I read the federal government’s Zero-Trust Memo so you don’t have to

(www.bastionzero.com)

656 points EthanHeilman | 1 comments | 27 Jan 22 15:06 UTC | HN request time: 0.224s | source

Show context

staticassertion ◴[27 Jan 22 15:56 UTC] No.30102061[source]▶

This is pretty incredible. These aren't just good practices, they're the fairly bleeding edge best practices.

1. No more SMS and TOTP. FIDO2 tokens only.

2. No more unencrypted network traffic - including DNS, which is such a recent development and they're mandating it. Incredible.

3. Context aware authorization. So not just "can this user access this?" but attestation about device state! That's extremely cutting edge - almost no one does that today.

My hope is that this makes things more accessible. We do all of this today at my company, except where we can't - for example, a lot of our vendors don't offer FIDO2 2FA or webauthn, so we're stuck with TOTP.

replies(15): >>30103088 #>>30103131 #>>30103846 #>>30104022 #>>30104121 #>>30104716 #>>30104840 #>>30105344 #>>30106941 #>>30107798 #>>30108481 #>>30108567 #>>30108916 #>>30111757 #>>30112413 #

meepmorp ◴[27 Jan 22 18:05 UTC] No.30103846[source]▶

>>30102061 #

Also, “Password policies must not require use of special characters or regular rotation.”

They even call out the fact that it's a proven bad practice that leads to weaker passwords - and such policies must be gone from government systems in 1 year from publication of the memo. It's delightful.

replies(5): >>30104317 #>>30104644 #>>30104914 #>>30106431 #>>30108010 #

1. xoa ◴[27 Jan 22 19:20 UTC] No.30104914[source]▶

>>30103846 #

Yeah, while the clear and correct focus overall is on moving away from passwords entirely (FINALLY!!!!!) it's still nice to see something immediately actionable on at least improving policies in the mean time since those should be very low hanging fruit. Although one thing one thing I don't see is a mention of is doing away with (or close enough) password max character limits and requiring that everything get hashed step 1. Along with rotation and silly complex rules, stupid low character limits is the other big irritation with common systems. If passwords must be used they should be getting hashed client-side anyway (and then again server-side) so the server should be getting a constant set of bits no matter what the user is inputting. There isn't really any need at all for character limits at this point. If anything it's the opposite, minimums should be a lot higher. If someone is forced to use at least 20-30 characters say that essentially requires a password manager or diceware. And sheer length helps even bad practices.

But maybe they didn't bother giving much more effort to better passwords because they really don't want those to stick around at all and good for them. Password managers themselves are a bandaid on the fundamentally bad practice of using a symmetric factor for authentication.

↑