Keep it short!

Roxanna I. Cieplinska
M: + 1 (415) 412-7699

Sent from my iPhone

> On Mar 22, 2019, at 5:50 PM, Michael Thomas <m...@mtcc.com> wrote:
> 
> I know it's a little tangential, but it's a huge operational issue for 
> network operations too. Have any NANOG folks been paying attention to 
> webauthn? I didn't know about it until yesterday, though I wrote a proof of 
> concept of something that looks a lot like webauthn in 2012. The thing that 
> is kind of concerning to me is that there seems to be some amount of 
> misconception (I hope!) that you need hardware or biometric or some 
> non-password based authentication on the user device in the many write-ups 
> I've been reading. I sure hope that misconception doesn't take hold because 
> there is nothing wrong with *local* password based authentication to unlock 
> your credentials. I fear that if the misconception takes hold, it will cause 
> the entire effort to tank. The issue with passwords is transmitting them over 
> the wire, first and foremost. Strong *local* passwords that unlock 
> functionality are still perfectly fine for many, many applications, IMO.
> 
> Which isn't to say that hardware/biometric is bad, it's just to say that they 
> are separable problems with their own set of tradeoffs. NANOG folks sound 
> like prime examples of who should be using 2 factor, etc. But we don't want 
> to discourage, oh say, Epicurious from implementing webauthn to get to my 
> super-secret recipe box because they don't think people will buy ID dongles.
> 
> Mike
