It’s the 21c, passwords shouldn’t exist.
What’s the alternative? It would have to be something that wouldn’t work if the user was unconscious and that offered plausible deniability if they were awake and being coerced.
What, other than a password, offers that?
Relatedly, I don’t even know most of my passwords these days. I use a password manager (one that doesn’t require internet access) that generated random strings. I only ever see them if I accidentally paste them into the wrong field.
Certification.
Make once, prove everywhere.
The real problem is there’s not really a better solution that works well for private accounts owned by individuals who only have a single device.
They say that authentication is using either something you know, something you have or something you are, but in the real world it ends up being something you’ve forgotten, something you’ve lost and something that you were at one time but are no longer.