656 points EthanHeilman | 3 comments
staticassertion | No.30102061
This is pretty incredible. These aren't just good practices, they're the fairly bleeding edge best practices.

1. No more SMS and TOTP. FIDO2 tokens only.

2. No more unencrypted network traffic - including DNS, which is such a recent development and they're mandating it. Incredible.

3. Context aware authorization. So not just "can this user access this?" but attestation about device state! That's extremely cutting edge - almost no one does that today.

My hope is that this makes things more accessible. We do all of this today at my company, except where we can't - for example, a lot of our vendors don't offer FIDO2 2FA or webauthn, so we're stuck with TOTP.

1. nextos | No.30105344
> 1. No more SMS and TOTP. FIDO2 tokens only.

SMS is bad due to MITM and SIM cloning. In the EU many banks still use smsTAN, and it leads to lots of security breaches. It's frustrating that some don't offer any alternatives.

However, is FIDO2 better than chipTAN or similar? I like simple airgapped 2FAs, but I'm not an expert.

2. tptacek | No.30105396
The major advantage of FIDO2 is that it's difficult to phish. SIM cloning is not the primary reason organizations are now advocating against SMS 2FA.
3. tialaramex | No.30109146
In particular [Thomas knows this, for anybody else reading], WebAuthn (the way you use FIDO for the web, U2F is a legacy system for doing the same thing that you should not use in greenfield deployments) recruits your web browser to defeat phishing.

When you use WebAuthn to sign into a site, the browser takes responsibility for determining which site you're on, cutting out the whole phishing problem of "Humans don't know which site it is". The browser isn't reading that GIF that says "Real Bank Secure Login" at the top of the page, or the title "Real Bank - Authenticate", or the part of the URL bar that says "/cgi-bin/login/secure/realbank/"; it is looking only at the hostname it just verified for TLS, which says fakebank.example.

So the browser tells your FIDO authenticator OK, we're signing in to fakebank.example - and that's never going to successfully steal your Real Bank credentials, because the correct name is cryptographically necessary for the credentials to work. This is so effective that crooks aren't likely to even bother attacking it.
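As an added illustration of the relying-party side of what tialaramex describes (example code, not from the thread): the hostname-bound values the browser fills in, the origin in clientDataJSON and the RP ID hash at the start of authenticatorData, are what the server checks, so an assertion produced on fakebank.example is rejected by realbank.example. The site names, challenge and minimal byte layout below are constructed for the example.

```python
import hashlib
import json

# Hypothetical relying-party checks for a WebAuthn "get" (sign-in) assertion, stdlib only.
# Signature verification over authenticatorData || sha256(clientDataJSON) is omitted here.

def rp_id_hash(rp_id):
    # authenticatorData begins with SHA-256 of the RP ID the browser passed to the authenticator
    return hashlib.sha256(rp_id.encode("ascii")).digest()

def build_authenticator_data(rp_id, counter, user_present=True):
    # Constructed minimal authenticatorData: rpIdHash (32) | flags (1) | signCount (4)
    flags = 0x01 if user_present else 0x00
    return rp_id_hash(rp_id) + bytes([flags]) + counter.to_bytes(4, "big")

def verify_assertion(expected_rp_id, expected_origin, expected_challenge,
                     client_data_json, authenticator_data):
    # Returns (accepted, reason). The browser, not the page, fills in origin and RP ID.
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch: %r" % client_data.get("origin")
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != rp_id_hash(expected_rp_id):
        return False, "rpIdHash does not match this relying party"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"

def demo():
    # Constructed sample ceremony for realbank.example, plus two phishing-shaped failures
    rp, origin, challenge = "realbank.example", "https://realbank.example", "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"
    genuine = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    phished = json.dumps({"type": "webauthn.get", "challenge": challenge,
                          "origin": "https://fakebank.example"}).encode()
    return {
        "genuine": verify_assertion(rp, origin, challenge, genuine, build_authenticator_data(rp, 7)),
        "relayed_from_fakebank": verify_assertion(rp, origin, challenge, phished, build_authenticator_data(rp, 7)),
        "signed_for_fakebank": verify_assertion(rp, origin, challenge, genuine,
                                                build_authenticator_data("fakebank.example", 7)),
    }
```

Run `demo()` to see the genuine ceremony accepted and both fakebank-derived ones rejected with the check that caught them.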