‘In a digital context, people are always acting through their computer. While we talk about authenticating a user, the thing that directly gains authority as a result of authenticating is that user’s computer. So if that computer is controlled by an attacker, the authentication system is moot.’
‘Tackling the authentication problem does not solve all security issues, but many security issues are authentication problems, so better authentication systems are a necessary part of fixing the world.
WebAuthn, the subject of this book, is such a system.’
https://www.imperialviolet.org/tourofwebauthn/tourofwebauthn.html
@js The opening sentence, "Passwords are rubbish," excludes every person for whom "something you have" is not viable: refugees crossing borders, unhoused persons, children of abusive parents, adults with abusive partners, elders with abusive caregivers, ...
"Mandatory 2FA is rubbish." would be a better start.