
656 points EthanHeilman | 1 comments
staticassertion No.30102061
This is pretty incredible. These aren't just good practices, they're the fairly bleeding edge best practices.

1. No more SMS and TOTP. FIDO2 tokens only.

2. No more unencrypted network traffic - including DNS, which is such a recent development and they're mandating it. Incredible.

3. Context aware authorization. So not just "can this user access this?" but attestation about device state! That's extremely cutting edge - almost no one does that today.

My hope is that this makes things more accessible. We do all of this today at my company, except where we can't - for example, a lot of our vendors don't offer FIDO2 2FA or webauthn, so we're stuck with TOTP.

replies(15): >>30103088 #>>30103131 #>>30103846 #>>30104022 #>>30104121 #>>30104716 #>>30104840 #>>30105344 #>>30106941 #>>30107798 #>>30108481 #>>30108567 #>>30108916 #>>30111757 #>>30112413 #
meepmorp No.30103846
Also, “Password policies must not require use of special characters or regular rotation.”

They even call out the fact that it's a proven bad practice that leads to weaker passwords - and such policies must be gone from government systems in 1 year from publication of the memo. It's delightful.

replies(5): >>30104317 #>>30104644 #>>30104914 #>>30106431 #>>30108010 #
atuladhar No.30104644
Somewhat unrelated, but hopefully this also means TreasuryDirect will get rid of its archaic graphical keyboard that disables the usage of password managers.

(Graphical keyboards are an old technique to try to defeat key loggers. A frequent side effect of a site using a graphical keyboard is that the developer has to make the password input field un-editable directly, which prevents password managers from working, unless you use a user script to make the field editable again.)

replies(1): >>30104677 #
tbirdz No.30104677
Just saying this in case it will help you. For treasurydirect, you can use inspect element and change the value="" field on the password element, and paste in your password from your password manager. It's not as convenient as autofill from your password manager, but it sure beats using the graphical keyboard.
replies(1): >>30178670 #
atuladhar No.30178670
Thanks! That would definitely be a way to do it. I was hinting at something similar by saying "unless you use a user script to make the field editable again". You could also run a bookmarklet that makes the input editable using JavaScript, and then use the password manager. But it's a pain in any case if you're using the site on a mobile device.