webauthn
Michael Thomas
mike at mtcc.com
Sat Mar 23 19:02:09 UTC 2019
On 3/23/19 5:18 AM, Mauricio Rodriguez wrote:
> My understanding is that 2-factor is one of the primary drivers for
> webauthn. I feel that hardware dongles are a thing of the past,
> with software now being available that runs on your smartphone and
> serves the same function. Example - Google Authenticator.
2FA is fine, but the real problem is one-factor passwords going over the
wire. If we did nothing other than get rid of that, it would be a massive
upgrade to security on the net.
Mike
> On Fri, Mar 22, 2019 at 8:52 PM Michael Thomas <mike at mtcc.com> wrote:
>
> I know it's a little tangential, but it's a huge operational issue
> for network operations too. Have any NANOG folks been paying
> attention to webauthn? I didn't know about it until yesterday, though
> I wrote a proof of concept of something that looks a lot like
> webauthn in 2012. The thing that is kind of concerning to me is
> that there seems to be some amount of misconception (I hope!) that
> you need hardware or biometric or some non-password based
> authentication on the user device in the many write-ups I've been
> reading. I sure hope that misconception doesn't take hold because
> there is nothing wrong with *local* password based authentication
> to unlock your credentials. I fear that if the misconception takes
> hold, it will cause the entire effort to tank. The issue with
> passwords is transmitting them over the wire, first and foremost.
> Strong *local* passwords that unlock functionality are still
> perfectly fine for many many applications, IMO.
>
> Which isn't to say that hardware/biometric is bad, it's just to
> say that they are separable problems with their own set of
> tradeoffs. NANOG folks sound like prime examples of who should be
> using 2 factor, etc. But we don't want to discourage, oh say,
> Epicurious from implementing webauthn to get to my super-secret recipe
> box because they don't think people will buy ID dongles.
>
> Mike
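The point argued in this thread, that a password used only locally to unlock a credential never has to cross the wire, can be shown with a short Node.js sketch. This is an added example, not code from the thread or from the WebAuthn specification: it is a simplified challenge-response, not the WebAuthn message format, and the function names, the sample password and the `recipes.example` origin are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Enrollment happens on the user's device. The private key is stored encrypted
// under a local password; the server only ever receives the public key.
function enroll(localPassword) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", {
    namedCurve: "prime256v1",
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem",
                          cipher: "aes-256-cbc", passphrase: localPassword },
  });
  return { serverRecord: { publicKey }, deviceStore: { encryptedKey: privateKey } };
}

// Bind the signature to the site's origin and to one server-chosen challenge.
function signedMessage(origin, challenge) {
  return Buffer.concat([Buffer.from(origin, "utf8"), Buffer.from([0]), challenge]);
}

// Client side: the password unlocks the key locally and is then discarded.
function clientSign(deviceStore, localPassword, challenge, origin) {
  let key;
  try {
    key = crypto.createPrivateKey({ key: deviceStore.encryptedKey, format: "pem",
                                    passphrase: localPassword });
  } catch (err) {
    return null; // wrong local password: nothing is sent at all
  }
  return crypto.sign("sha256", signedMessage(origin, challenge), key);
}

// Server side: verification needs only the stored public key.
function serverVerify(serverRecord, challenge, origin, signature) {
  if (!signature) return false;
  return crypto.verify("sha256", signedMessage(origin, challenge),
                       serverRecord.publicKey, signature);
}

function demo() {
  const password = "correct horse battery staple"; // constructed sample value
  const origin = "https://recipes.example";        // hypothetical relying party
  const { serverRecord, deviceStore } = enroll(password);
  const challenge = crypto.randomBytes(32);
  const sig = clientSign(deviceStore, password, challenge, origin);
  // Everything an on-path observer or the server itself gets to see:
  const wire = [serverRecord.publicKey, challenge.toString("hex"), sig.toString("hex")].join("\n");
  return {
    loginOk: serverVerify(serverRecord, challenge, origin, sig),
    replayRejected: !serverVerify(serverRecord, crypto.randomBytes(32), origin, sig),
    otherOriginRejected: !serverVerify(serverRecord, challenge, "https://other.example", sig),
    wrongPasswordFails: clientSign(deviceStore, "guess", challenge, origin) === null,
    passwordOnWire: wire.includes(password),
  };
}
```

A server breach in this model exposes public keys only, and a captured signature is useless against a fresh challenge or a different origin.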