[Cryptography] On the deployment of client-side certs

Tony Arcieri bascule at gmail.com
Tue Nov 15 22:09:23 EST 2016

On Tue, Nov 15, 2016 at 6:39 PM, Ron Garret <ron at flownet.com> wrote:

> Why not?  They are not very expensive.  You can get one on Amazon for $10.

I am quite aware of the low cost: I probably have a dozen or so in my
possession. There are a dizzying array of U2F tokens available, which in
and of itself is an obstacle for newcomers. Which one should they buy? This
is a question I have strong opinions about, but an obstacle for newcomers.

2FA adoption in general remains quite low, so low most companies seem
embarrassed to even publish numbers. Some estimates put 2FA adoption on
Google at 6.5%:

Even among my technically savvy friends who have adopted 2FA, U2F use seems
quite low: perhaps 5% of the people I've talked to about it? Most others
are using TOTP or SMS. I have thought about blogging about U2F for just
this purpose.

U2F doesn't improve user experience, except over other 2FA solutions, and
2FA is still quite tricky. Users STILL have to enter a password. The token
just bolsters their security.

UAF is an entirely different animal altogether: it's a "passwordless
experience". No more passwords to remember! It's the dream we keep hoping
for. It's not something else you have to do in addition to a password; it's
a bona fide password *replacement*.

Plus, there's nothing to buy if you already own a smartphone. If and when
UAF ships (it's likely to ship on Android devices at some point. iOS seems
much more uncertain), anyone with a UAF-capable phone will be able to take
advantage of it without having to figure out which token to buy.

Only time will tell I guess. Maybe I'm wrong and we'll see everyone with
hardware tokens on their keychains soon. But I think it's far more likely
we'll see smartphones leveraged for this purpose, rather than widespread
usage of dedicated tokens.

Tony Arcieri