←back to thread

I read the federal government’s Zero-Trust Memo so you don’t have to

(www.bastionzero.com)
656 points EthanHeilman | 6 comments | 27 Jan 22 15:06 UTC | HN request time: 0.498s | source | bottom
Show context
staticassertion ◴[27 Jan 22 15:56 UTC] No.30102061[source]
This is pretty incredible. These aren't just good practices, they're the fairly bleeding edge best practices.

1. No more SMS and TOTP. FIDO2 tokens only.

2. No more unencrypted network traffic - including DNS, which is such a recent development and they're mandating it. Incredible.

3. Context aware authorization. So not just "can this user access this?" but attestation about device state! That's extremely cutting edge - almost no one does that today.

My hope is that this makes things more accessible. We do all of this today at my company, except where we can't - for example, a lot of our vendors don't offer FIDO2 2FA or webauthn, so we're stuck with TOTP.

replies(15): >>30103088 #>>30103131 #>>30103846 #>>30104022 #>>30104121 #>>30104716 #>>30104840 #>>30105344 #>>30106941 #>>30107798 #>>30108481 #>>30108567 #>>30108916 #>>30111757 #>>30112413 #
1. codemac ◴[27 Jan 22 21:25 UTC] No.30106941[source]
Google does 1, 2, and 3 internally. If you join https://landing.google.com/advancedprotection/ you can get something similar for personal public accounts.
replies(2): >>30109005 #>>30110761 #
2. withinboredom ◴[28 Jan 22 00:17 UTC] No.30109005[source]
I prefer to keep my email as dumbly secured as possible. I’ll never forget this one time I was on my sailboat with no cell service and only an open WiFi connection from shore. I couldn’t login to anything via sms auth. Same thing with FIDO keys when traveling. Lost luggage? No logging in for you until you get home to get your backup? Cut your finger while cooking? No logging in for you! Have to wear a face mask? No logging in for you!

To be clear, I don’t have a better solution. But all the second factor stuff is fundamentally broke when you are likely to need access to the service most.

replies(2): >>30109473 #>>30112608 #
3. tialaramex ◴[28 Jan 22 01:08 UTC] No.30109473[source]
So, I'm somebody who thinks about contingencies a lot and to my mind, there's just not a lot of gap between situations where you don't need credentials (e.g. satellite beacons don't care who you are) and where you don't have credentials (oh no, I lost all the gear) so it doesn't represent a big worry for me.

I don't want the consular officials to be unable to authenticate me in a foreign country because I lost my phone, or for my bank to be unable to release funds because I don't have their card or my Security Key, but I feel 100% OK with losing access to Gmail or Hacker News, or whatever for say a few days until I can secure replacement credentials.

4. staticassertion ◴[28 Jan 22 04:42 UTC] No.30110761[source]
My company is built on GSuite. We use APP and CAA for everything.
replies(1): >>30125129 #
5. philjohn ◴[28 Jan 22 09:44 UTC] No.30112608[source]
The SMS point is part of why moving to FIDO keys is a good idea - the NFC enabled ones work with modern smartphones and allow you to login.

As for lost luggage, I carry mine on my keychain, another one in the laptop itself (USB-C Yubikey) and one in my safe at home - if all three are ever destroyed or lost I also have backup codes available as password protected notes on several devices.

6. unixhero ◴[29 Jan 22 09:51 UTC] No.30125129[source]
What do you guys do?