nanog mailing list archives

Re: webauthn


From: Roxanna Cieplinska <roxanna.cieplinska () gmail com>
Date: Fri, 22 Mar 2019 17:53:01 -0700

Keep it short!

Roxanna I. Cieplinska
M: + 1 (415) 412-7699

Sent from my iPhone

On Mar 22, 2019, at 5:50 PM, Michael Thomas <mike () mtcc com> wrote:

I know it's a little tangential, but it's a huge operational issue for network operations too. Have any NANOG folks
been paying attention to webauthn? I didn't know about it until yesterday, though I wrote a proof of concept of
something that looks a lot like webauthn in 2012. The thing that is kind of concerning to me is that there seems to
be some amount of misconception (I hope!) that you need hardware or biometric or some non-password based
authentication on the user device in the many write-ups I've been reading. I sure hope that misconception doesn't
take hold because there is nothing wrong with *local* password based authentication to unlock your credentials. I
fear that if the misconception takes hold, it will cause the entire effort to tank. The issue with passwords is
transmitting them over the wire, first and foremost. Strong *local* passwords that unlock functionality are still
perfectly fine for many, many applications, IMO.

Which isn't to say that hardware/biometric is bad, it's just to say that they are separable problems with their own
set of tradeoffs. NANOG folks sound like prime examples of who should be using 2 factor, etc. But we don't want to
discourage, oh say, Epicurious from implementing webauthn to get to my super-secret recipe box because they don't think
people will buy id dongles.

Mike
