Dan Moore
Podcast Appearances
69 seconds with username and password slash MFA to eight seconds with passkeys. And so if you can get someone into Adobe quicker, especially someone who doesn't, like, have your depth of experience, Adam, right? And, like, doesn't really understand kind of the big thing and they just want to get to Adobe, and you can, you know, decrease it by 10x, that's a big win for everybody.
Right. So, um,
I will say that I totally understand the user experience benefits of that. It scares the crap out of me, right? Because the whole point of MFA is that you have a separate... And my guess is 1Password kind of segregates that stuff inside their own system, right? So that an attacker coming in, getting access to the passwords would have a harder time getting access to the TOTPs.
Again, just to push on this a little bit, it doesn't worry you at all that like this thing that is supposed to be a separate factor is all wrapped up in one place.
Well, and obviously it depends on your account, right? Like, there are probably accounts that you don't care about, right? But let's say your bank account, like, how much is that? Where are you on a scale where 10 is like, I better go change this right now, my hair's on fire, and zero is like, eh, you know, I don't really, I trust everything's fine.
And I just want to say, just as a disclaimer, I don't know anything about 1Password, right? Like, I'm not attacking them in general. It's, like, the general principle of, like... I think we should.
Yeah, I mean, I think that it does depend. I actually wrote a blog post about this, about the different kinds of MFA for customers. Again, employees are a different world because you can force them to do all kinds of stuff and you can spend money on it.
Totally, totally. But for customers, I think an important thing is that it is going to at least a different piece of software, right? So, um, you know, using passwords being pulled from a password manager and then using a different software authenticator app, like Google Authenticator or, um... There are some open source ones out there, even sending SMS.
I know SMS is problematic in some ways because it's attackable in certain circumstances for high-value accounts, but it's still landing in a different place on the phone. Email address: one thing that I think I wish everybody who allowed email as MFA would do is have multiple email addresses and have those email addresses not be tied to the email address you use to log in, right?
So I could set up, you know, if dan@[something].io is my login identifier, then dan@example.com is my MFA. And, again, you're just separating things out and, you know, every step you take to do this makes things just a little bit harder for attackers. Right.