nanog mailing list archives
Re: How to fix authentication (was LinkedIn)
From: AP NANOG <nanog () armoredpackets com>
Date: Fri, 22 Jun 2012 10:24:15 -0400
I used the example I did based on YubiKey; I own one and use it on a regular basis. The real issue I am trying to make is the fact that even in the scenario I placed forward it still requires trust. Trust of a person or trust of a company. This reminds me of a quote:
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
- Albert Einstein
By no means am I saying any of us, or the majority of the world is stupid or uneducated. However, the inherent nature behind trust is just that, relying on some sort of other party is the weak link here. It only takes a single person who has a bad day, or just wants to slack off for that day, to create a vulnerability in any password, key, encryption, or authentication process hundreds if not thousands of people work so hard to solve.
While I used YubiKey as my original example, and use it on a regular basis, it still has its downfalls. It cannot be used with ActiveSync, so ultimately you cannot use it for your Active Directory login because of a small thing called Exchange. There have been other areas where YubiKey has failed but not by its design, but by the design of the application itself.
How can any of our solutions overcome the human factor?
--
- Robert Miller (arch3angel)
On 6/21/12 10:53 PM, Christopher Morrow wrote:
> On Thu, Jun 21, 2012 at 10:48 PM, Randy Bush <randy () psg com> wrote:
>>> That's basically the Yubikey. It uses a shared key, but since you're relying on a trusted third party anyway
>>
>> there are no trustable third parties
>
> note that yubico has models of auth that include:
> 1) using a third party
> 2) making your own party
> 3) HOTP on token
> 4) NFC
>
> they are a good company, trying to do the right thing(s)... They also don't necessarily want you to be stuck in the 'get your answer from another'
>
> -chris