On 3/23/19 5:18 AM, Mauricio Rodriguez wrote:
My understanding is that 2-factor is one of the primary drivers for
webauthn. I feel that hardware dongles are the thing of the past,
with software now being available that runs on your smartphone and
serves the same function. Example - Google Authenticator.
2FA is fine, but the real problem is one factor passwords going over the
wire. If we did nothing than get rid of that, it would be a massive
upgrade to security on the net.
Mike
______
Regards,
Mauricio Rodriguez
Founder / Owner
Fletnet Network Engineering (www.fletnet.com <http://www.fletnet.com/>)
1951 NW 7th Ave #600, Miami, FL 33136
mauricio.rodrig...@fletnet.com <mailto:mauricio.rodrig...@fletnet.com>
Office: +1-786-309-5493
Mobile: +1-305-978-6884
Schedule a Meeting with me
<http://scheduling.fletnet.com/mauricio_rodriguez>
On Fri, Mar 22, 2019 at 8:52 PM Michael Thomas <m...@mtcc.com
<mailto:m...@mtcc.com>> wrote:
I know it's a little tangential, but it's a huge operational issue
for network operations too. Have any NANOG folks been paying
attention to webauthn? i didn't know about until yesterday, though
i wrote a proof of concept of something that looks a lot like
webauthn in 2012. The thing that is kind of concerning to me is
that there seems to be some amount of misconception (I hope!) that
you need hardware or biometric or some non-password based
authentication on the user device in the many write ups i've been
reading. i sure hope that misconception doesn't take hold because
there is nothing wrong with *local* password based authentication
to unlock your credentials. i fear that if the misconception takes
hold, it will cause the entire effort to tank. the issue with
passwords is transmitting them over the wire, first and foremost.
strong *local* passwords that unlock functionality is still
perfectly fine for many many applications, IMO.
Which isn't to say that hardware/biometric is bad, it's just to
say that they are separable problems with their own set of
tradeoffs. NANOG folks sound like prime examples of who should be
using 2 factor, etc. But we don't want to discourage, oh say,
Epicurious to implement webauthn to get to my super-secret recipe
box because they don't think people will buy id dongles.
Mike
/This message (and any associated files) may contain confidential
and/or privileged information. If you are not the intended recipient
or authorized to receive this for the intended recipient, you must not
use, copy, disclose or take any action based on this message or any
information herein. If you have received this message in error, please
advise the sender immediately by sending a reply e-mail and delete
this message. Thank you for your cooperation./
