Earth 2.0’s soft launch was met with modest success, but some far-right critics claim the day 1 patch, which removed racism, bigotry, and hate based on identity, makes the game “unplayable.”

Perspective: shoebox.

Values: likely shoebox-based, or perhaps worshipping the ever-present AC

Science: science as a set of principles and methods for understanding the physical world wouldn’t be affected by a man or men in a shoebox.

I wasn’t really sure what you were talking about, so I looked them both up, and I think there’s a really good chance your optician gave you Nazi-tinted lenses by mistake.

Gotcha, point taken. Ultimately, I think there needs to be a better identity proofing process overall. But that may rely on a total infrastructure overhaul, which seems unlikely.

I get what you’re saying, but it’s not about getting locked out. It’s about other people using recovery methods to take over your account. Why would anyone try to break through durable public-key encryption when you can just phish a victim’s email account password?

And it’s not like real-time phishing for 2FA/MFA isn’t widespread—it’s just not automated to the same level as other methods. That said, two- or multi-factor is going to stop 99% of automated hacks. It’s the determined ones that I’m concerned about.

In regards to the Apple thing… Apple passwords can be reset using a recovery email. That means the security of the account leaves Apple’s ecosystem and relies on the email provider. So, if I’m a cybercriminal determined to hack your account, I start there.

Then, if you’ve got your keychain all set up, it’s time for a SIM swap. I clone your SIM or convince your mobile carrier to give me a SIM with your number. And even if recovery contacts and keys are alternatives, the use of SMS is problematic. If you really can turn it off, then I’m all for it. But if you can’t be sure, neither can I.

SMS is a very low-security option that is showing its age. It was never intended to be a secure verification method, yet it’s become incredibly popular due to its availability. Unfortuantely, telecom companies are simply not interested in upping their security.

All SIM swap protection is opt-in at this point. Verizon and the gang might wise up considering the lawsuits leveled at them by victims—many of whom lost millions in cryptocurrency due to the carriers’ negligence—but it’s not likely.

The point here isn’t that passkeys are bad for consumers. They’re convenient and about as secure as existing methods. The problem is that they’re being sold on average folks as a security upgrade even though they’re more of a sidegrade. PKI/FIDO already existed before the whole passkeys buzz did, and it had the same limitations. This is mostly just branding and implementation.

I’d anticipate that most providers will do something similar. I just mentioned Apple because they’ve been pushing their “cloud backup” hard while still using SMS as a fallback.

I’d be interested to hear which provider, if any, has managed to get around the usual (vulnerable) channels for recovery.

Glad this is being discussed. Having worked adjacent to the authentication market, I have mixed feelings about it, though.

There are a few problems with passkeys, but the biggest one is that no matter what, you will always need a fallback. Yes, Apple promises a cloud redundancy so you can still log in even if you lose every device.

But that’s just Apple’s ecosystem. Which, for what its worth, is still evolving. So the passkey itself is phishing-resistant, but humans still aren’t. Fallbacks are always the weakest link, and the first target for bad actors. Email, or sometimes phone and SMS, are especially vulnerable.

Passkeys in their current iteration are “better” than passwords only in that they offload the fallback security to your email provider. Meanwhile, SIM swapping is relatively ready easy for a determined social engineer, and mobile carriers have minimal safeguards against it.

Usability? Great, better than knowledge-only authentication. Security? Not actually that much better as long as a parallel password, email, or SMS can be used as a recovery or fallback mechanism.

I’m not saying passkeys are bad, but I’m tired of the marketing overstating the security of the thing. Yes, it’s much more user-friendly. No one can remember reasonably complex passwords for all 100 of their online accounts. But selling this to the average consumer as a dramatic security upgrade, especially when so many still run passwords in parallel or fall back to exploitable channels, is deceptive at best.

Maybe, idk, let Taiwan decide what is best for Taiwan?