<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;color:#444444">My understanding is that 2-factor is one of the primary drivers for webauthn. I feel that hardware dongles are the thing of the past, with software now being available that runs on your smartphone and serves the same function. Example - Google Authenticator.</div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div><br></div><div>______</div><div>Regards,<div>Mauricio Rodriguez</div><div>Founder / Owner</div><div>Fletnet Network Engineering (<a href="http://www.fletnet.com/" target="_blank">www.fletnet.com</a>)</div><div><span style="font-family:Roboto,arial,sans-serif">1951 NW 7th Ave #600, Miami, FL 33136</span><br></div><div><br></div><div><a href="mailto:Mauricio.Rodriguez@fletnet.com" target="_blank">Mauricio.Rodriguez@fletnet.com</a></div><div>Office: +1-786-309-5493</div><div>Mobile: +1-305-978-6884</div><div><br></div><div><a href="http://scheduling.fletnet.com/mauricio_rodriguez" target="_blank">Schedule a Meeting with me</a><br></div><div><br></div><div><br></div><div><br></div></div></div></div></div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Mar 22, 2019 at 8:52 PM Michael Thomas <<a href="mailto:mike@mtcc.com">mike@mtcc.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p><span style="color:rgb(29,33,41);font-family:Helvetica,Arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:left;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">I know it's a
little tangential, but it's a huge operational issue for network
operations too. Have any NANOG folks been paying attention to
webauthn? i didn't know about until yesterday, though i wrote a
proof of concept of something that looks a lot like webauthn in
2012. The thing that is kind of concerning to me is that there
seems to be some amount of misconception (I hope!) that you need
hardware or biometric or some non-password based authentication
on the user device in the many write ups i've been reading. i
sure hope that misconception doesn't take hold because there is
nothing wrong with *local* password based authentication to
unlock your credentials. i fear that if the misconception takes
hold, it will cause the entire effort to tank. the issue with
passwords is transmitting them over the wire, first and
foremost. strong *local* passwords that unlock functionality is
still perfectly fine for many many applications, IMO.</span></p>
<p><span style="color:rgb(29,33,41);font-family:Helvetica,Arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:left;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Which isn't
to say that hardware/biometric is bad, it's just to say that
they are separable problems with their own set of tradeoffs.
NANOG folks sound like prime examples of who should be using 2
factor, etc. But we don't want to discourage, oh say, Epicurious
to implement webauthn to get to my super-secret recipe box
because they don't think people will buy id dongles.<br>
</span></p>
<p><span style="color:rgb(29,33,41);font-family:Helvetica,Arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:left;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Mike<br>
</span></p>
</div>
</blockquote></div>
<br>
<em style="color:rgb(55,58,60);font-family:OpenSans,Arial,sans-serif;font-size:14px;background-color:rgb(250,250,250)">This message (and any associated files) may contain confidential and/or privileged information. If you are not the intended recipient or authorized to receive this for the intended recipient, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by sending a reply e-mail and delete this message. Thank you for your cooperation.</em>