I will personally always prefer hardware-based methods, where the private key data is never exposed, over pure software-based methods.

On Mon, Mar 25, 2019 at 9:32 AM Mauricio Rodriguez <mrodrig...@fletnet.com> wrote:

> My understanding is that 2-factor is one of the primary drivers for
> webauthn. I feel that hardware dongles are the thing of the past, with
> software now being available that runs on your smartphone and serves the
> same function. Example - Google Authenticator.
>
> ______
> Regards,
> Mauricio Rodriguez
> Founder / Owner
> Fletnet Network Engineering (www.fletnet.com)
> 1951 NW 7th Ave #600, Miami, FL 33136
>
> mauricio.rodrig...@fletnet.com
> Office: +1-786-309-5493
> Mobile: +1-305-978-6884
>
> Schedule a Meeting with me
> <http://scheduling.fletnet.com/mauricio_rodriguez>
>
> On Fri, Mar 22, 2019 at 8:52 PM Michael Thomas <m...@mtcc.com> wrote:
>
>> I know it's a little tangential, but it's a huge operational issue for
>> network operations too. Have any NANOG folks been paying attention to
>> webauthn? I didn't know about it until yesterday, though I wrote a proof of
>> concept of something that looks a lot like webauthn in 2012. The thing that
>> is kind of concerning to me is that there seems to be some amount of
>> misconception (I hope!) that you need hardware or biometric or some
>> non-password-based authentication on the user device in the many write-ups
>> I've been reading. I sure hope that misconception doesn't take hold because
>> there is nothing wrong with *local* password based authentication to unlock
>> your credentials. I fear that if the misconception takes hold, it will
>> cause the entire effort to tank. The issue with passwords is transmitting
>> them over the wire, first and foremost. Strong *local* passwords that
>> unlock functionality are still perfectly fine for many, many applications,
>> IMO.
>>
>> Which isn't to say that hardware/biometric is bad, it's just to say that
>> they are separable problems with their own set of tradeoffs. NANOG folks
>> sound like prime examples of who should be using 2 factor, etc. But we
>> don't want to discourage, oh say, Epicurious from implementing webauthn to get
>> to my super-secret recipe box because they don't think people will buy id
>> dongles.
>>
>> Mike
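
Added example, not part of the thread and not real WebAuthn (no origin binding, attestation or counters): a simplified Node.js sketch of the flow being debated, where a local password only unlocks a private key stored on the device and the server sees nothing but a public key, a challenge and a signature. All function and field names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Registration: the device makes a key pair. The private key is kept only on
// the device, encrypted under the local password; the server gets the public key.
function register(localPassword) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', {
    namedCurve: 'P-256',
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: {
      type: 'pkcs8', format: 'pem',
      cipher: 'aes-256-cbc', passphrase: localPassword,
    },
  });
  return { serverRecord: { publicKey }, deviceStore: { encryptedKey: privateKey } };
}

// Server: a fresh random challenge per attempt, so old signatures cannot be replayed.
function newChallenge() {
  return crypto.randomBytes(32);
}

// Device: the typed password is used locally to decrypt the key, then discarded.
// Returns null when the password does not unlock the key.
function deviceSign(deviceStore, typedPassword, challenge) {
  try {
    return crypto.sign('sha256', challenge,
      { key: deviceStore.encryptedKey, passphrase: typedPassword });
  } catch {
    return null;
  }
}

// Server: verification needs only the stored public key.
function serverVerify(serverRecord, challenge, signature) {
  return signature !== null &&
    crypto.verify('sha256', challenge, serverRecord.publicKey, signature);
}

// One login attempt; `wire` collects everything that crosses the network.
function login(serverRecord, deviceStore, typedPassword) {
  const challenge = newChallenge();                                     // server -> device
  const signature = deviceSign(deviceStore, typedPassword, challenge);  // device -> server
  const wire = [challenge, signature].filter(Boolean);
  return { ok: serverVerify(serverRecord, challenge, signature), wire };
}
```

The difference with a hardware token is in `deviceStore`: here the encrypted key is a file that can be copied off the device and guessed against offline, whereas a token never releases the private key at all.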