
There’s also re:claimID¹, which should be fully distributed and work on top of GNS², but it’s still very much a work in progress.

1. https://reclaim.gnunet.org/
2. https://gnunet.org/en/gns.html




First promotion point:

> Self-sovereign You manage your identities and attributes locally on your computer. No need to trust a third party service with your data.

Why do people assume that is a good thing? I do cybersecurity at work (among other things) and it takes a lot of effort to keep things both available and secure. My home PC, not to mention the PCs of my friends, is never going to be as secure.

A system which has a chance will have to be federated, not local-only.


I work in crypto and we sell a hardware device to keep your seed phrase secure and the physical device is required to sign transactions.

But then you should listen to the advice we're given if we use one for personal use.

1. buy two devices

2. Generate a phrase on one then import to the other

3. Put the second one in a safety deposit box in another city or state, or a safe with a family member also out of the city or state.

4. Keep a copy of the phrase on steel seed phrase tool (Steely, etc)

5. Mount the steel seed phrase backup inside of a wall of your house and plaster and paint over it.

6. If your phrase ever gets seen by any electronic means, it's compromised and the process must be redone (note that importing uses a randomly shuffled alphabet on the device to make MITM or keylogging attacks unusable).

So... Security is hard. We should build systems that make it easy. There should be ways to recover from backups if a service goes offline, but we can't expect everyone to make good decisions.

Not to mention having passwords synced between devices and available on demand is really a requirement if you use random passwords for every site and need to log into something (heaven forbid) on someone else's device.


> [effective and meaningful] Security is hard. We should build systems that make it easy

These are in direct conflict with each other.


Not necessarily.

What's your threat?

Most people are not trying to stop a determined attacker. Most people just want random people to not be able to get into their stuff, same as a physical lock.

They carry a physical key on their person. It's not too much to ask them to carry a "digital" key on their key ring.

The problem is that most "digital" keys are a pain in the ass:

1) Mostly because everybody wants to "centralize" authentication so that they can charge you and administrate you.

2) Secondarily because there is no good solution for talking to the key on your person. NFC sucks. USB requires that I plug my key in. WiFi requires that the device be able to hit your network. BLE has no access from web pages.

BLE is probably the best choice, but there is no real money in making it work.


Any tool used to create another tool is the very tool that will be used to help dismantle that other tool.

There is no way around this... Security isn't a state, it's a process. It relies on the human to propagate it. A bit like a garden.

Make the process simple for the user (but not thoughtless) and that is about as good as is going to get.



