  • Showing only topics with the tag "authentication".
    1. If you could rebuild user authentication on the web from the ground up, what would you do?

      lou's post here resonated with me and my attempts to get my family to use better security practices (i.e. 2FA, password managers). They're very difficult for the average user to wrap their brain around, and they have the ability to create catastrophic fail states if used incorrectly. Furthermore, even when they work well, they can still be kind of clunky (different sites use different methods; writing down/printing recovery codes feels like a dated solution alongside other tech-forward things).

      Also, outside of this, password requirements are their own bugbear, with nearly every site having different criteria. Even as someone who uses a password generator and manager on the regular, I still have to adjust the password creation criteria to do things like fit character limits or specific requirements (and don't get me started on forced resets!). I totally get why so many people reuse passwords, or have a default one that they sort of modify as needed to fit a given site's needs.

      From my (admittedly super limited) perspective of a lay user: usernames, passwords, 2FA and the whole stack seems like something that's suffering under the technical debt of decades' worth of web development and networking. It seems like things have inched forward and many new layers have been added to address emergent problems, but the whole system gives a sort of barely-held-together-by-tape feel.

      What if we could use what we know now and redesign things from the ground up? If we could start fresh, today, what might username authentication look like beyond the usual username/password combos that we're so used to?

      I'm interested in any ideas -- not necessarily just feasible ones.

      Also, despite me being the one prompting this thread, don't feel the need to simplify technical explanations or anything. I'm mostly interested in lurking and seeing what all you very smart techy people have to say about the topic. :)

      12 votes
    2. Help with Google accounts authentication on iOS/iPadOS

      Edit:

      This was resolved by @tomf (cf. this comment).


      Google’s account authentication appears to be broken for me for some reason.

      I have several devices and several Google accounts accumulated over the years.

      Accounts:

      1. Work Google account (this was set up by IT staff at the company where I work as they are a paying enterprise Google services customer)
      2. Undergraduate University account (this was set up when I attended undergrad, where the University is a paying Google services customer)
      3. Graduate University account (this was set up when I attended for grad school, where the University is a paying Google services customer)
      4. Personal Google account (this was set up a long time ago, it’s just a non-paid, consumer Google account)

      Under iOS and iPad OS, Google apparently asks you to download the official Google app in order to sign in and “trust” devices, so that they can send you prompts to acknowledge when you sign in on other devices. There is also the Google Authenticator app that lets you do traditional 2FA.

      Further background, I got an iPhone 12 Pro circa October 2020. I gave my old iPhone handset to my dad (after signing out of everything and resetting it according to Apple’s instructions). Ever since, I’ve been having issues with logging into my Google accounts from the new iPhone, my iPad, and my Mac (provided by work). I’m actually afraid to log out of my work Google account on my work Mac, because I’m afraid I won’t be able to log in again, and that would prevent me from being able to get work done.

      For example, let me walk through the steps I would normally take to log in to my Undergraduate University Google account on my iPad:

      1. Open the Google app
      2. Tap user icon in top right corner
      3. From the modal menu, tap the downward chevron (circled in red)
      4. Tap “Add another account” (circled in red)
      5. Tap “Continue” on the confirmation widget when prompted
      6. Enter the Gmail address for the account in the provided “Email or phone” input box and tap “Next”
      7. At this point, I wait for the progress indicator (the blue bar with the red arrow pointing to it) to indefinitely traverse from left to right over and over again and I cannot progress further.

      Virtually the same steps can be reproduced from my iPhone by going to accounts.google.com from any browser (I’ve tried Safari and Chrome).

      The same sort of authentication redirect from accounts.google.com happens when trying to add my associated Gmail accounts to my iOS devices from the Settings > Mail > Accounts > Add Account, and similarly stalls at the same point.

      I’ve tried logging out of my accounts from my personal Mac where I can still log in from google.com, and also tried going into the security settings for the accounts and disabling, then re-enabling 2FA (I can receive the text message with the code to associate my iPhone as a second factor authenticator, so Google knows my phone number).

      Google’s support documents don’t provide any guidance on this situation where the accounts.google.com authentication hangs, and there seems to be no way to contact a human being at Google to provide technical support. I’ve searched their help portal/forums, and found nothing similar to my issue. They point me down a tree that ends here, which is not useful to me.

      If Google’s services don’t work for you, it seems to be your problem, not theirs. I get that I’m not paying for their services, so it is totally unreasonable for me to expect any sort of technical support from Google. But, at the same time, it seems very strange that I am alone in my use case of simply trying to log into my accounts that have worked for years in the past without issue.

      Anyone have advice on next steps?

      5 votes
    3. Feature Request: SQRL authentication

      Hi,

      I found an SQRL client on F-Droid, it seems like a pretty good concept, any thoughts on this?

      Here are the docs https://www.grc.com/sqrl/sqrl.htm

      I also opened an issue on GitLab so it can also be commented on there: https://gitlab.com/tildes/tildes/issues/304

      10 votes