Pradyumna Shome

@pradyumna

Security researcher, board gamer, long-distance runner, EDM enthusiast, boba guy, and dancing goat. Spending my tempo rubato admiring pointillism. pradyumnashome.com

128 Followers
204 Following
8 Posts
Joined 16.08.2023

Latest posts by Pradyumna Shome @pradyumna

I'm now a Researcher at @carnegiemellon.bsky.social within the CyLab and HCII, where I'll be tackling security and privacy challenges in emerging technologies from a human-centered lens, to further my vision of Usable PETs. If you're in the area or share my interests, I'd love to meet up!

03.02.2025 13:20 👍 2 🔁 0 💬 0 📌 0

Is that Elsa? It's funny, she taught PL in OCaml for years at UIUC!

29.11.2024 09:15 👍 1 🔁 0 💬 0 📌 0

+1
To add to your list: dependable, conscientious, diligent, tactful, interpersonal, warm, and helpful. Nothing is a solo endeavor!

27.11.2024 23:09 👍 0 🔁 0 💬 1 📌 0

The Tools and Tactics Used in Intimate Partner Surveillance: An Analysis of Online Infidelity Forums | USENIX

An orthogonal problem is coercion-- how do you prove someone took an action uncoerced (authenticated or not)? This is one of the (currently unsatisfied) requirements for secure electronic voting, and for systems that protect against intimate partner abuse. usenix.org/conference/u...

27.11.2024 23:02 👍 0 🔁 0 💬 0 📌 0

Neuroscience Meets Cryptography: Designing Crypto Primitives Secure Against Rubber Hose Attacks | USENIX

I could say the same about decentralized key management. Secret keeping by humans seems intractable in the general case, except for this one scheme I'm aware of -- "Neuroscience meets cryptography: Crypto primitives secure against rubber hose attacks"
usenix.org/conference/u...

27.11.2024 23:02 👍 0 🔁 0 💬 1 📌 0

Device passwords are still user-generated, need to be easy to remember, and suffer from all the same problems that password managers were built to solve.

Cryptography relies on secrets, so I don't see us getting rid of them one way or another 🙃 -- but what about the UX?

27.11.2024 23:02 👍 1 🔁 0 💬 1 📌 0

It seems like we're going forward in one direction -- we've lowered the risk of account compromise (e.g. credential stuffing / data breach / phishing are less impactful and less probable). We haven't done away with passwords overall though.

27.11.2024 23:02 👍 0 🔁 0 💬 1 📌 0

Question for security folks given Chrome's latest passkey push: don't passkeys just massively increase the trust assumptions on your device password, just like a password manager with the master password? Is one device or master password harder to compromise than all other ones?

27.11.2024 23:02 👍 0 🔁 0 💬 1 📌 0