undefined | Better HN

0 pointsprima-facie1d ago0 comments

What Google has done is incredibly clunky and only serves its own interests. We already have methods to prove that we're human.

1. lots of laptops have fingerprint readers & TPM2 build-in

2. lots of folks own Yubikeys or FIDO2 keys - if these became the norm then the price would come down significantly.

Both of these methods only require a tap to authenticate to a website. Both provide public-key authentication, and both provide some level of proof of work / require human interaction, without revealing the identity of the end-user.

Why not use or standardise these? because there's no benefit to Google of course.

0 comments

nerdsniper1d ago

Those don't prove that a human is present. A FIDO2 key can be automated by electronic relay. The only way to do this involves device attestation - locking devices down and utilizing hardcoded TPM/Secure Enclave esque chips. The best we can hope for would be an open standard for those chips so that people can use them with their own X.509 certificates that lets them choose their own CA.

nitwit0051d ago

Real hardware doesn't mean a human is present either, unfortunately. It just means that you have to spend on real devices to bypass these defences.

prima-facieOP1d ago

This was exactly my point as well. Everything that can be automated will eventually be automated.

nerdsniper1d ago

Maybe Worldcoin really was the answer after all XD

karlgkk1d ago

neither 1 nor 2 can prove you're a human. sorry

seba_dos11d ago

neither can Google Cloud Fraud Defence, and yet we're here

karlgkk1d ago

ironically, some of the controls in gcfd have a good probability of detecting a human versus a robot!

j / k navigate · click thread line to collapse

0 comments

nerdsniper1d ago

nitwit0051d ago

Real hardware doesn't mean a human is present either, unfortunately. It just means that you have to spend on real devices to bypass these defences.

prima-facieOP1d ago

This was exactly my point as well. Everything that can be automated will eventually be automated.

nerdsniper1d ago

Maybe Worldcoin really was the answer after all XD

karlgkk1d ago

neither 1 nor 2 can prove you're a human. sorry

seba_dos11d ago

neither can Google Cloud Fraud Defence, and yet we're here

karlgkk1d ago

ironically, some of the controls in gcfd have a good probability of detecting a human versus a robot!

j / k navigate · click thread line to collapse