hertg

@hertg@infosec.exchange

Opensource and Linux Enthusiast | OAuth2 and OpenID Proficient | Cybersecurity Curious | From 🇨🇭


hertg, to security

Question for the #identity and #authentication people.

For user accounts that have enabled multifactor authentication, how do you handle self-service password resets? On online platforms, it is usually possible to reset the password via email. I think that is fine for accounts that don't use multifactor authentication. But what if a user logs in with their phone number (they have no email, just the phone) and uses text messages as their second factor? Sending a password reset code via text message would be a bit stupid. This would mean that the user doesn't really have two-factor authentication if you can reset the first factor with the second factor.

I currently do not allow self-service password resets if a user has multifactor enabled. They are required to get in contact with customer support in that case. For our use case this is OK, but it's obviously not very user-friendly. However, I don't really see a solution for the case where the phone number is both the primary identifier and the second factor. I am interested in some thoughts on the topic.

#iam #openid #oauth2 #security

hertg, to Neoliberal

Elinor Ostrom, writing about some foundational assumptions of #neoliberal #economics. (Applying the tragedy of the commons, prisoner's dilemma, etc. to macroeconomics)

No, #privatization is not the solution to prevent degradation of common pool resources. Obviously.

But our politicians, education, and media corporations continue to listen to and perpetuate the bullshit of conservative think tanks and their so-called "experts", instead of actual economists.

Also, a previous post from @pluralistic comes to mind.

https://pluralistic.net/2023/05/04/analytical-democratic-theory

#politics #economy #ostrom

publicvoit, to passkeys German
@publicvoit@graz.social

#FIDO tokens: login without a smartphone
https://help.orf.at/stories/3222650/

#Passkeys are referenced here as well. I personally prefer #FIDO2 over passkeys when I already own a FIDO2 token anyway and don't want my passkey secret to be readable, which is not the case with FIDO2.

If you don't have a FIDO2 token, passkeys do have advantages, since (like FIDO2) they also protect against phishing

#IDAustria

hertg,

@publicvoit What do you mean by "and I don't want my passkey secret to be readable"?

hertg,

@publicvoit I'm not sure whether you might be confusing passkeys with something else. Passkeys are also FIDO2 credentials; only the public key is transmitted at sign-up, and a passkey has to be pre-registered as well.

What you probably mean is that you don't want to back up the passkey via an external service (1password, Apple Keychain), since those then sync the private key, right?

Generally, "passkey" refers to a FIDO2 credential that allows passwordless authentication, i.e. one that is discoverable (the exact definition is disputed); it is not defined by being synced with a cloud service. You can store a passkey locally on your Yubikey; it can't be read out from there either, and the secret key never leaves the hardware.

hertg, to random

When implementing #WebAuthn on an Identity Provider's side, where exactly should one draw the line between #SecurityKey and #Passkey? I see that most platforms make a distinction between those. Can anyone link me some article or blog post on this topic? If I were to implement security key and passkey support on a provider that does not yet support any WebAuthn, should I go down the same route?

My current assumption is that during passkey registration you'd set "residentKey = required" and "userVerification = required", whereas for a security key you'd set "residentKey = discouraged" and "userVerification = preferred".

Also, I'm assuming that a security key can also function as a form of #passwordless multi-factor authentication if UV was true during registration AND authentication. Obviously without the neat part of Passkeys where you don't have to manually enter the username.

#IAM #Authentication

hertg, to opensource

When I heard that Teleport is gonna change their license, I almost had an "aight, here we go again" moment after being fucked with by #Lightbend and #HashiCorp recently. Thankfully they switched to AGPL and not BSL (which I think stands for bullshit license).

The common tactics of companies "promoting #opensource" to gobble up a larger audience and then pull a bait and switch with the licensing seems to have caused me some serious PTSD.

https://goteleport.com/blog/teleport-oss-switches-to-agpl-v3/

samsteiner, to Switzerland German
@samsteiner@swiss.social

What do the people who vote for them expect to get out of it?

More security?

Not 10 million people in Switzerland, even though we need more?

No innovation comes from them, no new ideas, no impulses for the economy, no progress.

I don't understand what can be attractive about the people of yesterday. 🤔

hertg,

@samsteiner Could be because many Swiss would rather see the scapegoat in the out-group and don't want to accept any changes. The SVP simply delivers the easiest argument: the foreigners are to blame for EVERYTHING.

malwaretech, to random

The Paradox Of Intolerance
(And The Case For Leaving Twitter)

https://throwawayopinions.io/the-paradox-of-intolerance.html

hertg,

@malwaretech I agree for the most part. There is just one sentence in there, which isn't even about the main point of the post, that bothered me.

"Every single bit of science, every study, every paper, points toward immigration growing the economy, making life better for everyone."

I agree that immigration can benefit everyone, it's the reasoning that I dislike.

I do not believe that a "growing economy" makes life better for everyone, because that basically necessitates believing in trickle-down economics. And as long as we measure the economy in GDP, and as long as GDP is coupled to resource use, "the economy" is basically a measurement on how fast we are destroying our planet.

hertg, to random

@digiges I recently complained to BAKOM via their contact form that official channels of the Swiss government are run on the closed platform Twitter while there is no presence on open networks like the Fediverse.

As positive examples I mentioned Germany and the EU.

https://social.bund.de
https://social.network.europa.eu

I find it somewhat questionable that public channels of the federal government sit behind a Twitter login window today. Am I expected to set up a Twitter account and disclose my personal information to the tech corporation in order to view content from my government?

Do you at the Digitale Gesellschaft have this topic on your radar too?

hertg, to random

Question about implementation of . As I understand it, having a user login with passkey but without UV (User Verification) is not necessarily MFA as it could just be a stolen security key (Something you have).

How is (or should) with Passkeys implemented in practice? By setting UV as "required"? Or by setting UV as "preferred" and then based on the user response prompt for another factor (eg. ) in case there was no UV? I am a bit confused about how to fit Passkeys into the current logic.

mttaggart, to random

Thinking about ditching Docker Hub for GHCR. Anyone gone this route? Thoughts?

hertg,

@mttaggart I did that a while ago with a few private images. Had no problems whatsoever, just needed to point to ghcr.io and add the new credentials. Also about the MS background @jerry mentioned, I recently saw that codeberg (eg. gitea?) also supports uploading OCI images with their "packages" feature. Haven't tried it out tho and don't know about their resilience.
