How to fix authentication (was LinkedIn)

Kyle Creyts kyle.creyts at gmail.com
Sun Jun 24 00:02:25 CDT 2012


I would suggest that multiple models be pursued (since each appears to have
a champion) and that the market/drafting process will resolve the issue of
which is better (which is okay by me:  widespread adoption of any of the
proposed models would advance the state of the norm; progress beats the
snot out of stagnation in my book)

My earlier replies were reprehensible. This is not a thread that should
just be laughed off. Real progress may be occurring here, and at the least,
good knowledge and discussion is accumulating in a way which may serve as a
resource for the curious or concerned.
On Jun 22, 2012 7:25 AM, "Leo Bicknell" <bicknell at ufp.org> wrote:

> In a message written on Thu, Jun 21, 2012 at 04:48:47PM -1000, Randy Bush
> wrote:
> > there are no trustable third parties
>
> With a lot of transactions the second party isn't trustable, and
> sometimes the first party isn't as well. :)
>
> In a message written on Thu, Jun 21, 2012 at 10:53:18PM -0400, Christopher
> Morrow wrote:
> > note that yubico has models of auth that include:
> >   1) using a third party
> >   2) making your own party
> >   3) HOTP on token
> >   4) NFC
> >
> > they are a good company, trying to do the right thing(s)... They also
> > don't necessarily want you to be stuck in the 'get your answer from
> > another'
>
> Requirements of hardware or a third party are fine for the corporate
> world, or sites that make enough money or have enough risk to invest
> in security, like a bank.
>
> Requiring hardware for a site like Facebook or Twitter is right
> out.  Does not scale, can't ship to the guy in Pakistan or McMurdo
> who wants to sign up.  Trusting a third party becomes too expensive,
> and too big of a business risk.
>
> There are levels of security here.  I don't expect Facebook to take
> the same security steps as my bank to move my money around.  One
> size does not fit all.  Making it so a hacker can't get 10 million
> login credentials at once is a quantum leap forward even if doing
> so doesn't improve security in any other way.
>
> The perfect is the enemy of the good.
>
> --
>       Leo Bicknell - bicknell at ufp.org - CCIE 3440
>        PGP keys at http://www.ufp.org/~bicknell/
>


More information about the NANOG mailing list