| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by oarsinsync 2326 days ago

It does look very nice. It's a shame that it depends on third parties for authentication, and that they have gems like this in their documentation:

> No app-level integration or reconfiguration is required, because security is built into the network itself. If you configure your network to require Tailscale, every one of your internal services will be subject to multi-factor authentication.

Which is simply not true. I've had 2FA for my Cisco AnyConnect VPN for years. That does not mean my applications I access through the VPN are now magically subject to MFA.

Maybe in time this may end up being viable for me, and maybe it already is for other people. For now, I'd rather my VPN didn't depend on Google, Microsoft, Okta, etc.

2 comments

yencabulator 2314 days ago

The idea of a vulnerability in any app I run having access to all my things is quite scary. Status quo is that they at least have to reach the file storing browser cookies before they "become me"; the way Tailscale is talking about their system sounds like fewer barriers.

gowld 2326 days ago

> That does not mean my applications I access through the VPN are now magically subject to MFA.

Why not? Doesn't the VPN authenticate you via VPN before you can access the apps?

oarsinsync 2325 days ago

Network authentication is not the same as application authentication.

If I plug a cable into your LAN, I am not subject to MFA to login to a server on your LAN.

If you have a lock on the network port that requires me to type in a PIN code and stick in a key to unlock, and expose the port, that then results in MFA to connect to your network. Your applications behind your network remain without MFA.

MFA VPN is essentially the same thing as the above, but for remote access to the LAN. Applications should still be properly secured.

I suppose it could be argued that this provides a client-side agent to authenticate the end user as well (mumble mumble 802.1x), and if so, then it's arguable whether or not you need another layer of authentication on the application, or if this qualifies as SSO to authenticate you to everything you have access to in the network (so passwordless login to servers, desktops, webapps, etc)