Biometry in general may be acceptable, but fingerprints should be considered weak protection, because you share that key with your environment all day, every day. Getting someone's fingerprint is *really* easy. If your phone gets stolen, chances are, the fingerprint needed to unlock it is right on there already.
And faking fingerprints is really easy, too.

https://www.theguardian.com/technology/2013/sep/22/apple-iphone-fingerprint-scanner-hacked

On 30.09.2017 at 20:21, Bryan Davis wrote:
> On Sat, Sep 30, 2017 at 9:28 AM, Roy Smith <r...@panix.com> wrote:
>> What’s the current best practice for auth on ToolForge?
>>
>> I have a passphrase on my public ssh key. I’ll be accessing toolforge from
>> my MacBook which is protected with Apple’s Touch ID fingerprint scanner.
>> I’ll be nailing up a tmux session.
>>
>> So, most of the time, there will be an active ssh session into wfmlabs
>> protected only by my fingerprint touch. If the ssh session goes down (i.e.
>> reboot or network change), it’ll be a touch plus my ssh passphrase.
>>
>> Is this considered an appropriate level of protection for this environment?
>
> Having a strong passphrase on your private ssh key is recommended.
> Using an ssh-agent to hold your ssh key when decrypted is reasonable.
> Keeping an ssh session open via screen or tmux is acceptable. I would
> expect these three things to be in common use by a number of Toolforge
> / Cloud VPS users and administrators.
>
> The only thing that is semi-unique about the setup you describe is the
> use of biometric auth for unlocking your laptop. I don't see that that
> makes your key handling practices inherently weaker (or stronger) than
> having a passphrase for unlocking.
>
>
> Bryan
>

--
Daniel Kinzler
Principal Platform Engineer

Wikimedia Deutschland
Gesellschaft zur Förderung Freien Wissens e.V.