That is not true. If you lose the key, anyone else can use the device - which 
is why there is usually an additional requirement beyond the hardware key - I 
am referring to hardware dongles given to users.

By LOSE I meant unknowingly lost - not that once I lose it and KNOW I’ve lost 
it I deactivate the keys - and by then the system may be compromised anyway 
(think murder to steal the hardware device - the victim is not reporting the 
device stolen).

Now sometimes that secondary info might be a retina or fingerprint scan, but 
the point is if the machine providing the information has been compromised 
(root access granted), they are free to alter the binaries and the OS itself, 
to compromise these procedures, meaning they probably already captured these 
elements (prior to the crime).

It is the coupling of the two scenarios - the security cannot be based on the 
hardware device alone (since it can be lost/stolen), and when there is backup 
identifying information, that can be compromised (if the machine is 
compromised).

I know very well how the hardware devices work.


> On Oct 15, 2018, at 7:12 PM, Christopher Nielsen <m4dh4t...@gmail.com> wrote:
> 
> On Mon, Oct 15, 2018 at 4:33 PM robert engels <reng...@ix.netcom.com> wrote:
>> 
>> To clarify, this is for a hardware device that protects a local resource - a 
>> network based protocol that challenges the device for access is a different 
>> story, and yes, when properly implemented is secure (unless someone steals 
>> your device! - which is why it is usually password + device, and then you 
>> are back to the same problem of compromising passwords when root access has 
>> been compromised).
> 
> This statement indicates to me you don't understand how hardware
> security tokens work. It doesn't matter if you have root access. You
> cannot obtain key material from it. If you lose it, you lose the set
> of keys on it. That's it. Revoke them and issue new ones using your
> root cert/key that never touches a networked system and lives in a
> safe.
> 
> -- 
> Christopher Nielsen
> "They who can give up essential liberty for temporary safety, deserve
> neither liberty nor safety." --Benjamin Franklin
> "The tree of liberty must be refreshed from time to time with the
> blood of patriots & tyrants." --Thomas Jefferson
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to golang-nuts+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
