How to fix authentication (was LinkedIn)
Leo Bicknell
bicknell at ufp.org
Fri Jun 22 14:25:29 UTC 2012
In a message written on Thu, Jun 21, 2012 at 04:48:47PM -1000, Randy Bush wrote:
> there are no trustable third parties
With a lot of transactions the second party isn't trustable, and
sometimes the first party isn't either. :)
In a message written on Thu, Jun 21, 2012 at 10:53:18PM -0400, Christopher Morrow wrote:
> note that yubico has models of auth that include:
> 1) using a third party
> 2) making your own party
> 3) HOTP on token
> 4) NFC
>
> they are a good company, trying to do the right thing(s)... They also
> don't necessarily want you to be stuck in the 'get your answer from
> another'
Requirements of hardware or a third party are fine for the corporate
world, or sites that make enough money or have enough risk to invest
in security, like a bank.
Requiring hardware for a site like Facebook or Twitter is right
out. It does not scale, and you can't ship to the guy in Pakistan
or McMurdo who wants to sign up. Trusting a third party becomes too
expensive, and too big of a business risk.
There are levels of security here. I don't expect Facebook to take
the same security steps as my bank to move my money around. One
size does not fit all. Making it so a hacker can't get 10 million
login credentials at once is a quantum leap forward even if doing
so doesn't improve security in any other way.
The perfect is the enemy of the good.
--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
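HOTP, named in the quoted list of Yubico authentication models above, as an added example that is not code from the original thread, from Yubico or from any of the posters: an RFC 4226 HOTP generator plus the server-side check a site would run against a token. The shared secret and the expected codes are the RFC's own Appendix D test vectors; the look-ahead window size and the "store the new counter on success" convention are assumptions for this example, not something the thread specifies.

```python
import hashlib
import hmac
import struct

# Shared secret from RFC 4226 Appendix D: the ASCII string "12345678901234567890".
RFC4226_SECRET = b"12345678901234567890"

# Expected 6-digit HOTP values for counters 0..9, from the same appendix.
RFC4226_VECTORS = [755224, 287082, 359152, 969429, 338314,
                   254676, 287922, 162583, 399871, 520489]


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low 4 bits of the last byte
    code = ((mac[offset] & 0x7F) << 24           # drop the sign bit
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, stored_counter: int, submitted: str,
                window: int = 10):
    """Server-side check (assumed convention for this example).

    Tries counters stored_counter .. stored_counter+window-1 so a token that
    was pressed a few times without being used still validates.  On success
    returns the counter value the server must now store (one past the match),
    which is what stops the same code being accepted twice.  Returns None on
    failure.  compare_digest keeps the string comparison constant-time."""
    for c in range(stored_counter, stored_counter + window):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None


def rfc4226_self_test() -> bool:
    """True when this implementation reproduces every RFC 4226 test vector."""
    return all(hotp(RFC4226_SECRET, i) == f"{v:06d}"
               for i, v in enumerate(RFC4226_VECTORS))


if __name__ == "__main__":
    assert rfc4226_self_test()
    # A code is accepted once, the counter moves forward, and the same code
    # is then rejected as a replay.
    next_counter = verify_hotp(RFC4226_SECRET, 0, "755224")
    print("first use ->", next_counter)                              # 1
    print("replay    ->", verify_hotp(RFC4226_SECRET, next_counter, "755224"))  # None
```

The caveat that matters for this thread: HOTP is a shared-secret scheme, so the server holds exactly the same secret the token does. Putting the secret on a hardware token keeps it off the user's PC, but a dump of the server's credential table still hands the attacker every user's token secret, so the "can't get 10 million credentials at once" goal has to be met by how that table is protected, not by the token alone.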
More information about the NANOG mailing list