[Discuss] Password managers
Kent Borg
kentborg at borg.org
Wed May 6 13:15:19 EDT 2020
On 5/6/20 12:03 PM, Doug wrote:
> Am I wrong to presume everyone here uses 2-factor authentication? Yubikey
> is that, plus it has software that does try to figure out if the servers
> being contacted are the right ones, and not ones that just look right to a
> casual observer.
You are wrong in the case of me. I am willing to consider trusting
something like the old SecurID (was it called?). It has the virtue of
being manual, so I know what it is doing and that it isn't automatically
doing things without my knowing. The catch is even something that simple
couldn't be trusted: RSA was an idiot organization and they had a
systemic breach.
Yubikey feels more "Isn't this cool!?" to me than it feels secure. Why
should I trust it will only let me in? Why should I trust it *will* let
me in? (What the hell do I do if I damage it? Exactly how screwed am I?)
I do understand the value of two-factor stuff to fight against
compromised endpoints, but it doesn't solve them, just hobbles them a little.
Two-factor can be extremely valuable to protect high value stuff, but it
does not scale well, and the other things needed to protect such high
value targets are too burdensome for slightly normal people.
-kb