We use a simple lock to protect some important keys.

Saved private keys are stored somewhere for SSH "to use it automatically".
Users have to secure their device / app to avoid unauthorized access.

No matter whether a password, fingerprint, or iris is used to open some locally stored key,
this is only available if most of the users have the "input device".

Besides how to secure data and the connection,
the service provider has to think about how users could change their devices without technical help,
and how to ensure that it is a real user.

The current accepted solution is a password, additionally with OTP.
🤔

12 minutes ago, flashang said:

Saved private keys are stored somewhere for SSH "to use it automatically".
Users have to secure their device / app to avoid unauthorized access.

Yup.. This is essential for the users.. However.. this is something that users have to think about themselves..
How can they secure their device/app? The simplest solution was to use an antivirus/something similar.

The best was for them to practice "OpSec".

14 minutes ago, flashang said:

fingerprint, iris

I know that this does seem convenient for most people.. However.., using this information.., from my point of view.., is not that good; it poses some ethical questions and has some drawbacks.. Like what we have seen recently with US devices with biometric locks left behind in Afghanistan.

16 minutes ago, flashang said:

and how to ensure that it is a real user.

That's why I said .. it's a pick-your-poison solution .. if there are no real personal/private credentials involved.. it is safe to say we can't know that it is a real user. This is also the problem that PKI intends to solve, or we can try to mimic how Signal does things between 2 users; these 2 options don't exist in what I was trying to do.. Users can pick security .. but not privacy, and vice versa.

31 minutes ago, flashang said:

the service provider has to think about how users could change their devices without technical help,

This is something I am working on at the moment.., to be honest my application is not that friendly to the public. I can do something to make it more friendly.. At the end of the day.., learning the application will still be a difficult learning process.

19 minutes ago, flashang said:

The current accepted solution is a password, additionally with OTP.

I won't argue with that, as I believe it's true. Passwords can also allow for both account/data recovery. To further ensure it's the user, OTP can be used..

OTP and password.. I would believe that they are the most stable and effective solutions at the moment, as they involve the user's secret and credential. However.., I won't implement them by default, as what I am doing is aiming for post-data-leakage/breach security rather than pre-data-leakage/breach security (MFA, OTP, PKI fall under this category). There are exceptions of course.., if the users understand the risks and are able to accept the risks.. I will be providing OTP or private credential binding..

Throughout the conversation.., you might start to understand what I am trying to do.. there are no perfect solutions.. and there are no bad solutions either..
If the public is fine with stuff involving their secrets and credentials.. so be it.. I want to focus on post-data-leakage/breach security.
I don't want to keep on patching loopholes or security holes that are caused by users' secrets and credentials. However, what I am doing also has loopholes.

Based on my understanding.., the damage received by users will be reduced to the maximum potential if I do it the way I stated, as no secrets/credentials are involved..

We are not living in a utopian world; regardless of how one chooses.., there are always drawbacks.. Some experts on LinkedIn have started to research how to make passwords better (a Japanese security expert). I believe that what they are doing suits the public interest. I will take a look at that if it's possible.

@flashang I do think you clearly understand the risks and the pros of what I am doing. Do you mind helping me describe the drawbacks and cons of what I am doing and also describe the drawbacks and cons of what normal people do? 😂🤣

6 minutes ago, chrono_legionnaire said:

I do think you clearly understand the risks and the pros of what I am doing. Do you mind helping me describe the drawbacks and cons of what I am doing and also describe the drawbacks and cons of what normal people do? 😂🤣

Correction: Do you mind helping me describe the pros and cons of what I am doing and also describe the pros and cons of what normal people do?
