Using passwordsafe with yubikey
11/18/2023

It's great to see ending the insanity of symmetric authentication (with passwords) is finally, finally gathering momentum. It's been frustrating because there were various potential efforts going back to the 00s at least; I remember logging into some sites with client certs. Somehow though the right combination of UI and broad support never happened despite the endless ridiculousness of leaks due to inevitable server side compromise, and then ever more bandaids on top like adaptive hash functions and password managers. Really looking forward to the day of all that fading into an (admittedly very) long tail of legacy.

One place I'm kind of sorry hasn't been on the forefront of adoption though, and I hope gets into gear soon, is web UIs, which often control some pretty important stuff. We run things like OPNsense for firewall/gateway needs, TrueNAS, various controllers, hardware that these days has a web UI, etc. With "internal" applications it's already a lot more acceptable to slap heavier access requirements on them, only exposing them via VPN, but it'd be nice to be able to require hardware-bound passkeys (to use Yubico's terminology) for web auth (recovery can be done via console if ever required).

> What’s your take on accessing systems accepting passkeys on a shared computer?

Plugging a token into a shared system is superior to passwords as well. Easy, somewhat safer if the system is compromised vs any given password (since an attacker would only be able to perform an online hot attack, and only on things the user was also doing, assuming touch is required), much safer and easier compared to a password manager.

Externalizing authentication on a shared system into something owned by the user is a pure win IMO for those who need to use them, and if anything is a particular win in that case compared to those who get to use only their own computers. There is no one answer to this and I'm sure UX will evolve over time. As I said, in many cases there is a natural fallback in the form of a local access console, same as if somehow all SSH keys or the like were lost. Ideally in general everyone would have multiple tokens, with at least one serving as a backup. Alternatively or in addition, good old backup codes (printed keys, either whole or n-of-m splits) on paper are a reasonable choice in some cases IMO. Some places that have a personal connection may simply have an IRL fallback, i.e., your employer would just have you go to IT, or your bank might have you go into a branch in person with ID for a reset.

In the future, there could be optional hardware solutions that allowed backing up exclusively to another key. I don't see the problem though as much different than having hundreds/thousands of passwords to deal with.

> I wonder what phishing attempts will look like.

Pure remote "phishing" as it currently exists just isn't going to be possible with hardware-based keys. But online hot attacks still will be, so I'd expect that will be the path taken (though it'll be harder). Stuff like getting people to run programs or waiting for them to access something sensitive on a rooted system such that they do a completely legitimate authentication flow but then additional actions are performed using it. But that's far more limited a threat surface than right now, and also will have more tractable technical counters. I guess for a while the other "phishing" that might linger will simply be trying to use the inevitable legacy workarounds that you yourself asked about. Backup codes could certainly be phished in principle, social engineering tech support that "so and so lost access to their devices!", etc. But I think that will fade in effectiveness as time goes on, so might as well get to it. At the end of the day, symmetric shared auth is just insanity and asymmetric is simply fundamentally superior.
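To make the asymmetric-versus-symmetric point above concrete, here is an added example (my own code, not from the thread, Yubico, or any passkey library) modelling a simplified WebAuthn-style flow in Go: the server stores only a public key, every login signs a fresh challenge, and the credential is scoped to the relying-party ID the browser actually saw, so a challenge relayed through a lookalike origin is never signed and an old signature never verifies again. The type names, `rpID` handling and `bank.example` are my assumptions, and the data that gets signed is a simplification of the real WebAuthn authenticator data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models a hardware-bound passkey (hypothetical name): the private key
// never leaves the device and the credential is scoped to one relying-party ID (rpID).
type Authenticator struct {
	priv *ecdsa.PrivateKey
	rpID string
}
// Server stores only the public key, so a server-side leak yields nothing replayable.
type Server struct {
	rpID string
	pub  *ecdsa.PublicKey
}

// Register generates the key pair on the "device" and gives the server the public half.
func Register(rpID string) (*Authenticator, *Server, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv, rpID}, &Server{rpID, &priv.PublicKey}, nil
}

// NewChallenge returns 32 fresh random bytes, so a captured signature cannot be replayed later.
func (s *Server) NewChallenge() []byte { c := make([]byte, 32); rand.Read(c); return c }
// signedData binds the challenge to the origin the browser actually saw.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// Assert: the browser supplies the real origin; the key refuses unless the credential was registered for it.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	if origin != a.rpID {
		return nil, errors.New("no credential for this origin")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(origin, challenge))
}
// Verify checks the signature against the stored public key and the server's own rpID.
func (s *Server) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(s.pub, signedData(s.rpID, challenge), sig)
}
```

A relaying attacker on `bank-login.example` can fetch a genuine challenge from `bank.example`, but the browser hands the key the attacker's origin, so `Assert` returns an error instead of a signature; that is the mechanism behind "pure remote phishing isn't going to be possible".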