South Africa On Lockdown - Coronavirus

So the South African president has just announced - full country lockdown from midnight this Thursday, 26th March (SAST).

If any of you have any work that needs to be done out here, please bear that in mind.

Mark.

And oh, it’s for 21 days…

Mark.

But also:

     "The categories of people who will be exempted from this lockdown
      are... those involved in the production, distribution and supply
      of... telecommunications services"

      https://www.cnbcafrica.com/news/2020/03/23/breaking-nationwide-lockdown-announced-in-south-africa/

I think most anyone on this list could be considered exempt.

I do hope the same will be true should our respective local and national
governments take similar action.

Yes, a number of "essential services" have been identified as needing to
continue to operate under special dispensation during the lockdown, and
telecoms falls within that.

The details of the implementation of the dispensation may be nuanced.
Experience will tell us more in the coming days.

Mark.

I don't know where people are about supporting VPN and one-time passwords on tokens.

At my workplace a few people don't have tokens (OTP - One Time Passwords). The reserve of these tokens has been exhausted. New ones are on order. Until then some people can't get on VPN.

Some people forgot their token on their desk and had to travel to the office to get it, which is not a good thing to do now.

Some (not sure) might have issues with syncing these devices. An OTP token has a certain clock skew, and a battery that lasts long. Hopefully one’s token has been synchronised recently and the battery is new. The length of time one can't go to the office might be anywhere between 21 days (announced) and 2 months (experience, e.g. Wuhan, still closed). Sometimes the syncing of the clock can be performed remotely, and some ‘coin’ batteries can be replaced by a person with skill and tools; one could be extracted from a quartz watch, for example.

An OTP device can be of many kinds. Some people keep OTPs on paper (I did some time ago). Some OTP devices are in a Japanese ‘tamagotchi’ format, others in a credit card format.

Alex, LF/HF 3

Software-based TOTP offers more security than no one-time passwords, but
admittedly less than physical tokens. Google Authenticator, Authy,
1Password and LastPass all support TOTP.

I’ve already been playing with YubiKeys, but sadly Google Titan wouldn’t work with Windows Hello.
Might be something I was doing wrong…

Hardware tokens are nothing more than dedicated hardware TOTP devices with perhaps a few additional parameters programmed at manufacturing time. Example, RSAID keyfobs are nothing more than TOTP generators with manufacturer programmed secrets and dedicated clock and display hardware with no external interface which permits access to the secret.

For some of my banks, OTP tokens are issued via their device apps. I
used to have physical key fobs for that; those are now gone.

Admittedly, not all of my banks have made the transition. On the other
hand, many of the banks have moved on to support Face ID and QR code
verification via device apps.

Not specific to VPN access management, but in the same vein.

Mark.

I think that’s the major sticky point. I would hope we could all agree on one thing, but that also leaves one entry point of failure. Hopefully we can all agree that FIDO2, OAUTH2, et al, will be a winner in the long run so everything can just use one simple authentication mechanism.

Both Fido and OAuth2 are inherently insecure.

While they may be better than nothing at all, they are only very slightly better than proper password selection and management.

I see no possible future outcome in which “one simple authentication mechanism” could ever be remotely close to reasonably secure.

I don't know about Fido, but i've been making that point about Oauth for a very long time. As a browser mechanism which implements a sandbox it's fine. But when you have apps that can reach out of the sandbox it is definitely not fine.

Mike

I guess I wasn’t as detailed as I should be: multi-factor authentication should hopefully have one standard which will work for everything. So we have an app on our phone to authenticate after a username/password which gives a 6-digit key, or we use a hardware-based key to sign an OTP. Really, either doesn’t matter, but trying to get end users to switch between each for every login is going to hamper acceptance on a large scale.

MailOps would probably be the best example, as the spam is generated simply from usually not having anything, because it’s just too difficult to implement.

How did 'Africa on lockdown' get sidetracked into OTP conversations?

Hi,

In my experience, yubikeys are not very secure. I know of someone in my team who would generate a few hundred tokens during a meeting and save the output in a text file. Then they’d have a small python script which was triggered by a hotkey on my macbook to push “keyboard” input. They did this because the org they were working for would make you use yubikey auth for pretty much everything, including updating a simple internal Jira ticket.

One of the things that got lost in the Webauthn stuff is that passwords per se are not bad. It's passwords being sent over the wire. In combination with reuse, that is the actual problem. Webauthn supposedly allows use of passwords to unlock a local credential store, but it is so heavily focused dongles that it's really hard to figure out for a normal website that just want to get rid of the burden of remote passwords.

Mike

This is not "yubikey is bad" so much as "the user using the yubikey is bad".
Admittedly perhaps "a new token every time" sucks, and that's what (I
think) Michael Thomas is saying below, but certainly the yubikey could
have been used for TOTP instead of HOTP and the user in question would
have been out of luck, right? :slight_smile:

Almost all security 'features' are a trade-off between: "get stuff
done" and "get stuff done with an extra hop", making the 'extra hop'
as simple and natural as possible makes people less likely to do dumb
things like:
  1) pregen a crapload of tokens, store them on their probably
compromised laptop...
  2) aim a webcam at their rsa token and watch the change remotely
  3) hot-dog and sipping-bird toy to touch the thingy on their yubikey
token every X seconds...

I don't see SKEY style OTP lists as inherently bad. "its how you do
it" which concerns me, not that it is done.

-G

This is an artifact of a poor implementation, not of a yubikey or any
other security. Yubikeys support MANY methods of authentication. I
have a number of them, a couple of them are set up for TOTP (using
yubico authenticator), FIDO (native), and use the GPG functionality
for ssh public key auth via agent. Pre-generating or replaying will
not work with any of those methods.

So saying "Yubikeys are not very secure" is very incorrect. The
specific deployment decisions weren't great in your specific case.
Any OTP system based on incrementing counters could be abused in this
manner if the OTP keys can be generated rapidly and saved. TOTP is
the common method for solving this with 2FA. Yubikeys also support a
number of challenge/response type authentications (which is
effectively what my GPG setup does, and what FIDO sort of does)
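The replay-versus-expiry point made above (pre-generated counter-based HOTP codes staying valid while time-based TOTP codes expire), together with the token clock-skew tolerance mentioned earlier in the thread, as an added example in Python that is not code from any poster; the secret is the RFC 4226/6238 test-vector key and all timestamps are constructed:

```python
# Added example (not code from any poster in this thread): HOTP (RFC 4226) and
# TOTP (RFC 6238) side by side, showing why pre-generated counter-based codes
# stay valid while time-based codes expire, and how a verifier tolerates clock
# skew. The secret is the RFC test-vector key; all timestamps are constructed.
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226/6238 test-vector key, demo only
STEP = 30  # TOTP time step in seconds

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int) -> str:
    """RFC 6238: HOTP whose counter is the number of STEP-second intervals."""
    return hotp(secret, now // STEP)

def verify_hotp(secret: bytes, code: str, last_counter: int, look_ahead: int = 10):
    """HOTP server check: any of the next `look_ahead` counters is accepted, so
    pre-generated codes work; used counters are rejected. Returns counter or None."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c), code):
            return c
    return None

def verify_totp(secret: bytes, code: str, now: int, skew_steps: int = 1) -> bool:
    """TOTP server check: accept +/- skew_steps around the current step to
    tolerate the token clock drift mentioned in the thread."""
    return any(hmac.compare_digest(totp(secret, now + d * STEP), code)
               for d in range(-skew_steps, skew_steps + 1))

def pregenerated_hotp_accepted(secret: bytes, how_many: int = 5) -> int:
    """'Generate codes in a meeting, submit later' against HOTP: stash codes for
    counters 1..how_many and submit them later. Returns how many were accepted."""
    stash = [hotp(secret, c) for c in range(1, how_many + 1)]
    last, accepted = 0, 0
    for code in stash:
        new = verify_hotp(secret, code, last)
        if new is not None:
            last, accepted = new, accepted + 1
    return accepted

def stale_totp_accepted(secret: bytes, generated_at: int, used_at: int) -> bool:
    """The same trick against TOTP: a code made at one time, submitted later."""
    return verify_totp(secret, totp(secret, generated_at), used_at)
```

With the look-ahead window, every stashed HOTP code is accepted in order, while a TOTP code is only accepted within one step of skew and is rejected ten minutes later.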