Date: 2024-04-23

Many IT leaders and engineers remember the earlier days of cloud adoption when cagey executives placed more burden of proof on big cloud providers for security and resiliency than they did on their own server cabinets housed in leaky janitors’ closets.

Putting the spotlight on the implication that the incumbent thing is automatically good has always been a favorite exercise of mine.

The fields of cognitive psychology and behavioral economics have studied several interrelated and overlapping phenomena that are relevant here. The godfathers of these fields, Daniel Kahneman and Amos Tversky, postulated the availability heuristic, whereby the most easily recallable things are erroneously judged to be the most true.

A closely derived spin-off of this heuristic is the familiarity heuristic. Subjects were shown a deck of names in which the female names were fewer but more famous, while the male names were more numerous but belonged to non-celebrities. The familiarity of the female celebrity names caused the subjects to believe that female names were more frequent in the deck.

But the phenomenon that best fits our considerations here is Robert Zajonc’s mere-exposure effect. As fascinating as it is scary, his body of work describes robust evidence that liking/disliking is what really drives our decisions, with cognition playing a startlingly minor role the majority of the time. This effect, in turn, can be hacked simply by repeated exposure to a stimulus.

More insidiously, Zajonc demonstrated that low-level, less noticeable stimuli can get under our radars and cause us to like something via feelings of familiarity without our being conscious of it. More recent scholars of the lineage appear to support the assertion that usually, very little cognition is involved in forming attachments or aversions, with familiarity and repetition being the greatest contributors to them.

In light of this, it’s easy to see what fuels the dynamic whereby a lie told often enough becomes truth. This tendency can cause us to put misplaced trust in the commonplace as a false corollary to our suspicion of the novel.

Nassim Taleb rightly points out in his discussion of the Lindy effect that the tried, the tested and the longstanding are usually those very things for good reason, but that shouldn’t blind us to their weaknesses.

As a result of all these factors, people would likely be reluctant to adopt passkeys even if services communicated their enhanced security benefits. To that end, let’s compare how passwords and passkeys work and examine which is more secure.