Both FIDO and OAuth2 are inherently insecure.

While they may be better than nothing at all, they are only very slightly better than proper password selection and management.

--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.

>-----Original Message-----
>From: NANOG <nanog-boun...@nanog.org> On Behalf Of Eric Tykwinski
>Sent: Monday, 23 March, 2020 15:55
>To: Mark Tinka <mark.ti...@seacom.mu>
>Cc: nanog@nanog.org
>Subject: Re: South Africa On Lockdown - Coronavirus - Update!
>
>I think that's the major sticky point, I would hope we could all agree on
>one thing, but that also leaves one entry point of failure. Hopefully we
>can all agree that FIDO2, OAUTH2, et al, will be a winner in the long run
>so everything can just use one simple authentication mechanism.
>
>
>Sincerely,
>
>Eric Tykwinski
>TrueNet, Inc.
>P: 610-429-8300
>
>> On Mar 23, 2020, at 5:23 PM, Mark Tinka <mark.ti...@seacom.mu> wrote:
>>
>> On 23/Mar/20 22:39, Keith Medcalf wrote:
>>
>>> Hardware tokens are nothing more than dedicated hardware TOTP
>>> devices with perhaps a few additional parameters programmed at
>>> manufacturing time. Example, RSAID keyfobs are nothing more than TOTP
>>> generators with manufacturer programmed secrets and dedicated clock and
>>> display hardware with no external interface which permits access to the
>>> secret.
>>
>> For some of my banks, OTP tokens are issued via their device apps. I
>> used to have physical key fobs for that; those are now gone.
>>
>> Admittedly, not all of my banks have made the transition. On the other
>> hand, many of the banks have moved on to support Face ID and QR code
>> verification via device apps.
>>
>> Not specific to VPN access management, but in the same vein.
>>
>> Mark.
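The "hardware token is just a TOTP generator with a baked-in secret" point quoted above is easy to make concrete. The block below is an added example, not code from the NANOG thread or from any token vendor: it implements RFC 4226 HOTP and RFC 6238 TOTP in Python and checks itself against the RFCs' published test vectors (the 20-byte ASCII secret "12345678901234567890"). The `verify_totp` server-side check, its drift `window` and its replay guard via `last_counter` are my own illustration of what a verifier needs on top of the bare algorithm; they are not from the RFCs. Note that there is exactly one secret in play: whoever holds it (the keyfob, a phone app, or the server's seed database) can compute every code the token will ever display.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP: the algorithm an OTP keyfob runs.

Added example (not from the NANOG thread). The only secret is `secret`;
anything that holds it can generate every code, which is the property the
thread is arguing about.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Test-vector secret shared by RFC 4226 and RFC 6238 (SHA-1 rows).
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    if not 6 <= digits <= 8:
        raise ValueError("HOTP/TOTP codes are 6 to 8 digits")
    # 8-byte big-endian counter is the HMAC message (RFC 4226 section 5.2).
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                                    # RFC 4226 section 5.3
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step).

    On a keyfob the dedicated clock supplies unix_time; the secret was
    programmed at manufacture and never leaves the device.
    """
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int,
                window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check (my illustration, not part of the RFCs).

    Returns the accepted time-step counter, or None if the code is rejected.
    - `window` tolerates +/-N steps of clock drift between token and server.
    - Counters <= `last_counter` are refused, so a code that was already
      accepted cannot be replayed while it is still inside the window.
    - hmac.compare_digest avoids leaking the code through string-compare timing.
    """
    now = unix_time // step
    for counter in range(max(0, now - window), now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (SHA-1, 8 digits, 30 s step).
    for t, expected in [(59, "94287082"), (1111111109, "07081804"), (1234567890, "89005924")]:
        assert totp(RFC_SECRET, t, digits=8) == expected, (t, expected)
    print("current 6-digit code for the RFC test secret:", totp(RFC_SECRET, int(time.time())))
```

A server that stores seeds stores exactly what the keyfob stores, so the seed database deserves the same handling as a password database: access to it is equivalent to possession of every enrolled token.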