Authentication
Authentication is quite a large mess of half-finished ideas.
Passwords were bad, so we added SMS codes. Those got phished. Then came TOTP: better, but still phishable, because a six-digit code can be relayed to the real site in real time. Then passkeys, which are phishing-resistant in principle: the signature is bound to the site's origin, so a look-alike site gets nothing it can replay. But when they sync through cloud accounts, things become cloudy. The private key now lives wherever the vendor's account lives, which also locks you into that vendor. And services support them inconsistently.
And there is a hole. If you are not technical, you might ask someone to set up your fingerprints for you. But the helper may enroll one of their own fingers as well, and explain it with: supporting you otherwise becomes frustrating, I would need your finger chopped off so I can press it on the reader! From then on the helper can act as you, and nothing on the item tells you so.
Now what? I felt stuck and confused. What does authentication mean? I thought about it hard and found something out: it's several things put into a mixer. Mix strawberries with chicken. No thanks. So I tried to fish out the fruits and the meats, and I found six aspects: authentication, setup, intent, inspectability, channel and recovery. Let me describe them.
Authentication doesn't mean that you need to say who you are. It suffices that the open-air pool knows that this is your membership. But sometimes it is necessary to know who you are, for legal reasons: banks, taxes, contracts. So we have two types of identity. The abstract one is for memberships and accounts, for Google and Anthropic: they don't need to know exactly who you are, only that you are the same person who showed up before. The other identity is personal: the state vouches for you. Keeping these two roles separate keeps daily life out of the state's view, and keeps your legal identity out of the services' databases.
Setup (also called enrollment) is the act of creating and storing "trust". It has two facets: first the factors, like your fingerprint or your PIN, and secondly the service facet, where access to some service is paired with your identity. Once I have set up my YubiKey Bio 5 with my fingerprints and my passkeys, I log on to Google with my YubiKey by first inserting it, then touching the fingerprint reader on the YubiKey. The passkey then unlocks Google for me. Setup is important and very confusing. And it opens up security holes like the chopped-off finger above.
Intent is the guarantee that the item only acts when the holder wants it to. Possession alone isn't enough. Someone who steals the card, or holds it briefly, or waves a reader near your pocket, must not be able to authenticate as you. The item stays inert until the holder provides an extra factor: a fingerprint or a PIN. No factor, no action. This is what makes carrying the item safe. It also closes off remote and silent attacks: the item never acts on its own, never authenticates in the background, never signs without a fresh and deliberate signal from the person holding it. Note the difference between the two signals: a plain touch only proves that somebody is holding the item, while a fingerprint or PIN proves it is the enrolled person. A FIDO authenticator reports both ("user present" and "user verified") as flags inside the signed response, so the verifier can insist on the stronger one and a compromised browser cannot fake it.
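Here is how the verifier side of this looks in code, as an added example that is not part of the original post or of any vendor's implementation. It parses the fixed header of WebAuthn authenticator data (the part every assertion carries) and rejects assertions that lack a fresh presence signal, lack user verification, were signed for a different site, or fail the clone-detection counter. It also reads the backup flags, which is how a service can tell a synced passkey from a device-bound one. The relying-party ID, flag combinations and counter values are constructed for the example; signature verification over the authenticator data is assumed to happen elsewhere.

```python
# Added example, not code from the original post. It shows how a verifier
# (a WebAuthn relying party) reads the "intent" signals an authenticator puts
# into the signed authenticator data, and how it can tell a hardware-bound
# credential from a synced one. Only the fixed 37-byte header is parsed:
#   bytes  0..31  rpIdHash  = SHA-256 of the relying party ID
#   byte   32     flags     : bit0 UP, bit2 UV, bit3 BE, bit4 BS, bit6 AT, bit7 ED
#   bytes 33..36  signCount : big-endian counter, 0 if the authenticator has none
# Signature verification over authData || SHA-256(clientDataJSON) is assumed
# to happen elsewhere; because the flags sit inside the signed bytes, a
# malicious browser cannot set UV on the authenticator's behalf.
import hashlib
import struct

FLAG_UP = 0x01  # user present: a fresh touch or equivalent gesture
FLAG_UV = 0x04  # user verified: PIN or biometric checked by the authenticator
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential currently is synced/backed up


def parse_auth_data(auth_data: bytes) -> dict:
    """Split the fixed header of WebAuthn authenticator data into fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def check_intent(auth_data: bytes, rp_id: str, stored_sign_count: int,
                 require_uv: bool = True) -> tuple:
    """Return (accepted, reason). Rejects assertions that carry no fresh,
    deliberate user signal, were made for another site, or look cloned."""
    d = parse_auth_data(auth_data)
    if d["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch: assertion was made for another site"
    if not d["user_present"]:
        return False, "UP not set: no fresh presence signal, silent use"
    if require_uv and not d["user_verified"]:
        return False, "UV not set: possession only, no PIN or fingerprint"
    # Counter rule from the spec: if either side has a counter, the new
    # value must be strictly greater, otherwise a clone may be in play.
    if (d["sign_count"] != 0 or stored_sign_count != 0) \
            and d["sign_count"] <= stored_sign_count:
        return False, "sign counter did not increase: possible cloned key"
    return True, "synced credential" if d["backed_up"] else "device-bound credential"


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a constructed (not captured) authenticator data header."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


if __name__ == "__main__":
    rp = "example.com"  # constructed relying party ID for the example
    # Hardware key: touch + fingerprint, counter moved from 41 to 42.
    print(check_intent(make_auth_data(rp, FLAG_UP | FLAG_UV, 42), rp, 41))
    # Synced passkey: verified, no counter, but flagged as backed up.
    print(check_intent(make_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0), rp, 0))
    # Background assertion without any touch: rejected.
    print(check_intent(make_auth_data(rp, FLAG_UV, 43), rp, 42))
    # Assertion signed for a look-alike domain: rejected.
    print(check_intent(make_auth_data("examp1e.com", FLAG_UP | FLAG_UV, 43), rp, 42))
```

The order of the checks matters less than the fact that all of them read bytes the authenticator signed: the origin binding, the presence and verification bits and the counter cannot be altered by the page or the browser in between. A synced passkey passes the intent check like any other; the backup flags only tell the service that the key material exists in more than one place, which is exactly the cloudy part above.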
Inspectability means you can see what the item actually contains. Which fingerprints are enrolled. Whether a PIN is set. Which services the item is registered with, when, and under what account name. Without this, you can't notice that a stranger added a finger, can't audit which old accounts still trust the item, can't make informed choices about revocation. The item becomes opaque, and opacity is where silent compromise lives. A well-designed item shows its state clearly, in one place and on hardware the holder controls. For a YubiKey Bio, for example, the ykman tool can list the enrolled fingerprints (ykman fido fingerprints list) and the discoverable credentials stored on the key (ykman fido credentials list), both after entering the PIN; checking that list after someone has helped you with setup is how you would catch the extra finger.
Channel is how the item communicates with the verifier, the thing that checks your identity and lets you in or not. NFC for taps at turnstiles and payment terminals. USB for computer logins. QR codes for cross-device hand-offs. I can imagine special cards that have a tiny screen and camera embedded. The advantage of QR codes is that they make the communication visible: no invisible radio waves or electric currents sailing past you. A visible channel still needs the item's answer to be tied to the verifier it is answering, though, since a code can be shown to the wrong reader just as a card can be tapped on the wrong terminal.
Recovery is how access is restored when it is lost. I imagine there are three tiers. Self-managed: write the recovery secret on paper, lock it in a safe, take full responsibility. Private provider: pay a regulated company, separate from the services themselves, to hold an escrowed recovery hook on your behalf. State office: walk in, prove who you are, get your abstract identities restored without the services ever learning the state was involved. Choose whichever you like best.
So let me end with a list:
- Authentication — personal or abstract.
- Setup — create and install factors and passkeys.
- Intent — proven by an extra factor: fingerprint or PIN.
- Inspectability — factors and passkeys are visible.
- Channel — NFC, USB, QR via on-card camera and screen.
- Recovery — self-managed, private provider, or state office.
A real authentication item is a set of choices across these six. The current stack (phone, fingerprint, synced passkey) chooses badly on setup, inspectability and recovery. Strong cryptography covers, or perhaps better hides, some of those weaknesses, though.
Now, this is a simple and opinionated summary. By writing it I understood authentication better. There's a vision behind it. One aspect of this vision is using the state ID card as a simple authentication item, a bit like a YubiKey. I hope that both the summary and the vision are useful.