August 2024 (1 month ago)

Authentication and security in the modern era

§
9 min read (1644 words)
· · ·

Overview

First, digital authentication and best practices with password managers will be reviewed. Next, different ways of constructing a digital presence: anonymous, pseudonymous, and real are reviewed. Finally, physical security: passwords for login, encrypted drives, 2FA codes, and digital ID scans are considered. Cross-linking of data: your email with your real name or your password for one account with other accounts is one of the most significant questions.

Digital presence

Digital presence can be anonymous, psuedo-anonymous, or real. Having a psuedo-anonymous or real presence allows for the establishment of reputation in a field, which is beneficial to one’s career and means of income generation.

Generally, being anonymous is a privilege only the rich can have without trade-offs. They enjoy all the benefits and don’t need to establish themselves in any way. Being anonymous while being nobody of importance is like being a bum hiding in the woods.

People may want a psuedo-anonymous identity if the content they talk about is controversial for the current time.

  • For example, American separation from the British during the 1700s. The Federalist Papers used a psuedo-anonymous identity, “Publius,” which was actually three people.
  • Authors may publish under a psuedonym, such as women publishing as men, if the circumstances are hostile to their background.
  • Alternatively, philosophers have crouched their ideas in obscure language to avoid retribution from the sovereign, as advocated by Strauss.
  • A leader may want to propose an idea so as not to influence others by their background itself because few would openly dismiss the leader. - Or someone well-known in a field wants their ideas to stand on their own merit.
  • Some things such as HIV infection, drug usage experiences, or engaging in risky behavior is not something that is advantageous to the self when revealed.
  • Whistleblowers and hackers also operate under these identities.

There are many valid reasons to have a psuedo-anonymous identity or brand. However, it comes with certain risks such as being revealed if the content you publish is controversial. Impersonation is a risk of both pseudo-anonymous and real identities. If you ever decide to go by your real identity, the accumulation reputation may not transfer over easily.

A real identity can be good because it enforces reasonably polite behavior. But downsides include telegraphing too much information (your location, which makes you target for break-ins) and the inability to say certain things without harm.

Platforms

While the internet was originally used so that most people had a blog or personal page, the difficulty of software engineering means that communities have fractured across the web based on content type: YouTube, Instagram, TikTok, Hacker News, podcast sites, etc. are all specialized for a certain type of information. Link aggregators have become popular so that people can centralize all their digital presences inside of these websites’ silos.

However, I’d say link aggregators don’t go far enough. People can make their username their domain name. That way, whenever they chat in Discord or make a comment online, they advertise their presence. My username is often kaiwenwang.me or kaiwenwang_dot_me in websites where periods are not allowed.In Twitter comments, people won’t need to click on the profile to see a personal link.

Adding the www. or https:// overcomplicates things. Without the _dot_, I think people wouldn’t realize it is a website.

How do most people live?

Most people possess not a complex digital setup. They probably have some email provider, a list of people in contacts, apps installed on their default home screen, a Google account and/or Apple account with a bunch of random sign-ins,

If they don’t use their password manager, they probably have a bunch of repeated passwords like TableChair1500!@#111 just to satisfy the password requirements.

Regardless of your background, you were probably a kid with various digital accounts like Tumblr and emails named XxXMinecraftMan3000XxX@gmail.com along with a bunch of duplicated passwords. You probably want to keep access to these old accounts while still starting fresh. You haven’t implemented all of these changes because of the effort of migration.

I’m going to propose an “ideal set-up” and a “good-enough” set-up. I may go into recommended specifics later on.

Ideal

Good-enough

  • Your usernames point to your domain name, and you have a personal website with some digital presence
  • You use a password manager
  • You have one email to secure your primary accounts, financial information, and so on. You have one email for purchasing goods and communicating with other people. You have one email that is literally just spam/to try out different sites.

Authentication

Navigating digital systems is essential to survival in large cities. One can call transport (rideshare apps), make food magically appear (delivery apps), navigate unfamiliar environments (map apps), pay for things.

However, each app and website has its own authentication method. The lazy would use their Apple or Google account as their method of signing into everything. But you end up needing multiple different accounts: Waymo only accepts Google, Instagram only lets you log on with Facebook, and some development websites ask for GitHub.

Invariably, someone will forget which “Log in with” provider they used. Your list of signed in accounts resides on niche menus inside the Google or Apple settings pages rather than inside one central authority.

