I found myself asking "How did I get here?"
(with apologies to Talking Heads)
And you may find yourself
In another part of the world
And you may find yourself
Behind the wheel of a large automobile
And you may find yourself in a beautiful house
With a beautiful wife
And you may ask yourself
"Well ... how did I get here?"
And you may ask yourself
"How do I work this?"
And you may ask yourself
"Where is that large automobile?"
And you may tell yourself
"This is not my beautiful house!"
And you may tell yourself
"This is not my beautiful wife!"
Letting the days go by
Water flowing underground
Into the blue again
After the money's gone
Once in a lifetime
Water flowing underground
Seriously.
I woke up one day in the summer of the year of our Lord 2025, to realize I had not one, not two, but three Authenticator apps on my phone. Each securing a shard of my digital life.
(Not to mention all the dusty crypto wallets.)
The apps:
- Authy. Once the gold standard, acquired by Twilio, desktop app removed, became a more appealing honeypot for hackers than they were able to secure
- Google Authenticator. Certainly capable of securing their app. Data is encrypted in transit and at rest, but not end-to-end
- 2FAS. Open-source, no data collection necessary to use
It all just crept up on me. I had gone with Google many years ago, as they offered the most secure and trustworthy backup and recovery. Then I discovered Authy (pre-Twilio) which didn't want anything to do with my data. I painfully migrated most things over.
Then Authy got acquired and clearly had hacker appeal lol. And I was too lazy/uninformed to migrate. Not knowing enough about the landscape, I didn't want to jump out of the frying pan and into the fire. But before I realized what had happened, Authy's desktop export functionality, which had been a selling point as an exit option, disappeared.
I started setting up new accounts on 2FAS, in order to kick the tires for a bit, but had no easy way to do a wholesale migration.
In the meantime, all important password managers got TOTP features, meaning my authenticator app no longer had to be a single source of horrendous loss if I lost access to my phone.
The tipping point for me was when a few accounts removed TOTP MFA altogether, requiring passkeys instead.
So I finally bit the bullet and cleaned up the old accounts, and set up new credentials in 2FAS backed up in my password manager.
Closely related in theme to my previous post (On Forever Data) and my next post (Mad Lads and Dev Freedom), technology goes through a lifecycle. I want my life to be easy and safe through the entire cycle, which means demanding some principles of the software:
- transparency
- discipline and focus. Accepting the tradeoff between convenience and respecting the user's right to leave with the data they brought
- sustainable software model. Do less, cost less
What's not in there:
- accountability. Can't be enforced if you allow human freedom, even in a blockchain world
- shifting sand tech foundations
Tech complexity is a bad sign, especially if simple alternate approaches can produce 80+% of the user outcomes, perhaps mostly with a hit to the developer's ability to deliver features quickly.
For this reason I am suspicious of:
- Next.js. Express, Hono and Bun Elysia are simple, elegant, clean
- WordPress/Gatsby. They do so much to lock you in, when an SSG can be 200 lines-of-code. Modular alternatives like Astro, and for-purpose platforms like Gitbook, Docusaurus, Vitepress, vocs get you 110% of the way there
- The arc of React 17, 18, 19, which feels like it's influenced by corporate paymasters selling server calc time. JSX + Preact get you 99% of the way there on frontend
- Ethereum's scaling roadmap. It's complex and risky. They could focus instead on unblocking increases to the gas limit, as BNB Chain and Base are demonstrating, instead of opening up the kimono for parasitic L2 corpchains to suck all the value out. Or, revving up compute resource usage intensity, a la Solana. The risks of the scaling roadmap are technical, as well as political and econo-incentive related.