Hi Gerv,
I can send out a million client certificates for negligible
cost.
That is especially attractive cost-wise for an existing system that I
have to increase the security of (say over username and password), but
which has not been identified as needing 2 factor authentication.
Sending out a million anythings by snail-mail is spendy.

If you could rely on the user already having the number-sequence widget, or on having a virtual widget on their smartphone (like Google Authenticator) then the cost argument is irrelevant.

Regards

Robin

> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-
> [email protected]] On Behalf Of Gervase Markham
> Sent: 25 September 2014 13:29
> To: [email protected]
> Subject: Client certs
>
> A question which occurred to me, and I thought I'd put before an
> audience of the wise:
>
> * What advantages, if any, do client certs have over number-sequence
> widgets such as e.g. the HSBC Secure Key, used with SSL?
>
> http://www.hsbc.co.uk/1/2/customer-support/online-banking-security/secure-key
>
> It seems like they have numerous disadvantages (some subjective):
>
> * Client certs can be invisibly stolen if a machine is compromised
> * Client certs are harder to manage and reason about for an average
> person
> * Client certs generally expire and need replacing, with no warning
> * Client certs are either single-machine, or need a probably-complex
> copying process
>
> What are the advantages?
>
> Gerv
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy