webauthn post on NANOG

FYI.

---------- Forwarded message ----------
Date: Fri, 22 Mar 2019 17:50:29 -0700
From: Michael Thomas <mike@mtcc.com>
To: NANOG list <nanog@nanog.org>
Subject: webauthn


I know it's a little tangential, but it's a huge operational issue for network
operations too. Have any NANOG folks been paying attention to webauthn? I didn't
know about it until yesterday, though I wrote a proof of concept of something that
looks a lot like webauthn in 2012. The thing that is kind of concerning to me is
that there seems to be some amount of misconception (I hope!) that you need
hardware or biometric or some non-password based authentication on the user
device in the many write-ups I've been reading. I sure hope that misconception
doesn't take hold because there is nothing wrong with *local* password based
authentication to unlock your credentials. I fear that if the misconception takes
hold, it will cause the entire effort to tank. The issue with passwords is
transmitting them over the wire, first and foremost. Strong *local* passwords
that unlock functionality are still perfectly fine for many many applications,
IMO.

Which isn't to say that hardware/biometric is bad, it's just to say that they are
separable problems with their own set of tradeoffs. NANOG folks sound like prime
examples of who should be using 2 factor, etc. But we don't want to discourage,
oh say, Epicurious from implementing webauthn to get to my super-secret recipe box
because they don't think people will buy ID dongles.

Mike

Received on Saturday, 23 March 2019 10:30:16 UTC
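
The model the forwarded message argues for, sketched as an added example (not code from the post, and not the WebAuthn API itself): a password is used only locally to unlock a private key, and the server sees just a public key and a signature over its challenge. The function names, the origin string and the PEM key storage are assumptions for illustration; it uses Node.js's built-in crypto module.

```javascript
// Added illustration; all names here are hypothetical, not from the post.
const crypto = require('node:crypto');

// Client, at enrollment: generate a key pair and keep the private key
// encrypted under a password that never leaves the device.
function enroll(localPassword) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', {
    namedCurve: 'P-256',
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: {
      type: 'pkcs8', format: 'pem',
      cipher: 'aes-256-cbc', passphrase: localPassword,
    },
  });
  // Only publicKey is sent to the server; encryptedPrivateKey stays local.
  return { publicKey, encryptedPrivateKey: privateKey };
}

// Server: a fresh random challenge per login attempt prevents replay.
function serverNewChallenge() {
  return crypto.randomBytes(32);
}

// Bind the signature to the site as well as to the challenge.
function signedMessage(origin, challenge) {
  return Buffer.concat([Buffer.from(origin + '\n', 'utf8'), challenge]);
}

// Client, at login: the password unlocks the key locally (throws if wrong);
// only the signature goes over the wire.
function clientSign(encryptedPrivateKey, localPassword, challenge, origin) {
  const key = crypto.createPrivateKey({
    key: encryptedPrivateKey, passphrase: localPassword,
  });
  return crypto.sign('sha256', signedMessage(origin, challenge), key);
}

// Server: verifies with the enrolled public key; it never holds a password
// or a password hash for this account.
function serverVerify(publicKey, challenge, origin, signature) {
  return crypto.verify('sha256', signedMessage(origin, challenge),
                       publicKey, signature);
}
```

Swapping the password-encrypted key file for a hardware token or a biometric-gated keystore changes only how the private key is unlocked on the client; the server-side verification is the same.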