22 Jun
2012
22 Jun
'12
10:24 a.m.
I used the example I did based on YubiKey, I own one and use it on a regular basis. The real issue I am trying to make is the fact that even in the scenario I placed forward it still requires trust. Trust of a person or trust of a company. This reminds me of a quote: Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. - Albert Einstein By no means am I saying any of us, or the majority of the world is stupid or uneducated. However, the inherent nature behind trust is just that, relying on some sort of other party is the weak link here. It only takes a single person who has a bad day, or just wants to slack off for that day, to create a vulnerability in any password, key, encryption, or authentication process hundreds if not thousands of people work so hard to solve. While I used YubiKey as my original example, and use it on a regular basis, it still has its downfalls. It cannot be used with Active Sync, so ultimately you can not use it for your Active Directory log in because of a small thing called Exchange. There have been other areas were YubiKey has failed but not by it's design, but by the design of the application itself. How can any of our solutions over come the human factor? -- - Robert Miller (arch3angel) On 6/21/12 10:53 PM, Christopher Morrow wrote: > On Thu, Jun 21, 2012 at 10:48 PM, Randy Bush <randy@psg.com> wrote: >>> That's basically the Yubikey. It uses a shared key, but since you're >>> relying on a trusted third party anyway >> there are no trustable third parties > note that yubico has models of auth that include: > 1) using a third party > 2) making your own party > 3) HOTP on token > 4) NFC > > they are a good company, trying to do the right thing(s)... They also > don't necessarily want you to be stuck in the 'get your answer from > another' > > -chris