For Google, the URL is https://myaccount.google.com/connections. For Apple, it lives at https://appleid.apple.com/account/manage, the Settings Sign in with Apple section under your main profile account, and inside the new iOS 18/MacOS Sequoia (15) Passwords app. GitHub also has common sign-ins at https://github.com/settings/applications.

alt text alt text

Although the risk of losing your main accounts is low, for personal UX I prefer to have every email and password inside a password manager instead.

It’s very seamless for someone to just log-in with one of their existing accounts as opposed to typing in their email and generating a password (regardless of whether they use something like Chrome’s in-built or KeePassXC).

App builders also realized people forget which OAuth provider they used. There’s a variety of authentication types (OAuth, SAML, SSO) that I won’t get into detail here. Authorization refers to the things a person can access after authentication.

alt text

Authentication Practices

The most secure and most private practice would be something like this:

  • Every account has a random email and random password generated

Picking an email name

Had government been responsible for building out the digital communications technologies, it’s likely that ID cards would be more strongly linked to email addresses and phone numbers.

However, we now have to claim an identity in a world of billions. So few will know us by real name. In fact, many people have our same name! That’s why German authorities use name/date of birth/birth location as a unique identifier.

We seem to be a combination of things: an in-person name, a domain name or online pseudo-nym, a number such as a passport ID, a series of relations to other people. Some serve the state and some functions serve the network.

We already decided that linking your usernames to a domain name based on your identity makes sense. But what about email? Ideally, you don’t want everyone to know your email or phone number—you’ll open a surface for spam and phishing attacks.

I feel like the best option is to always hide your email since even Equifax or financial instituions can get breached. Yet I haven’t found a good UX for using Apple’s hide my email.

For credit cards, it helps to have changing card numbers such as with Apple Card, Revolut, or privacy.com.

Back to emails. Don’t inlcude any personal information such as birth year or addresses in the email.

firstname.lastname variants

  • firstname.lastname@gmail | icloud | outlook.com
  • firstname_lastname@
  • first.lastname1234@
  • lastname.firstname@
  • firstnamelastname@ (hard to read)

I generally think firstname should be first, unless you live in a country where family name comes first. People feel comfortable with emails like this. Use these types of

There are variants that use initials that are okay as well that offer marginally more privacy. A lot of universities have emails like this.

  • kwang2042
  • kw123123
  • kw024

Why does it matter if your name is in your email or not? For privacy, you ideally want as little linkage between data points as possible. You’d want a random name and email when ordering things from online. Having your actual name or initials in this email defeats the purpose.

When communicating with people, you’d want an actual email with a display name set. For communciating with people you want something that is as easy to remember as possible.

Random numbers and letters

  • cnvpnifen@
  • 9nZ4jW6y@
  • 380947209@

Number-based emails are common with @qq but rare in US + EU. Using this for a spam email works. If you’re just using this to buy things online, it doesn’t matter.

Digital Security

Digital security is tough because of the sheer number of entry points.

One has to secure their PINs and passwords across a variety of devices:

  • Computer password
  • Tablet/Phone PIN
    • Your old electronic devices that are probably a different password but that you still keep around
  • eReader PIN
  • Watch PIN
  • PINs for SIM cards
  • PINs for credit cards
  • External and USB drives and their encryption passwords
  • Password Manager master passwords (which should handle all your website authentication)
  • Encrypted drive passwords

Along with a variety of digital documents such as:

  • 2FA recovery phrases
  • Cryptocurrency wallet phrases
  • 1Password security phrases
  • IDs
  • Health or financial documents
  • Verification keys for paid apps

All the while not forgetting their own password and locking themselves out. I find it’s easy to forget one’s PIN if the length is variable.

I wouldn’t recommend giving each device a different password. It’s too easy to forget. Instead, separate the items: never walk around with all your electronic devices together. Don’t enter your password in public. The biggest liability is entering the phone PIN in public. An alphanumeric phone password helps a bit.

You could try and hash the password to each of the devices, but what would the seed be? The color? The device name, which varies and has different versions and that you might misremember? The weight in grams? It’s too hard to find a seed to generate a hashed password in your mind for each device that is consistent.

My advice is that all the PINs should be the same. And passwords should guard against theft or eavesdropping rather than wrench attacks. The most likely situation is someone sees you type in your password from a camera or behind your back and then accesses your device. Make sure the password manager passwords are slightly different.