choice.


I think the reasonable assumption of serious security teams is that past some number of people with access, and absent phishing-proof authentication, the probability of a successful phishing attack approaches (and probably rapidly approaches) 1. You can dispute this, but security teams are going to disagree with you, they have the data, and your freedom/security spectrum doesn't mean anything at all to people making corporate access control decisions.

I get that you're not talking about corporate access control, but rather your feeling that you're downwind of those decisions as a consumer, because Google and Apple are embracing the findings of corporate security research. I don't know what to tell you about that. If a friend asked me what they should do to secure their online accounts, I'd tell them to make sure they were using Google Mail, and to make sure they had Passkeys enabled.


What are you going to tell your friend if Google and/or Apple unexpectedly, permanently locks them out of their account, with no possibility of appeal, because they triggered some kind of false positive in the "security" algorithms?

Or if Google and/or Apple just happens to lose all of their data? https://news.ycombinator.com/item?id=38431743

These are real things that happen, as real and harmful as phishing.

And yes, I'm talking about free consumers rather than corporate drones. Of course, in a corporate environment, you're not likely to get permanently locked out unless you're fired, and you won't experience personal data loss, because corporate data isn't yours in the first place.


I'm going to tell them that that's much less likely to happen than them getting owned up, and that the outcome of them getting owned up is much worse than the outcome of having a problem with Google or Apple. I know† lots of people that have been owned up, and zero people who have had the problem you're describing.

I'm also going to tell them to beware of technologists, who have rooting interests that are more about industry politics and big picture principles than about user safety. I'll tell them that people lobbying against the increasing influence of big tech companies on security are going to lose that fight anyways, so there isn't much point in staking any of their personal safety on the debate, even if they do believe in it (in reality: very few of them will care).

Regardless: just as a connoisseur of Internet nerd argumentation: if you're going to come at Passkeys, you need to do better than "the Unix greybeards were right about HTML email", because (a) no they weren't and (b) it obviously wouldn't matter if they were.

† personally (added later)


> I'm going to tell them that that's much less likely to happen than them getting owned up, and that the outcome of them getting owned up is much worse than the outcome of having a problem with Google or Apple.

Citation needed.

> I know lots of people that have been owned up, and zero people who have had the problem you're describing.

Anecdotal. My personal experience is the opposite.

> I'm also going to tell them to beware of technologists, who have rooting interests that are more about industry politics and big picture principles than about user safety.

You don't think I care about user safety? To the contrary, I care deeply about it. I just don't believe that paternalism and infantilizing the public increases public safety; rather, I believe it creates the very conditions that make the public ripe to be exploited.

> you need to do better than "the Unix greybeards were right about HTML email"

I have no idea what you're talking about. This is a straw man argument.


It's a quote from the article.


Ah, ok. Given that we're deep in a thread, I assumed you were talking about my arguments.

In any case, that one paragraph in the article wasn't even intended as an argument against passkeys, since the HTML email ship sailed long ago (though I still use plain text religiously).



