nanog mailing list archives

Re: How to fix authentication (was LinkedIn)

From: Kyle Creyts <kyle.creyts () gmail com>
Date: Sat, 23 Jun 2012 22:02:25 -0700

I would suggest that multiple models be pursued (since each appears to have
a champion) and that the market/drafting process will resolve the issue of
which is better (which is okay by me:  widespread adoption of any of the
proposed models would advance the state of the norm; progress beats the
snot out of stagnation in my book)

My earlier replies were reprehensible. This is not a thread that should
just be laughed off. Real progress may be occurring here, and at the least,
good knowledge and discussion is accumulating in a way which may serve as a
resource for the curious or concerned.
On Jun 22, 2012 7:25 AM, "Leo Bicknell" <bicknell () ufp org> wrote:

In a message written on Thu, Jun 21, 2012 at 04:48:47PM -1000, Randy Bush
wrote:

there are no trustable third parties


With a lot of transactions the second party isn't trustable, and
sometimes the first party isn't as well. :)

In a message written on Thu, Jun 21, 2012 at 10:53:18PM -0400, Christopher
Morrow wrote:

note that yubico has models of auth that include:
  1) using a third party
  2) making your own party
  3) HOTP on token
  4) NFC

they are a good company, trying to do the right thing(s)... They also
don't necessarily want you to be stuck in the 'get your answer from
another'


Requirements of hardware or a third party are fine for the corporate
world, or sites that make enough money or have enough risk to invest
in security, like a bank.

Requiring hardware for a site like Facebook or Twitter is right
out.  Does not scale, can't ship to the guy in Pakistan or McMurdo
who wants to sign up.  Trusting a third party becomes too expensive,
and too big of a business risk.

There are levels of security here.  I don't expect Facebook to take
the same security steps as my bank to move my money around.  One
size does not fit all.  Making it so a hacker can't get 10 million
login credentials at once is a quantum leap forward even if doing
so doesn't improve security in any other way.

The perfect is the enemy of the good.

--
      Leo Bicknell - bicknell () ufp org - CCIE 3440
       PGP keys at http://www.ufp.org/~bicknell/

Current thread:

Re: How to fix authentication (was LinkedIn), (continued)
- - - Re: How to fix authentication (was LinkedIn) Kyle Creyts (Jun 20)
    - RE: How to fix authentication (was LinkedIn) Drew Weaver (Jun 20)
    - Re: How to fix authentication (was LinkedIn) Aaron C. de Bruyn (Jun 20)
    - Re: How to fix authentication (was LinkedIn) Alexander Harrowell (Jun 21)
    - Re: How to fix authentication (was LinkedIn) AP NANOG (Jun 21)
    - Re: How to fix authentication (was LinkedIn) Ben Jencks (Jun 21)
    - Re: How to fix authentication (was LinkedIn) Randy Bush (Jun 21)
    - Re: How to fix authentication (was LinkedIn) Christopher Morrow (Jun 21)
    - Re: How to fix authentication (was LinkedIn) AP NANOG (Jun 22)
    - Re: How to fix authentication (was LinkedIn) Leo Bicknell (Jun 22)
    - Re: How to fix authentication (was LinkedIn) Kyle Creyts (Jun 23)
    - Re: How to fix authentication (was LinkedIn) AP NANOG (Jun 25)
    - Re: LinkedIn password database compromised Rich Kulawiec (Jun 21)
    - Re: LinkedIn password database compromised Dave Hart (Jun 21)
    - Re: LinkedIn password database compromised Robert Bonomi (Jun 22)
    - Re: LinkedIn password database compromised AP NANOG (Jun 22)
    - RE: LinkedIn password database compromised Keith Medcalf (Jun 23)
- Re: LinkedIn password database compromised David Walker (Jun 07)
  - Re: LinkedIn password database compromised Joe Maimon (Jun 08)