Authentication Afterlife: the dark side of making lost password recovery harder
Author(s):
Ewen McNeill
Location
Room 6
Date
Tue 14 Jan
Start
14:05
Duration
0:35:00
End
14:40
https://lca2020.linux.org.au/schedule/presentation/118/
Description:
Historically, authentication was by username and password, perhaps with email as a password reset flow. Users often wrote down their passwords (particularly older users), and possibly they only had a few passwords and it was pretty easy to try all of them.

Modern times have proven that passwords, particularly reused passwords, are insufficient security for any slightly valuable account. So lots of people are using password managers, randomised passwords, and 2FA (hardware tokens, TOTP, etc). Some accounts also require an additional authentication flow (email, SMS) for "new device" logins. "Security Aware" users are using randomised answers to security challenge questions, perhaps also stored in their password managers.

This "security improvement" has a flip side: it's gone from being unlikely users will forget their passwords or get locked out, to being more likely users will lose access to their accounts through loss of 2FA or additional authentication paths (e.g., phone number, or email), and more likely that users will struggle with lost password recovery.

And there's a darker side still: if the user is incapacitated, or has passed away, often someone else close to them will need to act "on their behalf" with those accounts (for legitimate transactions, to send out notifications, or just to archive the account), and will likely struggle to gain access to them without the original user's full set of password manager / 2FA / etc.

How do we balance the need to improve authentication security, and reduce the simplicity of malicious account takeover, with the need for there to be a way for legitimate account use by bereaved family members, or other trusted associates? There are no easy answers here, but considering the questions is important.