I read the federal government’s Zero-Trust Memo so you don’t have to

(www.bastionzero.com)

656 points EthanHeilman | 1 comments | 27 Jan 22 15:06 UTC | HN request time: 0.209s | source

Show context

unethical_ban ◴[27 Jan 22 21:06 UTC] No.30106682[source]▶

TOTP is not going anywhere for much of the Internet. Hold on while I get a Yuibikey to my dad who thinks "folders can't be in other folders" because that's not how they work in real life.

TOTP is a great security enhancement, and while phishable, considerably raises the bar for an attacker.

The fact that TOTP is mentioned as a bad practice in this document is an indicator that this should not be considered a general best practices guide. It is a valid best practice guide for a particular use case and particular user base.

replies(3): >>30106810 #>>30106859 #>>30110488 #

tptacek ◴[27 Jan 22 21:19 UTC] No.30106859[source]▶

>>30106682 #

Yubikeys aren't the serious long-term alternative to TOTP; software keys embedded in phones are what we're going to end up with.

replies(2): >>30108684 #>>30118196 #

takumif ◴[28 Jan 22 18:04 UTC] No.30118196[source]▶

>>30106859 #

I have a newbie question: Can't we embed a hardware key into a phone, and that'd be just as good as a Yubikey? Do we already do this, or is there a reason why we don't?

replies(1): >>30123769 #

1. totony ◴[29 Jan 22 04:22 UTC] No.30123769[source]▶

>>30118196 #

Laptops can have smart cards so there's no reason a phone couldn't

↑