On 7/4/23 5:02 PM, Keith Moore wrote:
> On 7/3/23 16:39, Michael Thomas wrote:
>> As far as what else can be done, I think quite a lot these days can
>> be done.
> Agree. As far as I can tell there's a glaring hole in current IETF
> authentication protocols in that we don't have general purpose
> protocol support (not something that requires or expects a web
> browser) for (a) multi-factor authentication and (b) hardware keys.
I think one of the biggest weaknesses of webauthn is that it has made
hardware keys the enemy of software keys. For a huge swath of
authentication needs, software private keys would be completely
sufficient. I don't want to require a hardware frob to log into facebook
or some other lame site. I don't want my laptop being obsoleted because
it doesn't have a camera or fingerprint detector. The introduction of
hardware with the FIDO stuff in webauthn makes it ridiculously more
complicated and for no appreciable gain in security for the average
case. I'm fine with hardware for my bank accounts whose companies can
afford to figure this out, but the goal should be to make public key
authentication drop dead simple for the rest and webauthn is definitely
not that.
Mike