[Cryptography] [FORGED] Re: So please tell me. Why is my solution wrong?

Theodore Ts'o tytso at mit.edu
Fri Feb 10 10:34:28 EST 2017


On Fri, Feb 10, 2017 at 06:01:52PM +1000, James A. Donald wrote:
> On 2/10/2017 4:07 AM, Theodore Ts'o wrote:
> > Or you set a domain-level policy that says Google will only accept the
> > user's password in combination with a tap on a FIDO Universal 2nd
> > Factor device which just barely juts out of the user's USB port.  If
> > John Podesta had one of those, maybe we wouldn't be enjoying spoofs of
> > Press Secretary Spicer being played by Mellissa McCarthy in drag....
> > 
> > 
> > Best of all, this is available today.  Unfortunately it requires that
> > users pay anywhere from $10[1] to $50[2] dollars for a U2F key, which is why
> > it probably really only works at companies who can set a security
> > policy requiring users to use it.  (And then the companies can pay the
> > cost of supplying all of their employees with the U2F security key.)
> > 
> > [1] https://www.amazon.com/HyperFido-K5-FIDO-U2F-Security/dp/B00WIX4JMC/
> > [2] https://www.amazon.com/Yubico-Y-159-YubiKey-4-Nano/dp/B018Y1XXT6
> 
> The key works with google gmail, not any old email server, and chrome
> browser, not any old email client.

There is open source code available so it can be made to work with any
e-mail client and server.  And given that it doesn't depend on
civilians recognizing the presence (or absence) of the correct image
on one of hundreds of web sites that they need to log into (and for
the high value accounts, probably only once a month or); and given
that the user experience is *way* less complicated than Joseph
Kilcullen's Rube Goldberg machine (apologies to Rube Goldberg; but
*not* to Joseph Kilcullen); and given that:

	* GMail, PayPal, and Salesforce.com already support it
	* Security keys are cheap ($6-18 USD) and available from many vendors
	* Users can use a single security key on any number of sites
	* ...without installing drivers or typing random numbers
	* ...and reusing a key doesn't let sites track the user between them
	* Sites don't have to authenticate any external service
	* ...or pay a licensing fee to FIDO or a patent holder

(note that Joseph's paper claims some number of patents and patents
pending)

.... why are we wasting time discussing his solution (other than he's
acting like an obnoxious boor?)

> Now if the 2nd factor device worked on your own server today and with your
> own email client today, then it would be useful today.

It could be made to work with your server and your own e-mail client
today, if you're willing to take the effort.

					- Ted
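As an added illustration (not code from Ted's post, nor from any FIDO project), here is a toy model in Go of the U2F registration and authentication exchange behind the properties listed above: one unrelated key pair per site, the appID hashed into the signed message so a signature is bound to one origin, and verification done entirely by the site with its stored public key. The origin strings and challenge in the test are constructed; the key handle format is a placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Device is a toy U2F token: a fresh key pair per registration, found by an opaque handle.
type Device struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32 // signature counter, reported with every assertion
}
// Register mints an unrelated key pair per appID, so two sites cannot link one user;
// the relying party stores only the returned handle and public key.
func (d *Device) Register(appID string) (handle string, pub *ecdsa.PublicKey) {
	if d.keys == nil { d.keys = map[string]*ecdsa.PrivateKey{} }
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	handle = fmt.Sprintf("kh-%d", len(d.keys)) // placeholder lookup token; real handles are random or wrapped keys
	d.keys[handle] = priv
	return handle, &priv.PublicKey
}
// signedData mirrors the U2F authentication message, sha256(appID) || flags || counter ||
// sha256(clientData); hashing appID into it binds every signature to one origin.
func signedData(appID string, counter uint32, clientData []byte) []byte {
	a, c := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	msg := append(a[:], 0x01) // flags: user-presence bit, i.e. the physical tap
	msg = append(msg, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(msg, c[:]...)
}
// Authenticate: the token bumps its counter and signs with the key bound to the handle.
func (d *Device) Authenticate(handle, appID string, clientData []byte) (uint32, []byte, bool) {
	priv, ok := d.keys[handle]
	if !ok { return 0, nil, false }
	d.counter++
	h := sha256.Sum256(signedData(appID, d.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil { panic(err) }
	return d.counter, sig, true
}
// Verify runs wholly on the relying party with its stored public key: no external service.
func Verify(pub *ecdsa.PublicKey, appID string, clientData []byte, counter, last uint32, sig []byte) bool {
	if counter <= last { return false } // counter must advance: rejects replays
	h := sha256.Sum256(signedData(appID, counter, clientData))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```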
