Welcome to The Long View—where we peruse the news of the week and strip it to the essentials. Let’s work out what really matters.
This week: The Passkeys authentication standard gets a huge boost, and IBM’s Arvind Krishna wants workers back in the office.
1. It’s Time to Get on With Passkeys
First up this week: Now that Google’s on board, this WebAuthn/FIDO standard has support from all three of the biggest names in tech. So why isn’t it in your plans?
Analysis: Time to start migrating from SMS, OTP and other broken forms of 2FA
2FA is good. We all know this. But simple codes can be intercepted or phished. If only there were a way to automate a challenge/response exchange, with the secret protected by biometrics and never leaving the device. Enter: Passkeys.
David Hamilton: Hate passwords? You’re in luck
“You’ll simply get a message on your phone”
Google has taken a big step toward making them an afterthought by adding “Passkeys” … a safer alternative to passwords and texted confirmation codes. … All you’ll have to do is verify your identity on the device using a PIN unlock code, biometrics such as your fingerprint or a face scan or a more sophisticated physical security dongle.
…
First step is to enable them for your Google account: … Visit the page g.co/passkeys. … signing into Google will only require you to enter your email address. If you’ve gotten passkeys set up properly, you’ll simply get a message on your phone or other device asking you for your fingerprint, your face or a PIN.
Lily Hay Newman: Passkeys gets its first massive boost
The passkey scheme is specifically designed to address phishing attacks by relying on … cryptographic keys stored on your devices for account authentication. … The next step toward passkey adoption is for services to actually offer passkeys as a login option for user accounts. So far, companies like PayPal, Shopify, CVS Health, Kayak, and Hyatt have taken the plunge. Today’s launch of passkeys for Google’s users is noteworthy given the company’s … sheer scale.
…
Google … is betting that once people get used to passkeys, they’ll like them better and find them easier to manage than passwords. And once you’ve set up a passkey on a device, Google will automatically detect it and prompt you to log in that way.
Will it work? adamsc says yes:
Here’s why I’m bullish on Passkeys: Right now, logging into Google on any of my Apple devices means a quick Face ID/Touch ID check—it’s faster and completely phishing-proof, and you never have to worry about password rotation, complexity, etc. … It doesn’t get any easier than looking at your phone.
…
This doesn’t disable passwords or prevent use of a Windows Hello or Google Chrome passkey. There’s also no reason to believe that it will remain limited to a particular platform as all of the major players have indicated that they’re already working on synchronization, but [anyway] you can register multiple devices.
“Completely phishing-proof”? Sora2566:
[The] device won’t ever send that “password” to a typosquatting domain, which kills entire swathes of attacks right there. Also, as they’re a public/private key pair, you have pretty much no chance running dictionary, brute-force, or credential stuffing attacks.
So if the need for a password goes away, how is this 2FA? One factor is something you have (the phone) and the other is something you are (your biometrics). im_thatoneguy explains more:
You store a key-pair on your TPM chip. Then you retrieve the token on your TPM and send that. Hackers would need your biometric data and your keystore/TPM hardware to retrieve the token, and even then as soon as you lost your device … you can invalidate all keys.
…
This is exactly how almost every web-api works these days: You authenticate and generate an API-Key that then can renew itself to request a new API key. If an API key is compromised, it’s blacklisted and the password is still safe.
In summary, dcow milks it: [You’re fired—Ed.]
Passkeys is a formalization of the idea that you should be using a password manager where all the passwords are random uncrackable 32 character strings. And if we add this constraint then we can do crazy secure things like employ asymmetric crypto to prevent phishing and MITM attacks.
2. Arvind Krishna Says Remote Workers Will ‘Suffer’
The CEO of formerly-relevant tech firm IBM (ask your parents) thinks your career is toast if you work from home. But he admits the reason might be because he doesn’t know how to do it.
Analysis: Armonk PR team grinding teeth
This interview is right there in the box labeled, “Examples of dumb things to say to a reporter.”
Matthew Boyle: IBM Chief’s Message to Remote Workers
“I don't understand”
The CEO of IBM, whose hybrid-cloud computing business has benefited from the rise of remote work, said … those who don’t … come into the office … would be hard-pressed to get promoted, especially into managerial roles: “Being a people manager when you’re remote is just tough because if you’re managing people, you need to be able to see them once in a while.”
…
“It seems to me that we work better when we are together in person,” said Krishna, who described the company’s return-to-office policy as “we encourage you to come in, we expect you to come in, we want you to come in.” … “In the short term you probably can be equally productive, but your career does suffer,” he said. “Moving … to another role is probably less likely because nobody’s observing them in another context.”
…
Remote workers, he said, don’t learn how to do things like deal with a difficult client, or how to make trade-offs when designing a new product. “I don’t understand how to do all that remotely,” he said.
Well, I dunno, perhaps you could learn how? Or employ someone else who does? ulrashida knows what it means:
Translation: IBM Chief doesn’t feel like learning how to develop or properly leverage remote employees. He says it right there in the article. … Disappointing that these leaders are able to stick their feet in the mud so deeply without any journalistic criticism.
He sounds terrified and out of touch, thinks monkeyxpress:
This guy is absurdly shortsighted. How can IBM’s board allow someone with so little vision to run a technology company? All the problems … with remote working (and fair enough, there are problems) are massive business opportunities.
…
There is … a huge competitive advantage for businesses that figure out how to make remote working successful, and this should terrify anyone in a senior leadership role. … This guy would probably have been bleating on about how there was nowhere to fill or repair the first automobiles, and everyone should just stick with horses.
With a neat summary, here’s toomuchtodo:
Advice taken from management in their 60s, 70s, and 80s should be evaluated with a critical eye, considering the time horizon of their experiences.
The Moral of the Story:
The two most important days in your life are the day you are born and the day you find out why
—Mark Twain
You have been reading The Long View by Richi Jennings. You can contact him at @RiCHi or tlv@richi.uk.