by jrockway
978 days ago
> The service has no way to know whether my browser is talking with a hardware token or emulating one

It does. It can request that the key do attestation, which involves providing a certificate that proves who the manufacturer is.
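A worked illustration of the attestation point above, added here and not part of the thread: how a relying party reads the authenticator data returned at WebAuthn registration, pulls out the AAGUID that identifies the authenticator model, and applies either an accept-anything policy or an allowlist policy. Verification of the attestation certificate chain, which is what makes the AAGUID trustworthy, is assumed to happen elsewhere; all AAGUIDs and bytes below are constructed placeholders.

```python
from __future__ import annotations
import hashlib
import struct
import uuid
from dataclasses import dataclass

FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40  # user present, user verified, attested cred data

@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: uuid.UUID | None       # authenticator model identifier
    credential_id: bytes | None

def parse_auth_data(data: bytes) -> AuthData:
    """Parse the fixed 37-byte header and, if AT is set, the attested credential data."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash, flags = data[:32], data[32]
    sign_count = struct.unpack(">I", data[33:37])[0]
    aaguid = cred_id = None
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("attested credential data truncated")
        aaguid = uuid.UUID(bytes=data[37:53])
        cred_len = struct.unpack(">H", data[53:55])[0]
        cred_id = data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential id truncated")
    return AuthData(rp_id_hash, flags, sign_count, aaguid, cred_id)

def accept_any_authenticator(ad: AuthData, rp_id: str) -> bool:
    """Consumer-style policy: hardware or software, as long as the registration is
    for our RP ID, carries credential data and the user was verified."""
    return (ad.rp_id_hash == hashlib.sha256(rp_id.encode()).digest()
            and bool(ad.flags & FLAG_UV) and ad.aaguid is not None)

def accept_only_allowlisted(ad: AuthData, rp_id: str, allowed: frozenset) -> bool:
    """Enterprise-style policy: additionally require a company-issued model. Only
    meaningful once the attestation statement's certificate chain has been verified;
    otherwise the AAGUID is a self-reported value."""
    return accept_any_authenticator(ad, rp_id) and ad.aaguid in allowed

# Constructed sample registration from a software authenticator; placeholder AAGUIDs.
CORP_MODEL = uuid.UUID("11111111-2222-3333-4444-555555555555")
SOFT_MODEL = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
SAMPLE_AUTH_DATA = (hashlib.sha256(b"example.com").digest() + bytes([FLAG_UP | FLAG_UV | FLAG_AT])
                    + struct.pack(">I", 0) + SOFT_MODEL.bytes + struct.pack(">H", 4) + b"\x01\x02\x03\x04")
```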
I mean, I’d be okay with that if I’m working for some company and have to use the company-issued hardware token that can deliver a company-issued attestation that the company servers can then check. In some sense, the company is the user here, and the fact that employees have no say in this matter is not a big deal.

For individuals, however, I believe it is important that the user be in control. If they don’t want (or can’t afford) to buy a hardware token, emulation should be an option. And if they prefer the hardware token, they should be able to buy it from any company.

Picture how anti-competitive it would be if, to use AWS, you had to use a security token issued by Yubico (or one of a list of approved companies): how does a small non-approved company like Tillitis enter the market? Do they have to ask every relevant cloud provider to add them to their list? This is both impractical and unfair.

An alternative that wouldn’t be anti-competitive is for AWS to mandate an Amazon-provided key to use their services. And that key must not be usable for anything else. Note the e-waste and impracticality if every cloud provider did this, however. It’s much better to let users use one hardware token for all services.

The worst thing is, I’m pretty sure companies will try to mandate such attestations; they will say it is to "protect the user", while in fact it will be yet another tool in their lock-in toolbox. As I said, it’s evil and I want nothing to do with it.