frameset 9 days ago

To defend Redmond here, Entra is an enterprise system. If the company you work for or are interfacing with wants to enforce attestation, that's their business.

B2C I would expect more latitude on requiring attestation.

Zak 9 days ago | parent | next [-]

A problem is that once a thing like that exists, it ends up on security audit checklists and then people do it without knowing whether they have any reason to.

technion 9 days ago | parent | prev | next [-]

I would counter-argue, being the person pushing passkeys in an enterprise: no one in the business knows what attestation is, but we're going to do it because the interface recommends it.

jrockway 9 days ago | parent [-]

I'm not sure it's the standards committee's fault that your employer hires people that don't know how to do their job.

I think it's reasonable to have attestation for the corporate use case. If they're buying security devices from a certain vendor, it's reasonable for their server to check that the person pretending to be you at the other end is using one of those devices. It's an extra bit of confidence that you're actually you.

ori_b 9 days ago | parent | next [-]

It's the standards committee's job to design standards that are difficult to misuse.

raxxorraxor 3 days ago | parent | prev [-]

The most common fault of committees is that they overengineer processes and specs wander out of scope. The result is that users (dev & consumers) either neglect the bad parts or the spec doesn't get used at all.

clickety_clack 9 days ago | parent | prev | next [-]

Exactly. For personal authentication, you are at least personally incentivized to do the right things. For corporate auth, people will do whatever it takes to skip any kind of login.

I once knew a guy who refused to let his office computer go to sleep just to avoid having to enter his password to unlock his computer. He was a really senior guy too, so IT bent to allow him do this. What finally made him lock his computer was a colleague sending an email to all staff from his open outlook saying “Hi everyone, it’s my birthday today and I’m disappointed because hardly anyone has come by to wish me happy birthday”. The sheer mortification made him change his ways.

projektfu 9 days ago | parent | next [-]

A culture of harmlessly pranking computers left unlocked goes a long way. ThoughtWorks veterans know what I mean.

tonyhart7 9 days ago | parent | prev [-]

lol this is funny, why he didn't want to sign in more often tho???

clickety_clack 9 days ago | parent | next [-]

He was completely non-technical and I guess he figured that IT should be able to work the security system around him.

adam_hn 9 days ago | parent | prev [-]

The most common human trait ever.... laziness

eadmund 9 days ago | parent | prev [-]

Don’t put in place systems which encourage lock-in, even at the B2B level.

lmz 9 days ago | parent [-]

Aren't those usually used inside an enterprise vs B2B between enterprises?