RE: South Africa On Lockdown - Coronavirus - Update!

["Keith Medcalf" <kmedcalf () dessus com>]

Both Fido and OAuth2 are inherently insecure.

While they may be better than nothing at all, they are only very slightly better than proper password selection and 
management.

--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.

> -----Original Message-----
> From: NANOG <nanog-bounces () nanog org> On Behalf Of Eric Tykwinski
> Sent: Monday, 23 March, 2020 15:55
> To: Mark Tinka <mark.tinka () seacom mu>
> Cc: nanog () nanog org
> Subject: Re: South Africa On Lockdown - Coronavirus - Update!
>
> I think that’s the major sticky point, I would hope we could all agree on
> one thing, but that also leaves one entry point of failure.  Hopefully we
> can all agree that FIDO2, OAUTH2, et al, with be a winner in the long run
> so everything can just use one simple authentication mechanism.
>
>
> Sincerely,
>
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
>
>
>       On Mar 23, 2020, at 5:23 PM, Mark Tinka <mark.tinka () seacom mu
> <mailto:mark.tinka () seacom mu> > wrote:
>
>
>
>       On 23/Mar/20 22:39, Keith Medcalf wrote:
>
>
>
>               Hardware tokens are nothing more than dedicated hardware TOTP
> devices with perhaps a few additional parameters programmed at
> manufacturing time.  Example, RSAID keyfobs are nothing more than TOTP
> generators with manufacturer programmed secrets and dedicated clock and
> display hardware with no external interface which permits access to the
> secret.
>
>
>
>       For some of my banks, OTP tokens are issued via their device apps. I
>       used to have physical key fobs for that; those are now gone.
>
>       Admittedly, not all of my banks have made the transition. On the
> other
>       hand, many of the banks have moved on to support Face ID and QR code
>       verification via device apps.
>
>       Not specific to VPN access management, but in the same vein.
>
>       Mark.