mystes
May 31, 2006

Maybe they should have a backup biometric method instead? They could call it windows hello. ... well you get the idea


Shaggar
Apr 26, 2006

Jabor posted:

If your threat model includes "a hit team monitors you for weeks, then breaks into your house to steal your laptop", I'm not sure a security key is going to save you.

if you never leave your house it's probably not a problem, but if you work in an office or you have some kind of portable computer there's a risk you don't have complete physical control over your workstation at all times.

Jabor
Jul 16, 2010

#1 Loser at SpaceChem
You might not have complete physical control over the computer, but don't worry, you definitely have complete control over the security key that permanently occupies one of its usb ports!

mystes
May 31, 2006

The security keys that people are talking about for os authentication now all of a sudden are just fido2 keys right? I haven't actually been paying attention but would be slightly annoyed if there's a new standard again.

Shaggar
Apr 26, 2006

Jabor posted:

You might not have complete physical control over the computer, but don't worry, you definitely have complete control over the security key that permanently occupies one of its usb ports!

yeah, honestly i don't really like those either. i would prefer either complex passwords with as-needed-MFA (with an external device that uses biometrics) or biometrics built into the device

mystes
May 31, 2006

Shaggar posted:

yeah, honestly i don't really like those either. i would prefer either complex passwords with as-needed-MFA (with an external device that uses biometrics) or biometrics built into the device
I think yubikey has a fido2 key with a built in fingerprint reader which seems like a good idea

cinci zoo sniper
Mar 15, 2013

mystes posted:

The security keys that people are talking about for os authentication now all of a sudden are just fido2 keys right? I haven't actually been paying attention but would be slightly annoyed if there's a new standard again.

iirc feds have their own special thing for this, but that might be just the card as a form factor and still using fido2 inside. normal people and private sector should still be using the same old fido2 yes

Shaggar
Apr 26, 2006

mystes posted:

I think yubikey has a fido2 key with a built in fingerprint reader which seems like a good idea

yeah that would be pretty good imo

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug
Pillbug

cinci zoo sniper posted:

iirc feds have their own special thing for this, but that might be just the card as a form factor and still using fido2 inside. normal people and private sector should still be using the same old fido2 yes

CAC Cards are one form, yes.

Shaggar posted:

yeah, honestly i don't really like those either. i would prefer either complex passwords with as-needed-MFA (with an external device that uses biometrics) or biometrics built into the device

This has been an annoyance; it seems like it'd be easy to add AzureAD Token MFA to AD logon and add a simple two factor. Seems like they've chosen to make it harder.

Shaggar
Apr 26, 2006
I bet if you're using Azure AD join in windows and not local domain join you can probably use some of the access rules to require azure ad MFA for os login

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.

Sickening posted:

We are all friends here but some of you really are talking out of your rear end about some topics you don't seem to understand lmao.

would you mind sharing? it's not your job to educate us, but i literally read this thread to learn, so it'd be appreciated

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.

Shaggar posted:

I bet if you're using Azure AD join in windows and not local domain join you can probably use some of the access rules to require azure ad MFA for os login

azure mfa requires an internet connection though, so there are some definite limitations if you need to be able to use the device offline, ever

DELETE CASCADE
Oct 25, 2017

i haven't washed my penis since i jerked it to a photograph of george w. bush in 2003
all password input systems should require clicking with a mouse on virtual keyboard buttons a la treasurydirect

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
the location of the buttons should be randomized too

not for security, just to make it absolutely clear how much you hate your users

Buck Turgidson
Feb 6, 2011

𓀬𓀠𓀟𓀡𓀢𓀣𓀤𓀥𓀞𓀬
I'm currently beta testing libpam support for USB-D penile authentication. It's been really solid experience so far. Difficult on some of the colder days (dongle detection can be flaky) and it can take a couple minutes to log in sometimes if you're always locking your workstation, but overall I'd recommend it

redleader
Aug 18, 2005

Engage according to operational parameters
when did we decide that biometrics are good, actually?

outhole surfer
Mar 18, 2003

cinci zoo sniper posted:

iirc feds have their own special thing for this, but that might be just the card as a form factor and still using fido2 inside. normal people and private sector should still be using the same old fido2 yes

feds have a whole suite of things for this. cac is department of defense, piv is general federal employees, and piv-i is for non-employees that need to interact with piv auth systems. these are all primarily pkcs11 based when it comes to using them for auth on a computer, and are incompatible with fido

separately there exist fips versions of hardware tokens like yubikeys. these *can* support fido2, but the required enrollment process depends on the level of assurance required for the token, and can be wonky (i.e. require in person presentation of identity documents)

https://ldapwiki.com/wiki/Level%20Of%20Assurance

loa has nothing to do with the hardware itself, but the processes in which the hardware is used.

tl;dr: NIST 800-63

sb hermit
Dec 13, 2016

redleader posted:

when did we decide that biometrics are good, actually?

we did?

sb hermit
Dec 13, 2016

infernal machines posted:

i literally read this thread to learn

lol

sb hermit
Dec 13, 2016

I would actually have less of a problem with PIN numbers or whatever if Windows had built-in two-factor FIDO2 or U2F authentication with yubikeys and phones instead of just using a less secure password.

sb hermit
Dec 13, 2016

by the way, I am looking at all of this through the lens of my dad with windows 10 home or whatever

azure ad mfa supports fido2, I think

Dr_0ctag0n
Apr 25, 2015

The whole human race
sentenced
to
burn
For what it's worth, the Windows hello/yubikey "PIN" is actually a password, it's not just a series of numbers so the name is misleading.

It does let you enter incredibly simple 4-character pins though and most people probably would when prompted to create a "PIN".

It's also super easy to add yubikey natively to 365 accounts in the sign in options. You just click the options below the login screen, choose key, type "PIN" then touch yubikey and choose account if you have multiple stored on the key.

Dr_0ctag0n fucked around with this message at 06:50 on Dec 22, 2022
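Added example, not code from the thread or from Microsoft: a PowerShell audit of the Windows Hello for Business PIN policy on a machine, to show the defender's side of the point above (the "PIN" is a password, and without a policy Windows accepts a 4-character one). It assumes the registry location and value names that Group Policy / the PassportForWork CSP write PIN complexity settings to (`HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity`, with `MinimumPINLength`, `LowercaseLetters`, etc.); verify that path on your own build before relying on it. The 8-character baseline and the function names are my own choices.

```powershell
# Added example (not from the thread). Audits, and optionally hardens, the
# Windows Hello for Business PIN complexity policy.
# Assumption: this is the registry path Group Policy / the PassportForWork CSP
# use for PIN complexity settings. Verify on your own build.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'

function Get-HelloPinPolicy {
    param([string]$Path = $policyPath)
    # $null means "not configured", i.e. Windows defaults apply
    # (the default minimum PIN length is 4 characters).
    $settings = [ordered]@{
        MinimumPINLength  = $null
        MaximumPINLength  = $null
        Digits            = $null   # assumed encoding: 1 = required, 2 = not allowed
        LowercaseLetters  = $null
        UppercaseLetters  = $null
        SpecialCharacters = $null
    }
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path
        foreach ($name in @($settings.Keys)) {
            if ($null -ne $item.$name) { $settings[$name] = [int]$item.$name }
        }
    }
    [pscustomobject]$settings
}

function Test-HelloPinPolicy {
    # Returns a list of findings; an empty list means the baseline is met.
    param([pscustomobject]$Policy, [int]$RequiredMinLength = 8)
    $findings = @()
    if ($null -eq $Policy.MinimumPINLength) {
        $findings += "MinimumPINLength not configured: Windows default allows 4-character PINs"
    } elseif ($Policy.MinimumPINLength -lt $RequiredMinLength) {
        $findings += "MinimumPINLength is $($Policy.MinimumPINLength), below the baseline of $RequiredMinLength"
    }
    $classes = 'LowercaseLetters', 'UppercaseLetters', 'SpecialCharacters'
    $requiredClasses = @($classes | Where-Object { $Policy.$_ -eq 1 })
    if ($requiredClasses.Count -eq 0) {
        $findings += "No non-digit character class is required: users can pick an all-digit PIN"
    }
    return ,$findings
}

function Set-HelloPinPolicy {
    # Hardened setting beside the weak default: enforce a minimum length and
    # require at least one lowercase letter. Needs an elevated prompt.
    param([int]$MinimumLength = 8, [switch]$RequireLetters)
    if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force | Out-Null }
    New-ItemProperty -Path $policyPath -Name 'MinimumPINLength' -PropertyType DWord `
        -Value $MinimumLength -Force | Out-Null
    if ($RequireLetters) {
        New-ItemProperty -Path $policyPath -Name 'LowercaseLetters' -PropertyType DWord `
            -Value 1 -Force | Out-Null
    }
}

# Usage: audit first, harden only if you are the admin of the box.
$policy = Get-HelloPinPolicy
$policy | Format-List
$findings = Test-HelloPinPolicy -Policy $policy
if ($findings.Count -eq 0) { 'PIN policy meets the baseline' } else { $findings }
# Set-HelloPinPolicy -MinimumLength 8 -RequireLetters
```

The audit reads only; the hardening function is commented out in the usage block because it writes machine policy and a user must re-enrol a PIN that no longer meets the new rules. Settings pushed by Intune or a domain GPO will overwrite anything set locally, so the audit is the part to schedule, not the set.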

rjmccall
Sep 7, 2007

no worries friend
Fun Shoe
worse than that, the name encourages people to specifically reuse their banking pin, because that’s what most people think of as their pin

i am positive that is what my dad would do (if he had a password on his computer at all)

post hole digger
Mar 21, 2011

Buck Turgidson posted:

I'm currently beta testing libpam support for USB-D penile authentication. It's been really solid experience so far. Difficult on some of the colder days (dongle detection can be flaky) and it can take a couple minutes to log in sometimes if you're always locking your workstation, but overall I'd recommend it

buddy if the concern about pins was insufficient length that sure ain’t gonna work either.

Kazinsal
Dec 13, 2011

post hole digger posted:

buddy if the concern about pins was insufficient length that sure ain’t gonna work either.

yeah libpam_sounding has strict requirements that must be adhered to for a successful authentication

Carbon dioxide
Oct 9, 2012

I haven't heard this one before.

Crypto scams on the job market.

https://www.linkedin.com/feed/update/urn:li:activity:7011049036350668800

~Coxy
Dec 9, 2003

R.I.P. Inter-OS Sass - b.2000AD d.2003AD

Cybernetic Vermin posted:

either way my org has configured everything to require full auth on everything, so doing it 50 times a day you can walk up to me in the street, say "no", and hold up a hand-scrawled two-digit number, and i will have entered it in authenticator before reflecting on anything.

I like how the solution to MFA fatigue is not fixing the MFA system, it's forcing the user to go through ever more byzantine activities to perform the same number of MFAs.
One day when I'm bored I'm going to count how many MFAs I have to do.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Carbon dioxide posted:

I haven't heard this one before.

Crypto scams on the job market.

https://www.linkedin.com/feed/update/urn:li:activity:7011049036350668800

I wouldn't even call this a crypto scam, this is just a regular "WORK FROM HOME!!!! $366K PER MONTH!!!! BE YOU'RE OWN BOSS" scam where they use you as a money mule or as an outright mark. Crypto companies being shady as gently caress is the only real wrinkle here.

Soricidus
Oct 21, 2010
freedom-hating statist shill

Buck Turgidson posted:

I'm currently beta testing libpam support for USB-D penile authentication.

nudgenudgetilt posted:

feds have a whole suite of things for this. […] piv is general federal employees

this is all taking security fucks far too literally

Shaggar
Apr 26, 2006

rjmccall posted:

worse than that, the name encourages people to specifically reuse their banking pin, because that’s what most people think of as their pin

i am positive that is what my dad would do (if he had a password on his computer at all)

this isn't a defect, it's literally intentional. they want people to think of PINs as reusable easy to remember passwords because that's what they are. The second you make them non-simple, they become actual passwords and now you just have 2 passwords for no reason. PINs are bad.

Shaggar
Apr 26, 2006

~Coxy posted:

I like how the solution to MFA fatigue is not fixing the MFA system, it's forcing the user to go through ever more byzantine activities to perform the same number of MFAs.
One day when I'm bored I'm going to count how many MFAs I have to do.

i do 1 or 2 a day, mostly just when i get on the VPN.

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.

imo, you can learn almost as much from terrible advice as you can from good, as long as you can distinguish the two

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug
Pillbug
Pins themselves are not a great solution, ideally using Multifactor Tokens as randomized, ever changing pins would make far more sense, not to mention completing the idea of MFA - Your password is a token that must be generated on a device that you control that is not your actual computer.

champagne posting
Apr 5, 2006

YOU ARE A BRAIN
IN A BUNKER

CommieGIR posted:

Pins themselves are not a great solution, ideally using Multifactor Tokens as randomized, ever changing pins would make far more sense, not to mention completing the idea of MFA - Your password is a token that must be generated on a device that you control that is not your actual computer.

I worked in a place that was almost there. Except handing out mfa devices and enrolling them takes time and money so they just had a program on the computer to generate the tokens.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug
Pillbug

champagne posting posted:

I worked in a place that was almost there. Except handing out mfa devices and enrolling them takes time and money so they just had a program on the computer to generate the tokens.

Literally defeating the purpose of a separate token, lol.

My current company was doing that when I joined, I quickly had them roll back on-machine MFA apps, pointing out that it basically destroyed the entire purpose of having MFA if an attacker who had gained access to a machine could just... generate a token on the machine.

We also demonstrated the folly as part of our first Red Team exercise.

CommieGIR fucked around with this message at 15:39 on Dec 22, 2022

sb hermit
Dec 13, 2016

infernal machines posted:

imo, you can learn almost as much from terrible advice as you can from good, as long as you can distinguish the two

yeah, this thread is unironically full of gold

RFC2324
Jun 7, 2012

http 418

sb hermit posted:

yeah, this thread is unironically full of gold

It has certainly made me look poo poo up

Also gives me fodder to use to gently caress with my company security team

SlowBloke
Aug 14, 2017
Word of advice, the fingerprint yubikey requires a pin to be selected during enrollment so that if the fingerprint is not viable you can still use it. Most people we've seen use it had stupid simple pins on those since "they always use fingerprints", so they were actually worse than WHfB.

Zamujasa
Oct 27, 2010

Bread Liar
all this authentication is a real pain in the assword if you ask me


Truga
May 4, 2014
Lipstick Apathy
when do we get OTPs that you have to make up yourself every time
