We don't need fancy new standards at this point [for most use-cases]. What we need are security-focused product and design folks to adopt the things that already exist, and have done for many years. But that means the infosec world pointing to the solutions and saying "use these".
For sure. Two things:
1. I still see lots of people say "password managers are enough", and I profoundly disagree and think that sentiment holds us back.
2. I've been doing this (casually) for ~14 years at this point and while there's been some progress, it's not nearly enough.
This has been an interesting thread to follow for me. I have a question. What makes folks think that the security industry is not building solutions to these issues? We can create great new solutions all day long, but we can't force product owners to adopt them.
But the likelihood is that most people won't be using Okta, won't just have one password, and will re-use their password. Using one password puts most people at ongoing risk, which for some people (human rights workers, domestic violence survivors) is more extreme than others.
😁 I am 100% okay with one password. It's actually way easier than 2FA or device-based auth (the battery in my phone sucks). I think this is achievable! Frankly, beyond using it every day, I built and deployed it 7 years ago. So I know it's achievable.