About Authentication
Let's lament how fragile the world is. For every main scenario there are always a million edge cases that either nobody tested, or everyone turns a blind eye to, or both. Sometimes it's scary to even think about them. 😬
Take, for example, authentication on the internet. Almost everywhere it's either OAuth through some corporation or by phone number. And it seems convenient for normal people, but in both cases your eggs end up in far fewer baskets than you'd like.
Get banned on Google, and you've lost access to half the internet. With phone numbers it's even worse. Operators can resell a number if you haven't used it for long enough (a few months). If you have one number, you risk everything at once. If you have several numbers, for example in different countries, then as a user you have to build a whole process for maintaining the appearance of life: get several devices for the different SIM cards, turn them on periodically, keep paying for them. And you can also lose your phone, but that's a completely different story.
It's even funnier when you end up on the other side, as the one who bought a "new" phone number. And (surprise) accounts all over the internet are registered to it. You suffer too, and there's nothing you can do about it either. I failed the thought experiment of trying to figure out what I would do in this hypothetical situation. And the further we go, the more likely this becomes.
2FA on top of all this makes the situation even worse, since each factor adds its own point of failure. It's clear that proper 2FA is TOTP or passkeys with a backup in a third place, not a phone number. But this isn't possible everywhere, and how many people actually do it?