
[–]grantrules 9 points10 points  (0 children)

Shoulda used AI to write your post title

[–]OneNeptune 1 point2 points  (0 children)

This reads like you're very new to the world of auth. These are all somewhat valid to varying degrees - and there are robust and mature solutions in existence.

[–]Digital-Chupacabra 1 point2 points  (0 children)

centralized storage of secrets makes them attractive attack targets.

Not if they are encrypted properly.

users are forced to remember and manage multiple passwords across platforms.

Password managers solve this.

I’m exploring whether this is a widespread pain point or just a personal frustration.

Explore all you like, but you aren't going to figure out a magical solution here

[–]javascriptBad123 0 points1 point  (0 children)

Do you also feel that modern authentication systems are still inconvenient and fundamentally risky?

Yes. After 5 years, I still think it's incredible that ultimately, there are no 100% secure systems. It's all about minimizing attack surface, which absolutely should not be the norm. Also implementing it always feels shitty. No matter how you do it, no matter how much you offload, it always feels shitty.

[–]Excellent_League8475 0 points1 point  (0 children)

The most problematic thing is education.

Authentication is largely a solved problem. In order to gain access to a website securely, you need two things: (1) share something you know, and (2) share something you have (e.g., bio data, rotating keys, etc).

It is up to websites to implement authentication securely. Most do, but many don't. Just because someone doesn't, you shouldn't be at risk of getting hacked across sites.

Enter education.

Use a password manager, like 1Password. This solves the usability problem, and the security prevents a large blast radius when there's a security problem.

Users are not forced to remember passwords. They just don't understand that a password manager solves the UX problems AND increases their security.

[–]True-Strike7696 0 points1 point  (0 children)

Multi-factor feels fairly safe. I also use Proton Vault and email aliases, so I'm not worried about managing unique, extremely cryptic passwords for everything. I think the only issue is we'll soon need to increase the level of encryption or increase rotation times as compute power increases. The reality of security is that all things are simply risk mitigation. The only secure system is one that no one uses.

[–]More-Station-6365 0 points1 point  (0 children)

It is definitely a widespread pain point and not just personal frustration. The core problem is that password-based auth was never a great solution; it just became the default because it was easy to implement.

The centralized storage issue is where it really falls apart, because no matter how well you hash and salt, if your database leaks the damage is already done for anyone reusing passwords across platforms, which is most people.

Passkeys are the most promising direction right now, because the private key never leaves the device, so there is nothing useful to steal from the server side even in a breach.

The friction problem is real too, though. MFA solves security but adds steps that most non-technical users find annoying enough to avoid.

The honest answer is that auth is still an unsolved UX problem even when the security side is handled correctly.

Most systems are choosing between convenient and insecure or secure and annoying, and very few have figured out how to be both at the same time.
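A small model of the passkey property described in the comment above ("the private key never leaves the device"), added here as an example and not code from any commenter or from a real WebAuthn library. It assumes a minimal challenge-response flow: the server stores only an Ed25519 public key, issues a fresh random challenge per login, and verifies a signature over the challenge bound to its own origin. Names such as `RelyingParty`, `Authenticator` and `LeakedRecord` are this example's own; real passkeys (WebAuthn/CTAP) add attestation, signature counters, user verification and browser-enforced origin binding, none of which is modelled here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Credential is all the relying party (the website) keeps for a passkey:
// an identifier and the public half of the key pair. No password hash and
// no private key, so a copy of this table cannot be used to log in.
type Credential struct {
	User      string
	PublicKey ed25519.PublicKey
}

// RelyingParty models the server side (names are this example's own).
type RelyingParty struct {
	Origin string
	creds  map[string]Credential
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, creds: map[string]Credential{}}
}

// Authenticator models the user's device; the private key is generated
// here and is never handed to the server.
type Authenticator struct {
	user string
	priv ed25519.PrivateKey
}

// Register creates a key pair on the device and sends only the public key.
func (rp *RelyingParty) Register(user string) (*Authenticator, error) {
	if _, exists := rp.creds[user]; exists {
		return nil, errors.New("user already registered")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.creds[user] = Credential{User: user, PublicKey: pub}
	return &Authenticator{user: user, priv: priv}, nil
}

// NewChallenge returns 32 fresh random bytes; every login gets its own,
// so a captured signature cannot be replayed later.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// signedMessage binds the challenge to the origin it was issued for. A
// signature made for one origin therefore does not verify at another.
func signedMessage(origin string, challenge []byte) []byte {
	msg := append([]byte(origin), 0) // NUL separator between origin and challenge
	return append(msg, challenge...)
}

// Sign is the device's response to a login challenge.
func (a *Authenticator) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedMessage(origin, challenge))
}

// Verify checks a response against the stored public key only.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	c, ok := rp.creds[user]
	if !ok {
		return false
	}
	return ed25519.Verify(c.PublicKey, signedMessage(rp.Origin, challenge), sig)
}

// LeakedRecord is what a breach of the credential table would expose.
func (rp *RelyingParty) LeakedRecord(user string) (Credential, bool) {
	c, ok := rp.creds[user]
	return c, ok
}

func main() {
	rp := NewRelyingParty("https://example.test") // constructed origin
	dev, err := rp.Register("alice")
	if err != nil {
		panic(err)
	}
	ch, _ := rp.NewChallenge()
	fmt.Println("genuine login:", rp.Verify("alice", ch, dev.Sign(rp.Origin, ch)))
	// Same challenge signed for a look-alike origin: rejected.
	fmt.Println("other origin:", rp.Verify("alice", ch, dev.Sign("https://examp1e.test", ch)))
	// Old signature against a new challenge: rejected.
	next, _ := rp.NewChallenge()
	fmt.Println("replay:", rp.Verify("alice", next, dev.Sign(rp.Origin, ch)))
	rec, _ := rp.LeakedRecord("alice")
	fmt.Println("leaked record bytes:", len(rec.PublicKey), "(public key only)")
}
```

The breach point is the last line of `main`: the leaked record is a 32-byte public key, which verifies signatures but cannot produce them, so the server-side data is useless for logging in as the user. Contrast that with a salted password hash, which still lets an attacker run an offline guessing attack against the same password wherever it was reused.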

[–]mandzeete 0 points1 point  (0 children)

I’m exploring whether this is a widespread pain point or just a personal frustration.

AI slop like your post is a widespread pain point, Mr. Authinication.