How to fix authentication (was LinkedIn)

AP NANOG nanog at armoredpackets.com
Mon Jun 25 13:30:02 UTC 2012


Kyle,

I may be mistaken here, but I don't believe anyone is truly laughing the 
matter off.

There may have been some remarks about second or third parties, but the 
fact remains that these are the areas in which the current concerns still lie.

-- 

Robert Miller
(arch3angel)

On 6/24/12 1:02 AM, Kyle Creyts wrote:
> I would suggest that multiple models be pursued (since each appears to have
> a champion) and that the market/drafting process will resolve the issue of
> which is better (which is okay by me:  widespread adoption of any of the
> proposed models would advance the state of the norm; progress beats the
> snot out of stagnation in my book)
>
> My earlier replies were reprehensible. This is not a thread that should
> just be laughed off. Real progress may be occurring here, and at the least,
> good knowledge and discussion is accumulating in a way which may serve as a
> resource for the curious or concerned.
> On Jun 22, 2012 7:25 AM, "Leo Bicknell" <bicknell at ufp.org> wrote:
>
>> In a message written on Thu, Jun 21, 2012 at 04:48:47PM -1000, Randy Bush
>> wrote:
>>> there are no trustable third parties
>> With a lot of transactions the second party isn't trustable, and
>> sometimes the first party isn't as well. :)
>>
>> In a message written on Thu, Jun 21, 2012 at 10:53:18PM -0400, Christopher
>> Morrow wrote:
>>> note that yubico has models of auth that include:
>>>    1) using a third party
>>>    2) making your own party
>>>    3) HOTP on token
>>>    4) NFC
>>>
>>> they are a good company, trying to do the right thing(s)... They also
>>> don't necessarily want you to be stuck in the 'get your answer from
>>> another'
>> Requirements of hardware or a third party are fine for the corporate
>> world, or sites that make enough money or have enough risk to invest
>> in security, like a bank.
>>
>> Requiring hardware for a site like Facebook or Twitter is right
>> out.  Does not scale, can't ship to the guy in Pakistan or McMurdo
>> who wants to sign up.  Trusting a third party becomes too expensive,
>> and too big of a business risk.
>>
>> There are levels of security here.  I don't expect Facebook to take
>> the same security steps as my bank to move my money around.  One
>> size does not fit all.  Making it so a hacker can't get 10 million
>> login credentials at once is a quantum leap forward even if doing
>> so doesn't improve security in any other way.
>>
>> The perfect is the enemy of the good.
>>
>> --
>>        Leo Bicknell - bicknell at ufp.org - CCIE 3440
>>         PGP keys at http://www.ufp.org/~bicknell/
>>
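Of the Yubico models quoted above, "HOTP on token" is the one that needs no third party and no online lookup: the token and the verifier share a secret and a counter, and each press produces the next code. The example below is added here to show what the verifier side of that model has to do; it is not code from the original thread or from Yubico. It implements HOTP as specified in RFC 4226 (HMAC-SHA-1, dynamic truncation, 6 digits) and checks it against the test vectors published in that RFC. The `look_ahead` window size and the in-memory `HotpVerifier` class are illustrative assumptions; a real deployment would persist the counter per user and pick the window to match how often tokens get pressed without a login.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduced modulo 10**digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


class HotpVerifier:
    """Server-side state for one token (illustrative; assumption: a real
    deployment stores the counter per user in durable storage).

    The token increments its counter on every press, whether or not the
    code reaches the server, so the verifier searches a small look-ahead
    window and then advances past whatever counter value matched.  A code
    at or below the current counter is never accepted, which blocks replay.
    """

    def __init__(self, secret: bytes, counter: int = 0, look_ahead: int = 10):
        self.secret = secret
        self.counter = counter          # next counter value we expect
        self.look_ahead = look_ahead    # assumption: resync window size

    def verify(self, code: str) -> bool:
        for i in range(self.look_ahead + 1):
            candidate = hotp(self.secret, self.counter + i)
            # constant-time compare so timing does not leak digit matches
            if hmac.compare_digest(candidate, code):
                self.counter += i + 1   # consume this and any skipped codes
                return True
        return False


# RFC 4226 Appendix D test secret (ASCII "12345678901234567890")
RFC4226_SECRET = b"12345678901234567890"


def rfc4226_vectors() -> list:
    """First ten HOTP values for the RFC 4226 test secret."""
    return [hotp(RFC4226_SECRET, c) for c in range(10)]


def demo_verifier() -> tuple:
    """Walk a verifier through accept, replay, skip-ahead and stale cases.
    Returns the four results plus the final counter."""
    v = HotpVerifier(RFC4226_SECRET)
    first = v.verify(hotp(RFC4226_SECRET, 0))    # counter 0: accepted
    replay = v.verify(hotp(RFC4226_SECRET, 0))   # same code again: rejected
    skipped = v.verify(hotp(RFC4226_SECRET, 3))  # token pressed twice unseen
    stale = v.verify(hotp(RFC4226_SECRET, 1))    # older than counter: rejected
    return first, replay, skipped, stale, v.counter


if __name__ == "__main__":
    for c, code in enumerate(rfc4226_vectors()):
        print(f"counter {c}: {code}")
    print(demo_verifier())
```

The shared secret is the whole ballgame here: a leak of the server's secret table is exactly as bad as a leak of a password table, which is why hardware tokens that keep the secret inside the device only help if the verifier's copy is protected at least as well.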



