Re: webauthn

[Michael Thomas <mike () mtcc com>]

On 3/23/19 5:18 AM, Mauricio Rodriguez wrote:
> My understanding is that 2-factor is one of the primary drivers for 
> webauthn.  I feel that hardware dongles are the thing of the past, 
> with software now being available that runs on your smartphone and 
> serves the same function.  Example - Google Authenticator.

2FA is fine, but the real problem is one factor passwords going over the 
wire. If we did nothing than get rid of that, it would be a massive 
upgrade to security on the net.

Mike


> ______
> Regards,
> Mauricio Rodriguez
> Founder / Owner
> Fletnet Network Engineering (www.fletnet.com <http://www.fletnet.com/>)
> 1951 NW 7th Ave #600, Miami, FL 33136
>
> Mauricio.Rodriguez () fletnet com <mailto:Mauricio.Rodriguez () fletnet com>
> Office: +1-786-309-5493
> Mobile: +1-305-978-6884
>
> Schedule a Meeting with me 
> <http://scheduling.fletnet.com/mauricio_rodriguez>
>
>
>
>
>
> On Fri, Mar 22, 2019 at 8:52 PM Michael Thomas <mike () mtcc com 
> <mailto:mike () mtcc com>> wrote:
>
>     I know it's a little tangential, but it's a huge operational issue
>     for network operations too. Have any NANOG folks been paying
>     attention to webauthn? i didn't know about until yesterday, though
>     i wrote a proof of concept of something that looks a lot like
>     webauthn in 2012. The thing that is kind of concerning to me is
>     that there seems to be some amount of misconception (I hope!) that
>     you need hardware or biometric or some non-password based
>     authentication on the user device in the many write ups i've been
>     reading. i sure hope that misconception doesn't take hold because
>     there is nothing wrong with *local* password based authentication
>     to unlock your credentials. i fear that if the misconception takes
>     hold, it will cause the entire effort to tank. the issue with
>     passwords is transmitting them over the wire, first and foremost.
>     strong *local* passwords that unlock functionality is still
>     perfectly fine for many many applications, IMO.
>
>     Which isn't to say that hardware/biometric is bad, it's just to
>     say that they are separable problems with their own set of
>     tradeoffs. NANOG folks sound like prime examples of who should be
>     using 2 factor, etc. But we don't want to discourage, oh say,
>     Epicurious to implement webauthn to get to my super-secret recipe
>     box because they don't think people will buy id dongles.
>
>     Mike
>
>
> /This message (and any associated files) may contain confidential 
> and/or privileged information. If you are not the intended recipient 
> or authorized to receive this for the intended recipient, you must not 
> use, copy, disclose or take any action based on this message or any 
> information herein. If you have received this message in error, please 
> advise the sender immediately by sending a reply e-mail and delete 
> this message. Thank you for your cooperation./