[Cryptography] [FORGED] Re: So please tell me. Why is my solution wrong?

James A. Donald jamesd at echeque.com
Fri Feb 10 03:01:52 EST 2017


On 2/10/2017 4:07 AM, Theodore Ts'o wrote:
> Or you set a domain-level policy that says Google will only accept the
> user's password in combination with a tap on a FIDO Universal 2nd
> Factor device which just barely juts out of the user's USB port.  If
> John Podesta had one of those, maybe we wouldn't be enjoying spoofs of
> Press Secretary Spicer being played by Melissa McCarthy in drag....
>
>
> Best of all, this is available today.  Unfortunately it requires that
> users pay anywhere from $10[1] to $50[2] dollars for a U2F key, which is why
> it probably really only works at companies who can set a security
> policy requiring users to use it.  (And then the companies can pay the
> cost of supplying all of their employees with the U2F security key.)
>
> [1] https://www.amazon.com/HyperFido-K5-FIDO-U2F-Security/dp/B00WIX4JMC/
> [2] https://www.amazon.com/Yubico-Y-159-YubiKey-4-Nano/dp/B018Y1XXT6

The key works with Google Gmail, not any old email server, and Chrome
browser, not any old email client.

I am pretty sure that if Clinton had used Google Gmail, Obama's team
would still have been able to read her team's mail.  Remember that her
primary security concern was not Russia, the chans, or WikiLeaks, but
Obama.  Recall what happened to Petraeus.  Google actively and
aggressively takes sides in politics and Washington power struggles.
One would be better off using a KGB mail server.

Now if the 2nd factor device worked on your own server today and with 
your own email client today, then it would be useful today.
