eingfoan,

Newbie question: what is the best method for networks? I am playing around with a lab environment where I want good MFA inside but don't want it to connect to the internet. My current point of view is: I can not place there since it "needs" internet in many ways... right? My current way of thinking is I build a PKI into this network and use it with acting as a Smartcard but not or . Am I wrong? Are there better options?

GuillaumeRossolini,

@eingfoan
TOTP is a good bet
I posted my thoughts on this here
https://infosec.exchange/@GuillaumeRossolini/109967357709487723

GuillaumeRossolini,

@eingfoan
I don't see why you shouldn't be able to use FIDO2, though? Once the auth server is set up in your lab, that's the only thing the frontend will talk to

iamkale,

@GuillaumeRossolini @eingfoan This exactly. You need a server to verify the WebAuthn responses but that can be hosted internally. And you can easily restrict authenticator usage to "only approved models of security keys" for an added layer of security, depending on how far your threat modeling goes into assuming credentials map 1:1 to physical device or not.

(I offer this last point as a solution to going with WebAuthn now that passkeys (i.e. credentials syncing between people's phones by their iCloud/Google accounts) are on the scene. You can still easily get device binding of credentials with security keys.)

mikey,
@mikey@friendsofdesoto.social

@eingfoan If you have good time sync, TOTP is a good contender. After setup it requires no interaction.
