Welcome to The Long View—where we peruse the news of the week and strip it to the essentials. Let’s work out what really matters.
This week: Passkeys is getting another big-tech supporter, and the four-day workweek train picks up speed.
1. Passkeys: FIDO2-WebAuthn With Added Cloud
First up this week: Google announces its plans to support Passkeys. Essentially a usability layer atop WebAuthn, Passkeys promises to do away with the password.
Analysis: Beware of the dog?
DevOps people should keep a close eye on this and add support if appropriate. But, as I outlined earlier this year, many tech-heads are naturally cynical about lock-in and letting “privacy invading megacorps” profit from users’ private data.
Adam Conway: Google is bringing passkeys to both Android and Google Chrome
“WebAuthn API can be implemented”
Passwords, while convenient, are inherently flawed. … That’s why passkeys, which Google has announced it’s bringing to both Android and Google Chrome, is important. … Earlier this year, Apple, Google, and Microsoft announced that they will be adopting the FIDO standard for passkeys on all major platforms. … This would make passwordless sign-ins more commonplace.
On Android, it’ll turn your smartphone into a passkey that can be used to log in to a website. These passkeys are then synced through the Google Password Manager for easy access across your devices. … While it will start with support for websites only, the idea is that developers will be able to implement it in their apps. [And] Passkeys are platform-agnostic, meaning that you can even log in to services that support passkeys using a Mac running Safari.
If you want to try it out, developers can enroll in the Google Play Services beta and use Chrome Canary. … The WebAuthn API can be implemented on websites for compatibility with passkeys in Google Chrome, Android, and other platforms. An API is also expected to be released later this year for native Android apps.
Rock me, Ron Amadeo: Death to passwords
Big Tech wants to kill the password. … Passkeys are backed by Google, Apple, Microsoft, and the FIDO Alliance, so expect to see it everywhere soon.
The password manager revolution is all a hack … built on top of that original text box. We don’t really need the text box anymore. … Passkeys just trades WebAuthn cryptographic keys with the website directly. … Your phone will … authenticate with some kind of biometric, like fingerprint unlock. The phone will communicate with the client over Bluetooth, the browser unlocks your passkey and then sends that to the website.
But many people smell lock-in. For example, wnevets:
Passkeys sounds like another way for companies like Google and Apple to lock you into their walled garden. Having each walled garden randomly generating a key for every single domain instead of using the actual domain name as part of the key is a great way to lock regular people into their respective ecosystems.
The artificial problem these walled gardens are creating [is] having every single domain getting its own randomly generated private key. The only practical way to keep all of these randomly generated keys synced across multiple devices is to use the “cloud.” If instead the per site key was generated using a private key and the domain name, users would only need to transport that one private key to another device and would get syncing for free without the requirement of the “cloud.”
If the actual domain name is used to generate the key that would also completely eliminate the ability to do phishing attacks. Paypal.com and PaypaI.com would generate two completely different keys [and] remove the [need for a] third party cloud service.
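The derivation wnevets proposes, sketched as an added example (it is not part of the original column, and it is not how any shipping passkey implementation works): one master secret plus the domain name yields a per-site key seed. The use of HKDF-SHA256, the names `site_key_seed` and `normalize_domain`, the salt label and the sample secret are all assumptions made for illustration.

```python
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()  # extract step
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # expand step
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def normalize_domain(domain: str) -> str:
    """Lower-case and IDNA-encode so 'PayPal.com' and 'paypal.com' map to one key."""
    return domain.strip().rstrip(".").lower().encode("idna").decode("ascii")


def site_key_seed(master_secret: bytes, domain: str) -> bytes:
    """Derive the 32-byte seed for one site's key pair from the single master secret."""
    if len(master_secret) < 32:
        raise ValueError("master secret must be at least 32 bytes")
    return hkdf_sha256(
        master_secret,
        salt=b"per-site-key-v1",  # hypothetical domain-separation label
        info=normalize_domain(domain).encode("ascii"),
    )


# Constructed sample secret; a real one would come from a CSPRNG.
MASTER = bytes(range(32))

if __name__ == "__main__":
    # Same domain in different case gives the same seed; the look-alike
    # domain (capital I in place of lower-case l) gives an unrelated one.
    for d in ("paypal.com", "PayPal.com", "paypaI.com"):
        print(f"{d:12} {site_key_seed(MASTER, d).hex()}")
```

The seed would feed a deterministic key-pair generator such as Ed25519, so a second device holding the same master secret re-derives identical per-site keys with no sync service. The trade-off is that anyone who obtains the master secret can re-derive the key for every site.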
Other criticisms point to a lack of trust. Join Jiro:
I don’t trust Google. … There have been a number of infamous cases of Google closing people’s accounts for spurious reasons and allowing them no way to appeal. What’s going to happen if you have passkey support … and then Google locks you out of your account?
Banished to Planet Aarth, it’s TheThirdDictor: [You’re fired—Ed.]
As a security guy, I’m not convinced that this is the right direction. … I don’t think passwords are outdated or conceptually misconceived. … The answer is multi-factor authentication … coupled to secure authenticator-based MFA.
In the end, there is nothing we can come up with that will stop all identity impersonation attacks. Can’t be done. … But we can dramatically reduce the likelihood without having to use Bluetooth … and without having to rewrite every website in existence. … I don’t think it requires abandoning passwords.
But how is this different from WebAuthn? It isn’t, says u/AndiCui:
It is webauthn. It now syncs and doesn’t require additional hardware to use. That’s the point. “Normal people” are more likely to use it because almost no one wants to buy and carry a key just to log in to websites.
2. Four-day Workweek Pilot: Survey Says …
Would you like an extra day off every week? How about if you still had the same workload? That’s the promise of the “4 Day Week Global” organization.
Analysis: So far, so good
Pilot schemes around the globe are returning similar results: It just works.
Steven J. Vaughan-Nichols: The four-day workweek works
“The writing is on the wall”
Last June, in a UK pilot project, thousands of employees started working a four-day week for the same pay. … Four months later, the results are coming in. And — drumroll, please — people on a four-day-a-week schedule work just as well as those on a traditional schedule. … 95% of companies … say their productivity levels have either stayed the same or improved.
Workers get 100% pay for 80% of the ordinary work time while working with an expectation of 100% productivity. … People come to their work more refreshed and energized. … Staff turnover … burnout, sick days, and … quiet quitting all decreased significantly. … The writing is on the wall for those who can read it.
[But] when Henry Ford introduced the five-day week over his entire business … critics argued that his workers wouldn’t be as productive if they weren’t working 48 hours a week. They were wrong, then. They’re wrong now.
It’s not a new idea, but its time has come, argues Eric Johansson:
Working after the pandemic is different. … The four-day work week is coming … despite companies having opposed the idea of a four-day work week for years.
Bosses have often rejected the notion in the past, but analysts believe they better get used to it. … The tech industry has always been perpetually short on talent and in a candidate-led market, they’d be wise to listen to what workers want.
And there are other advantages for the business. @Wests040 offers one example:
The pros are even stronger right now … for energy crunched Europe! We need to stop empowering terrorist regimes.
The Moral of the Story:
I am not bound to please thee with my answer
You have been reading The Long View by Richi Jennings. You can contact him at @RiCHi.
Image: Ashley Smith (via Unsplash; leveled and cropped)