webauthn

Tom Beecher beecher at beecher.cc
Mon Mar 25 13:46:27 UTC 2019


I will personally always prefer hardware based methods where the private
key data is never exposed over pure software based methods.

On Mon, Mar 25, 2019 at 9:32 AM Mauricio Rodriguez <mrodriguez at fletnet.com>
wrote:

> My understanding is that 2-factor is one of the primary drivers for
> webauthn.  I feel that hardware dongles are a thing of the past, with
> software now being available that runs on your smartphone and serves the
> same function.  Example - Google Authenticator.
>
> ______
> Regards,
> Mauricio Rodriguez
> Founder / Owner
> Fletnet Network Engineering (www.fletnet.com)
>
> On Fri, Mar 22, 2019 at 8:52 PM Michael Thomas <mike at mtcc.com> wrote:
>
>> I know it's a little tangential, but it's a huge operational issue for
>> network operations too. Have any NANOG folks been paying attention to
>> webauthn? i didn't know about it until yesterday, though i wrote a proof of
>> concept of something that looks a lot like webauthn in 2012. The thing that
>> is kind of concerning to me is that there seems to be some amount of
>> misconception (I hope!) that you need hardware or biometric or some
>> non-password based authentication on the user device in the many write ups
>> i've been reading. i sure hope that misconception doesn't take hold because
>> there is nothing wrong with *local* password based authentication to unlock
>> your credentials. i fear that if the misconception takes hold, it will
>> cause the entire effort to tank. the issue with passwords is transmitting
>> them over the wire, first and foremost. strong *local* passwords that
>> unlock functionality are still perfectly fine for many many applications,
>> IMO.
>>
>> Which isn't to say that hardware/biometric is bad, it's just to say that
>> they are separable problems with their own set of tradeoffs. NANOG folks
>> sound like prime examples of who should be using 2 factor, etc. But we
>> don't want to discourage, oh say, Epicurious from implementing webauthn to get
>> to my super-secret recipe box because they don't think people will buy id
>> dongles.
>>
>> Mike
>>
>
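
Added example, not part of the thread and not code from any WebAuthn library: a simplified Node.js challenge-response in which a local password only unlocks a stored private key on the device, so the server sees a public key and signed challenges, never the password. The function names, sample password and origin are assumptions, and the message format is a simplification of what WebAuthn actually signs.

```javascript
const crypto = require('node:crypto');

// Key-wrapping key derived from the local password; it never leaves the device.
const wrapKey = (password, salt) => crypto.scryptSync(password, salt, 32);

// Registration: only publicKeyPem is sent to the server. The private key stays
// on the device as AES-256-GCM ciphertext under the password-derived key.
function register(password) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', wrapKey(password, salt), iv);
  const der = privateKey.export({ type: 'pkcs8', format: 'der' });
  const ct = Buffer.concat([c.update(der), c.final()]);
  return {
    stored: { salt, iv, ct, tag: c.getAuthTag() },
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
  };
}

// Login, device side: unlock locally, then sign the server's challenge bound to
// the origin. Throws if the local password is wrong (GCM tag check fails).
// Once unlocked, the key sits in process memory; a hardware authenticator
// avoids that exposure by signing inside the device.
function signChallenge(stored, password, challenge, origin) {
  const d = crypto.createDecipheriv('aes-256-gcm', wrapKey(password, stored.salt), stored.iv);
  d.setAuthTag(stored.tag);
  const der = Buffer.concat([d.update(stored.ct), d.final()]);
  const key = crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
  const clientData = JSON.stringify({ challenge: challenge.toString('base64url'), origin });
  return { clientData, signature: crypto.sign(null, Buffer.from(clientData), key) };
}

// Login, server side: accept only a fresh challenge, the expected origin and a
// signature that verifies under the registered public key.
function verifyAssertion(publicKeyPem, expectedChallenge, expectedOrigin, assertion) {
  const { challenge, origin } = JSON.parse(assertion.clientData);
  return challenge === expectedChallenge.toString('base64url') &&
    origin === expectedOrigin &&
    crypto.verify(null, Buffer.from(assertion.clientData), publicKeyPem, assertion.signature);
}
```

A server breach in this model leaks public keys only; the strength of the local password matters when the device's stored ciphertext is stolen.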