<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 3/23/19 5:18 AM, Mauricio Rodriguez
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CA+2w3wTqNe5hd676m6whMyU-vHw+ZvjjUYbWPYnbAdoOBonbFw@mail.gmail.com">
<div dir="ltr">
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:#444444">My
understanding is that 2-factor is one of the primary drivers
for webauthn. I feel that hardware dongles are a thing of
the past, with software now being available that runs on your
smartphone and serves the same function. Example - Google
Authenticator.</div>
</div>
</blockquote>
<p>2FA is fine, but the real problem is one-factor passwords going
over the wire. If we did nothing other than get rid of that, it would be
a massive upgrade to security on the net.</p>
<p>Mike<br>
</p>
<blockquote type="cite"
cite="mid:CA+2w3wTqNe5hd676m6whMyU-vHw+ZvjjUYbWPYnbAdoOBonbFw@mail.gmail.com">
<div dir="ltr">
<div>
<div dir="ltr" class="gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div><br>
</div>
<div>______</div>
<div>Regards,
<div>Mauricio Rodriguez</div>
<div>Founder / Owner</div>
<div>Fletnet Network Engineering (<a
href="http://www.fletnet.com/" target="_blank"
moz-do-not-send="true">www.fletnet.com</a>)</div>
<div><span
style="font-family:Roboto,arial,sans-serif">1951
NW 7th Ave #600, Miami, FL 33136</span><br>
</div>
<div><br>
</div>
<div><a
href="mailto:Mauricio.Rodriguez@fletnet.com"
target="_blank" moz-do-not-send="true">Mauricio.Rodriguez@fletnet.com</a></div>
<div>Office: +1-786-309-5493</div>
<div>Mobile: +1-305-978-6884</div>
<div><br>
</div>
<div><a
href="http://scheduling.fletnet.com/mauricio_rodriguez"
target="_blank" moz-do-not-send="true">Schedule
a Meeting with me</a><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, Mar 22, 2019 at 8:52
PM Michael Thomas &lt;<a href="mailto:mike@mtcc.com"
moz-do-not-send="true">mike@mtcc.com</a>&gt; wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p><span
style="color:rgb(29,33,41);font-family:Helvetica,Arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:left;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">I
know it's a little tangential, but it's a huge
operational issue for network operations too. Have any
NANOG folks been paying attention to webauthn? I didn't
know about it until yesterday, though I wrote a proof of
concept of something that looks a lot like webauthn in
2012. The thing that is kind of concerning to me is that
there seems to be some amount of misconception (I hope!)
that you need hardware or biometric or some non-password-based
authentication on the user device in the many
write-ups I've been reading. I sure hope that
misconception doesn't take hold because there is nothing
wrong with *local* password-based authentication to
unlock your credentials. I fear that if the
misconception takes hold, it will cause the entire
effort to tank. The issue with passwords is transmitting
them over the wire, first and foremost. Strong *local*
passwords that unlock functionality are still perfectly
fine for many, many applications, IMO.</span></p>
<p><span
style="color:rgb(29,33,41);font-family:Helvetica,Arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:left;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Which
isn't to say that hardware/biometric is bad, it's just
to say that they are separable problems with their own
set of tradeoffs. NANOG folks sound like prime examples
of who should be using 2 factor, etc. But we don't want
to discourage, oh say, Epicurious from implementing webauthn
to get to my super-secret recipe box because they don't
think people will buy ID dongles.<br>
</span></p>
<p><span
style="color:rgb(29,33,41);font-family:Helvetica,Arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:left;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Mike<br>
</span></p>
</div>
</blockquote>
</div>
<br>
</blockquote>
</body>
</html>