I know it's a little tangential, but it's a huge operational issue for
network operations too. Have any NANOG folks been paying attention to
WebAuthn? I didn't know about it until yesterday, though I wrote a proof of
concept of something that looks a lot like WebAuthn in 2012. The thing
that is kind of concerning to me is that there seems to be some amount
of misconception (I hope!) that you need hardware or biometric or some
non-password-based authentication on the user device in the many write-ups
I've been reading. I sure hope that misconception doesn't take hold,
because there is nothing wrong with *local* password-based
authentication to unlock your credentials. I fear that if the
misconception takes hold, it will cause the entire effort to tank. The
issue with passwords is transmitting them over the wire, first and
foremost. Strong *local* passwords that unlock functionality are still
perfectly fine for many, many applications, IMO.
Which isn't to say that hardware/biometric is bad, it's just to say that
they are separable problems with their own set of tradeoffs. NANOG folks
sound like prime examples of who should be using two-factor, etc. But we
don't want to discourage, oh say, Epicurious from implementing WebAuthn to
get to my super-secret recipe box because they don't think people will
buy ID dongles.
Mike
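Added illustration of the distinction the post draws (this is editor-added example code, not Mike's proof of concept and not any WebAuthn implementation): the password is used only on the device, to unwrap a signing key, and what crosses the wire is a signature over a fresh server-issued challenge. Everything cryptographic here is a stand-in chosen to keep the script dependency-free: textbook RSA generated at run time instead of ES256/EdDSA, an XOR with a PBKDF2-derived pad instead of a real key wrap, and a simplified signing input of H(H(rpId) || H(clientDataJSON)) in place of the real authenticatorData layout. The relying party `example.com`, the phishing origin `evil.example` and the passwords are constructed for the demo. Requires Python 3.8+ for `pow(e, -1, m)`.

```python
import hashlib
import json
import secrets

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test, adequate for generating a demo key (toy RSA, illustration only)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _keypair(bits: int = 512):
    """Returns ((n, e), (n, d)); a real authenticator would use ES256 or EdDSA instead."""
    def prime():
        while True:
            c = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(), prime()
        if p != q and (p - 1) * (q - 1) % e:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _mask(data: bytes, password: str, salt: bytes) -> bytes:
    """XOR with a PBKDF2-derived 64-byte pad (toy key wrap): the only place the password is used."""
    pad = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, dklen=64)
    return bytes(x ^ y for x, y in zip(data, pad))

def _signed_digest(rp_id: str, client_data: bytes) -> int:
    """Simplified WebAuthn signing input: H(H(rpId) || H(clientDataJSON))."""
    h = hashlib.sha256(hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest())
    return int.from_bytes(h.digest(), "big")

class Authenticator:
    """Software authenticator: the password never leaves this object."""
    def __init__(self):
        self._creds = {}  # cred_id -> (rp_id, n, salt, password-wrapped private exponent)

    def make_credential(self, rp_id: str, password: str):
        pub, (n, d) = _keypair()
        salt, cred_id = secrets.token_bytes(16), secrets.token_bytes(16)
        self._creds[cred_id] = (rp_id, n, salt, _mask(d.to_bytes(64, "big"), password, salt))
        return cred_id, pub  # only the credential id and the public key go to the server

    def get_assertion(self, cred_id, rp_id, origin, challenge, password):
        stored_rp, n, salt, wrapped = self._creds[cred_id]
        assert stored_rp == rp_id, "credential belongs to a different relying party"
        # A wrong password unwraps to a garbage d, so the signature simply will not verify;
        # nothing derived from the password appears in the assertion that is sent.
        d = int.from_bytes(_mask(wrapped, password, salt), "big")
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                                  "origin": origin}, sort_keys=True).encode()
        return {"cred_id": cred_id, "client_data": client_data,
                "sig": pow(_signed_digest(rp_id, client_data), d, n)}

class RelyingParty:
    """Server side: stores public keys only and hands out single-use challenges."""
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self._pubkeys, self._pending = {}, set()

    def register(self, cred_id: bytes, pub):
        self._pubkeys[cred_id] = pub

    def begin_auth(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending.add(challenge)
        return challenge

    def finish_auth(self, assertion: dict) -> bool:
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin:
            return False  # signed for some other (e.g. phishing) origin
        challenge = bytes.fromhex(cd.get("challenge", ""))
        if challenge not in self._pending:
            return False  # unknown or already-consumed challenge: a replay
        self._pending.discard(challenge)
        n, e = self._pubkeys[assertion["cred_id"]]
        return pow(assertion["sig"], e, n) == _signed_digest(self.rp_id, assertion["client_data"])

def demo() -> dict:
    """Constructed walk-through (example.com, evil.example and the passwords are made up)."""
    rp, auth = RelyingParty("example.com", "https://example.com"), Authenticator()
    pw = "correct horse battery staple"
    cred_id, pub = auth.make_credential("example.com", pw)
    rp.register(cred_id, pub)
    good = auth.get_assertion(cred_id, "example.com", "https://example.com", rp.begin_auth(), pw)
    out = {"ok": rp.finish_auth(good), "replay": rp.finish_auth(good)}  # same assertion submitted twice
    out["wrong_password"] = rp.finish_auth(
        auth.get_assertion(cred_id, "example.com", "https://example.com", rp.begin_auth(), "hunter2"))
    out["phished"] = rp.finish_auth(  # assertion minted on a look-alike page and forwarded to the real site
        auth.get_assertion(cred_id, "example.com", "https://evil.example", rp.begin_auth(), pw))
    out["password_on_wire"] = pw.encode() in good["client_data"]
    return out
```

Running `demo()` accepts the first assertion, rejects the same assertion replayed (the challenge is single-use), rejects one produced with the wrong local password (the unwrapped key is garbage, yet the server learns only that a signature failed), rejects one signed for the phishing origin, and shows that the password string appears nowhere in what the relying party received. The point Mike makes falls out of the structure: the password's strength matters for an attacker who has stolen the device's wrapped key, but a weak or strong password is equally invisible to a network observer or a phished server, because it is never transmitted.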