On Mon, Mar 23, 2020 at 7:34 PM George Michaelson <g...@algebras.org> wrote:
>
> I don't see SKEY style OTP lists as inherently bad. "It's how you do
> it" which concerns me, not that it is done.
>

trust your users to always ALWAYS find the worst way to use the product.
Note the label on bleach bottles: "Do not lick" or coffee cups: "Caution:
contents hot" :(

I agree that 'consenting adults' can do this properly, it's when people
really want to find their own way that....we end up having this
discussion :(

> -G
>
> On Tue, Mar 24, 2020 at 9:33 AM Christopher Morrow
> <morrowc.li...@gmail.com> wrote:
> >
> > On Mon, Mar 23, 2020 at 7:00 PM Michael Thomas <m...@mtcc.com> wrote:
> > >
> > > On 3/23/20 3:53 PM, Sabri Berisha wrote:
> > >
> > > Hi,
> > >
> > > In my experience, yubikeys are not very secure. I know of someone in my
> > > team who would generate a few hundred tokens during a meeting and save
> > > the output in a text file. Then they'd have a small python script which
> > > was triggered by a hotkey on my macbook to push "keyboard" input. They
> > > did this because the org they were working for would make you use yubikey
> > > auth for pretty much everything, including updating a simple internal
> > > Jira ticket.
> > >
> >
> > this is not: "yubikey is bad" as much as: "The user using the yubikey is
> > bad"
> > Admittedly perhaps: "every time new token" sucks, and that's what (I
> > think michael thomas is saying below), but certainly the yubikey could
> > have been used for TOTP instead of HOTP and the user in question would
> > have been out of luck, right? :)
> >
> > Almost all security 'features' are a trade-off between: "get stuff
> > done" and "get stuff done with an extra hop", making the 'extra hop'
> > as simple and natural as possible makes people less likely to do dumb
> > things like:
> > 1) pregen a crapload of tokens, store them on their probably
> > compromised laptop...
> > 2) aim a webcam at their rsa token and watch the change remotely
> > 3) hot-dog and sipping-bird toy to touch the thingy on their yubikey
> > token every X seconds...
> >
> > >
> > > One of the things that got lost in the Webauthn stuff is that passwords
> > > per se are not bad. It's passwords being sent over the wire. In
> > > combination with reuse, that is the actual problem. Webauthn supposedly
> > > allows use of passwords to unlock a local credential store, but it is so
> > > heavily focused on dongles that it's really hard to figure out for a normal
> > > website that just wants to get rid of the burden of remote passwords.
> > >
> > > Mike