[Info-vax] OpenVMS x64 Atom project
Richard Maher
maher_rjSPAMLESS at hotmail.com
Mon Jun 7 22:40:21 EDT 2021
On 8/06/2021 3:12 am, Arne Vajhøj wrote:
> On 6/7/2021 2:11 PM, Dave Froble wrote:
>> On 6/7/2021 1:45 PM, Bill Gunshannon wrote:
>>> On 6/6/21 11:42 AM, Arne Vajhøj wrote:
>>>> It has now become public that the pipeline got hit because:
>>>> - a user had the same password at another site as for VPN to them
>>>> - that other site got compromised and the password database got
>>>>   stolen and cracked
>>>> - MFA not used
>>>>
>>>> Rather trivial, but a lot of breaches are considered trivial -
>>>> after the fact.
>>>
>>> As I have said before, the only breach we had when I was the
>>> administrator of the CS Department was one user account and that
>>> was because he used his department password for a WordPress
>>> account on the Web somewhere and we all know how good their
>>> security is.
>>>
>>> Humans are the biggest threat to IT Systems and, so far, no one
>>> has figured out how to patch them fix the problem.
>>
>> First, do away with passwords. Don't some phones now need a
>> fingerprint to access? Guess that data could be copied, and used.
>> Remote access is always an issue, and it just ain't going away.
>
> Finger print check and password check is not the same type of check.
>
> If you sit at your PC and login at a server 1000 miles away, then
> finger print may make sense for the PC to verify that you are who you
> are because the PC trusts itself, but finger print is just a long and
> fuzzy password for the server because it does not trust the PC.
>
FIDO2/WebAuthn uses a public/private key pair and not a long and fuzzy password.
It *is* supported by Google, Apple, Microsoft and a shit load of payment
providers.
As Hoff says, you still need to start with a username/password, but then
you use biometrics/PIN/YubiKey etc.
Unlike sessionless JWT, you can always force a password change or
cancel an account if the dongle is lost or the PIN/password is compromised.
> I believe current fashion in server side authentication is login with
> username + password + some MFA like using your phone (text message
> with code, app notification with code, app approval etc.).
Text messages are also being deprecated.
>
> Arne
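To make the "public/private key, not a fuzzy password" point concrete, here is an added sketch of the WebAuthn assertion ceremony (example code written for this page, not from the thread or from any FIDO library): the relying party issues a fresh random challenge, the authenticator signs authenticatorData || SHA-256(clientDataJSON) with its per-site ES256 key, and the server verifies against the stored public key plus the expected origin and challenge. The origin `https://rp.example`, the authenticator data and the clientDataJSON fields are constructed placeholders, and the struct is reduced to the fields the check needs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Constructed stand-in for the browser's clientDataJSON, reduced to the fields the server checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// signedMessage builds the FIDO2 assertion input, authenticatorData || SHA-256(clientDataJSON),
// digested once more because ES256 is ECDSA over a SHA-256 hash.
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Assert is the authenticator's half: sign with the per-site private key that never leaves the device.
func Assert(priv *ecdsa.PrivateKey, authData, clientDataJSON []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, clientDataJSON))
}

// Verify is the relying party's half. It stores only the public key, so a stolen credential
// database cannot be cracked into anything reusable, unlike the password database in the thread.
func Verify(pub *ecdsa.PublicKey, origin, challenge string, authData, clientDataJSON, sig []byte) bool {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != challenge || cd.Origin != origin {
		return false // malformed, wrong ceremony, stale or replayed challenge, or a phishing origin
	}
	return ecdsa.VerifyASN1(pub, signedMessage(authData, clientDataJSON), sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key pair created at registration
	nonce := make([]byte, 32)                                 // fresh random challenge per login attempt
	rand.Read(nonce)
	ch, authData := fmt.Sprintf("%x", nonce), []byte("constructed-authenticator-data")
	cdj, _ := json.Marshal(clientData{"webauthn.get", ch, "https://rp.example"})
	sig, _ := Assert(priv, authData, cdj)
	fmt.Println("genuine login accepted:", Verify(&priv.PublicKey, "https://rp.example", ch, authData, cdj, sig))
}
```

A replayed assertion fails because the server compares the challenge inside clientDataJSON against the one it issued for this attempt, and a phishing page fails the origin check even with a cooperative victim.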