|
|
|
|
|
|
by tacotuesday
3891 days ago
|
|
|
I've arrived at the opinion that users simply cannot be trusted to keep their own credentials safe. It's literally impossible to secure a system based on trusting the user. There are very successful businesses (mint.com) built around the concept of sharing extremely sensitive credentials for some reward. In the tutum intro video I watched yesterday, the pitchman is asking developers within the first minute of video to enter AWS credentials into his website I've never heard of. If anyone would balk at that suggestion, I would expect it to be developers, yet they are so successful, Docker is buying them for meeellions of dollars. I'm really surprised no one in the thread has yet mentioned yubico as a solution. I like yubikeys because they are something users can't upload. Keys are a concept everyone understands, and despite what I'm told by friends, I've yet to lose mine. I've never lost my car/house/mailbox keys either though. Maybe I'm odd in both respects. I keep my credentials and keys close to me. |
|
|
Sadly, I've been unable to convince my wife that it's worth it. She won't wear it as a necklace or bracelet, almost never has pockets, and rarely has her keys near her when at home. I might just have to stick an Edge-N in her laptop and slip an Edge onto her keychain, so that when she inevitably calls complaining she can't log into GMail from a friend's computer, I'll be prepared...
From a development perspective, I've read through the U2F spec, and it seemed quite reasonable. I haven't had a chance to try implementing it in anything, though.