HACKER Q&A
📣 talbo888

Do you think there is internet bloat? Will it continue?


Anecdotally I have been experiencing more and more friction when it comes to accessing corporate and government online services. The general trend of the internet making things easier to access seems to be reversing. I'll give three examples:

1. To log into my bank I need to do username, password, a few digits of a special codeword, and MFA. This is not in itself a problem as your bank account should be very secure; but every time I make an online transaction with my card I need to log into my bank account to confirm it, adding lots of hassle for small purchases.

2. Everyone has added MFA, even for small utility sites like our municipal transport authority's website. Not only does everyone now collect my phone number, but now for basic administrative tasks I need multiple emails, an easily accessible and secure password manager, my phone to be on me and have signal.

3. The UK have now removed the ability to download the tax form PDF to hand fill in. If you want the latest tax forms you need to call them and pass through multiple layers of security and 'sales' before you can request to get the tax forms sent to your house.

Hackernews is one of the few sites which has such a frictionless experience - I just made this account with just a username and password and I can post immediately. My questions to you are:

Do you think this is broadly true and not just anecdotal? If so do you think we will continue to see friction like this increase (beyond cookie pop ups) when it comes to accessing content/utility on the internet? How can I as a user manage/circumvent this bloat?


  👤 version_five Accepted Answer ✓
It's the rise of an administrator class as services get decoupled from any real market pressure. You're citing mostly government and banks where it's worse. Bureaucrats can add friction almost infinitely without ever feeling the consequence, and without a countervailing force, it just keeps progressing.

👤 hackermatic
Basically, this is because web authentication has been very weak for far too long, and it's gotten to the point where attackers literally operate as a business, with human resource departments, call centers, and all.

Unfortunately, the extra security measures are basically bolted on, and I mean that in terms of the existing architecture of websites/applications, the user interface flows (as you've noticed), and the authentication schemes themselves, like using SMS for two-factor.

The good news is that with standards like WebAuthn, a lot of authentication flows will become faster, more automated, and more secure, because your browser or OS will manage really strong credentials for you, and maybe prompt you for a PIN or biometric scan to unlock your local device's credential store. The bad news is that it will take a while to roll this out, and it still won't replace things like passwords or in-person processes in all cases.

One intro to WebAuthn is here: https://webauthn.guide/


👤 tacostakohashi
Authentication/2FA/verification codes is one annoyance, obviously a password manager helps, but having to do some verification code _every time_ even for low risk stuff is sucky.

Even putting that aside though, the websites for most, say, banks, airlines, utilities, etc, have all the basic, obvious information you would want hidden behind layers of advertising, marketing and tracking.