webauthn

[Michael Thomas <mike () mtcc com>]

I know it's a little tangential, but it's a huge operational issue for 
network operations too. Have any NANOG folks been paying attention to 
webauthn? i didn't know about until yesterday, though i wrote a proof of 
concept of something that looks a lot like webauthn in 2012. The thing 
that is kind of concerning to me is that there seems to be some amount 
of misconception (I hope!) that you need hardware or biometric or some 
non-password based authentication on the user device in the many write 
ups i've been reading. i sure hope that misconception doesn't take hold 
because there is nothing wrong with *local* password based 
authentication to unlock your credentials. i fear that if the 
misconception takes hold, it will cause the entire effort to tank. the 
issue with passwords is transmitting them over the wire, first and 
foremost. strong *local* passwords that unlock functionality is still 
perfectly fine for many many applications, IMO.

Which isn't to say that hardware/biometric is bad, it's just to say that 
they are separable problems with their own set of tradeoffs. NANOG folks 
sound like prime examples of who should be using 2 factor, etc. But we 
don't want to discourage, oh say, Epicurious to implement webauthn to 
get to my super-secret recipe box because they don't think people will 
buy id dongles.

Mike