I read the federal government’s Zero-Trust Memo so you don’t have to

(www.bastionzero.com)

656 points EthanHeilman | 2 comments | 27 Jan 22 15:06 UTC | HN request time: 0.526s | source

Show context

staticassertion ◴[27 Jan 22 15:56 UTC] No.30102061[source]▶

This is pretty incredible. These aren't just good practices, they're the fairly bleeding edge best practices.

1. No more SMS and TOTP. FIDO2 tokens only.

2. No more unencrypted network traffic - including DNS, which is such a recent development and they're mandating it. Incredible.

3. Context aware authorization. So not just "can this user access this?" but attestation about device state! That's extremely cutting edge - almost no one does that today.

My hope is that this makes things more accessible. We do all of this today at my company, except where we can't - for example, a lot of our vendors don't offer FIDO2 2FA or webauthn, so we're stuck with TOTP.

replies(15): >>30103088 #>>30103131 #>>30103846 #>>30104022 #>>30104121 #>>30104716 #>>30104840 #>>30105344 #>>30106941 #>>30107798 #>>30108481 #>>30108567 #>>30108916 #>>30111757 #>>30112413 #

1. vmception ◴[27 Jan 22 19:16 UTC] No.30104840[source]▶

>>30102061 #

Force banks to do this, immediately. They can levy it on any organization with a banking license or wants access to FEDWire or the ACH system. Force it for SWIFT access too, if the bank has an online banking system for users.

replies(1): >>30106552 #

2. criddell ◴[27 Jan 22 20:57 UTC] No.30106552[source]▶

>>30104840 (TP) #

I asked my bank about their 16 character limit on password length because it suggests they are saving the password rather than some kind of hash. Their response - don't worry about it, you aren't responsible for fraud.

Banks aren't going to want to implement any changes that cost more (in system changes and customer support) than the fraud they prevent.

↑