codedokode 4 days ago

Why doesn't everyone working with the government use hardware keys without passwords, so that phishing is useless?

ac29 4 days ago | parent | next [-]

I know some people in the US government who definitely need a hardware key to access computing resources including email. They work for the Dept of the Interior on science stuff, nothing related to national security or otherwise sensitive info.

They mentioned this was a pain in the ass, and a very weird restriction since technically any member of the public can ask for a copy of their emails via FOIA.

sulandor 3 days ago | parent [-]

sounds like the primary goal was better attestation

mr_toad 4 days ago | parent | prev | next [-]

A lot of legacy tech doesn’t support hardware keys. Last government job I had still ran an old SVN server with unencrypted username/password auth (relying on the VPN for security).

alt227 4 days ago | parent | prev | next [-]

Surely people can still phish for the user to insert their hardware key to approve something malicious?

4 days ago | parent | next [-]
[deleted]
kbrkbr 4 days ago | parent | prev | next [-]

What is phishing resistant MFA? - https://www.sans.org/blog/what-is-phishing-resistant-mfa

alt227 3 days ago | parent [-]

Exactly. 'Resistant' not 'impenetrable'.

The article itself says that 100% phishing resistance is impossible. So I stand by my argument that if you give an idiot a Yubikey, it still doesn't save them from themselves.

> Does this technology eliminate all risk? No. As this becomes widely deployed new attacks will be developed, but it will be MUCH harder for the cyber attacker.

> FIDO is extremely resistant to phishing attacks but adopting FIDO does not mean your organization is secure against phishing.

codedokode 4 days ago | parent | prev [-]

Hardware keys (unlike humans) usually check page URL and do not send the data stored by another domain.
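
The origin binding described in this comment, and the reason the "just phish the user into tapping the key" scenario raised earlier in the thread fails, can be shown with a small model of the WebAuthn assertion flow. This is an added example, not code from the thread or from any FIDO implementation: the hostnames, challenge bytes and the toy "browser/authenticator" are constructed for illustration, and the authenticator's signature over the response is left out so the focus stays on the origin and RP ID checks.

```python
"""
Added example (not from the thread): a minimal model of WebAuthn/FIDO2
origin binding. The browser, not the user or the page, tells the
authenticator which relying-party ID (RP ID) the page belongs to, and the
authenticator's response carries SHA-256(RP ID) in its first 32 bytes.
The relying party (RP) checks both the origin in clientDataJSON and that
hash, so an assertion produced on a look-alike domain is rejected.

Hostnames, challenge bytes and the toy browser/authenticator are constructed.
Real authenticators also sign authenticatorData || SHA-256(clientDataJSON);
that signature step is omitted here.
"""
import base64
import hashlib
import json
import os
from typing import Dict, Tuple
from urllib.parse import urlparse

RP_ID = "login.example.gov"              # constructed relying-party ID
RP_ORIGIN = "https://login.example.gov"  # the only origin the RP accepts


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def browser_get_assertion(page_origin: str, challenge: bytes) -> Dict[str, bytes]:
    """Model of what the browser returns for navigator.credentials.get().

    The browser derives the RP ID from the page's real origin (its host),
    so a page served from a phishing domain cannot claim the genuine one.
    """
    effective_domain = urlparse(page_origin).hostname
    client_data = {
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
    }
    client_data_json = json.dumps(client_data).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (0x01 = user present)
    # || signCount (4 bytes, big-endian)
    rp_id_hash = hashlib.sha256(effective_domain.encode()).digest()
    authenticator_data = rp_id_hash + b"\x01" + (0).to_bytes(4, "big")
    return {"clientDataJSON": client_data_json, "authenticatorData": authenticator_data}


def rp_verify_assertion(assertion: Dict[str, bytes], expected_challenge: bytes) -> Tuple[bool, str]:
    """Relying-party side: the origin/RP ID checks from WebAuthn assertion verification."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if assertion["authenticatorData"][:32] != expected_hash:
        return False, "rpIdHash mismatch: response scoped to another domain"
    if not assertion["authenticatorData"][32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def login_attempt(page_origin: str) -> Tuple[bool, str]:
    """Full ceremony: RP issues a fresh challenge, browser on page_origin answers it."""
    challenge = os.urandom(32)
    assertion = browser_get_assertion(page_origin, challenge)
    return rp_verify_assertion(assertion, challenge)


def relayed_with_rewritten_origin(phish_origin: str) -> Tuple[bool, str]:
    """A relay that edits clientDataJSON to claim the genuine origin still
    fails, because rpIdHash was computed by the authenticator from the real
    domain (and in a real flow the signature would no longer verify either)."""
    challenge = os.urandom(32)
    assertion = browser_get_assertion(phish_origin, challenge)
    client_data = json.loads(assertion["clientDataJSON"])
    client_data["origin"] = RP_ORIGIN
    assertion["clientDataJSON"] = json.dumps(client_data).encode()
    return rp_verify_assertion(assertion, challenge)


if __name__ == "__main__":
    print(login_attempt("https://login.example.gov"))
    print(login_attempt("https://login.example-gov.com"))
    print(relayed_with_rewritten_origin("https://login.example-gov.com"))
```

Running it shows the genuine origin passing, the look-alike origin rejected on the origin check, and the rewritten-origin relay rejected on the rpIdHash check. The user's tap on the key is the same in all three cases; what differs is data the browser and authenticator fill in and the user never sees, which is why the failure mode is "the user approved something on the wrong site" rather than "the user's credential leaked".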

bornfreddy 4 days ago | parent | prev [-]

Because hardware keys are so 2000 - we have apps now. With Play Protect Premium Enterprise to make sure the phone is secure. /s