South Africa On Lockdown - Coronavirus - Update!

Keith Medcalf kmedcalf at dessus.com
Mon Mar 23 21:59:49 UTC 2020


Both FIDO and OAuth2 are inherently insecure.

While they may be better than nothing at all, they are only very slightly better than proper password selection and management.

-- 
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.

>-----Original Message-----
>From: NANOG <nanog-bounces at nanog.org> On Behalf Of Eric Tykwinski
>Sent: Monday, 23 March, 2020 15:55
>To: Mark Tinka <mark.tinka at seacom.mu>
>Cc: nanog at nanog.org
>Subject: Re: South Africa On Lockdown - Coronavirus - Update!
>
>I think that's the major sticky point, I would hope we could all agree on
>one thing, but that also leaves one entry point of failure.  Hopefully we
>can all agree that FIDO2, OAUTH2, et al, will be a winner in the long run
>so everything can just use one simple authentication mechanism.
>
>
>Sincerely,
>
>Eric Tykwinski
>TrueNet, Inc.
>P: 610-429-8300
>
>
>	On Mar 23, 2020, at 5:23 PM, Mark Tinka <mark.tinka at seacom.mu> wrote:
>
>
>
>	On 23/Mar/20 22:39, Keith Medcalf wrote:
>
>
>
>		Hardware tokens are nothing more than dedicated hardware TOTP
>devices with perhaps a few additional parameters programmed at
>manufacturing time.  Example, RSAID keyfobs are nothing more than TOTP
>generators with manufacturer programmed secrets and dedicated clock and
>display hardware with no external interface which permits access to the
>secret.
>
>
>
>	For some of my banks, OTP tokens are issued via their device apps. I
>	used to have physical key fobs for that; those are now gone.
>
>	Admittedly, not all of my banks have made the transition. On the other
>	hand, many of the banks have moved on to support Face ID and QR code
>	verification via device apps.
>
>	Not specific to VPN access management, but in the same vein.
>
>	Mark.
>
>