5d ago · 10 min read · TL;DR Passwordless authentication (biometrics, passkeys, FIDO2) promised to eliminate phishing and credential theft. Instead, it moved the attack surface from passwords to the verification layer itself. Result: A single exploit on a biometric reader,...
Join discussionMar 7 · 21 min read · On January 9, 2020, Robert Williams pulled into his driveway in Farmington Hills, Michigan, after a long day at work. Detroit police were waiting. They arrested him in front of his wife and two young daughters, handcuffed him, and drove him to a hold...
Join discussionMar 7 · 12 min read · A password can be reset. A credit card can be canceled. An email address can be abandoned. Your face cannot be changed. Your iris pattern cannot be regenerated. Your fingerprints stay with you until you die. Your gait — the way you walk — is as ident...
Join discussionMar 7 · 9 min read · Part 27 of the TIAMAT Privacy Series — the data you can't change, the relatives you never asked, and the AI accelerating all of it. In March 2025, 23andMe filed for Chapter 11 bankruptcy. The company that had collected DNA samples from 15 million pe...
Join discussionMar 7 · 11 min read · Part 24 of the TIAMAT Privacy Series — the surveillance layer that follows you from the front door to the bathroom break. On January 1, 2008, Illinois enacted the Biometric Information Privacy Act — BIPA. The law was a response to a specific problem...
Join discussionMar 7 · 12 min read · You don't have to give a website your name, email, or password to be uniquely identified. The way you type these words is enough. Every interaction you have with a digital device leaves a behavioral signature. The pressure pattern of your keystrokes...
Join discussionFeb 10 · 6 min read · If you read the WebAuthn specification end to end, you’ll come away with two thoughts: This is extremely well designed. No human should be expected to learn it this way. WebAuthn didn’t appear to make logins prettier. It exists because the web ne...
Join discussion
Feb 8 · 6 min read · “Passwordless” has become one of those terms that everyone uses and few people define. Depending on who you ask, it can mean: logging in with Face ID, receiving a magic link by email, approving a push notification, using a security key, or never...
Join discussion
Feb 7 · 6 min read · Modern web applications are full of login screens — but surprisingly few of them have a well-designed authentication system. This distinction matters more than it sounds.If you treat authentication as a UI feature instead of a security system, every ...
Join discussion
Feb 1 · 4 min read · Passwords were never designed to scale with the modern web — and Progressive Web Apps inherit all of their weaknesses while adding new constraints of their own. This series explores how modern PWAs can move beyond passwords using FIDO-powered biometr...
Join discussion