|
|
|
@ -0,0 +1,15 @@ |
|
|
|
|
# [MFA Isn't Moving](MFAIsntMoving.html) |
|
|
|
|
|
|
|
|
|
Clickbait Title: Stop trying to make MFA happen, it's not going to happen |
|
|
|
|
|
|
|
|
|
Authentication sucks. And computers suck at authentication. Shadow identities and conceptual identities are complicated. You can't put a person into a computer so identification of a person ends up being by proxy. We have a pretty standard set of proxies - a random number you can remember, a random number on a USB device or phone, and a random number made out of a scan of part of our body. We call these Something You Know, Something You Have, and Something You Are, because it's less depressing this way. We also use exceedingly larger amounts of math to make these numbers harder to guess, and harder to take out of their contexts. These values also get slippery - is your SSH key something you *have* or something you *know*? What about a password that's equivalently long and you store in a file on your computer? Despite their edge cases, it's pretty easy to distinct most of these however, so I wont get too caught up in the weeds. |
|
|
|
|
|
|
|
|
|
The important thing is that there's a lot of hatred of Something You Know credentials of late. This generally comes down to someone saying Passwords Are Dead or Passwords Should Die. This generally ends with a call for replacing them with Passkeys, in effect, replacing Something You Know with Something You Have. This almost entirely is justified with chain of custody around credentials. If people don't have passwords, they can't make weak passwords, they can't share passwords, and they can't write them down. This basically comes down to Something You Know being limited by the ease of sharing knowledge, and the limitations of forgetfulness. People make bad passwords. This is a true statement I don't want to argue against. |
|
|
|
|
|
|
|
|
|
Despite this, Something You Have has its own set of issues. If there's a shared build user, or an email address that manages support cases, or a user who manages network services, then you already don't have a 1:1 mapping between users and identities. As a sysadmin I might need to be several different identities - some of which do not represent me, but instead represent systems, people, and projects, and what I would rather do is to have access to admin rights and the tools to make the changes to other users without changing my assumed identity, but that's very rarely an option. If my build pipeline can only be invoked by the build user, and I need to become the build user to make that pipeline starts at a weird time. This means that I need credentials for that user. |
|
|
|
|
|
|
|
|
|
These alternate credentials are often managed by the idea of chain of custody. If you know what SSH key logged into the build user, you can map that to identities. But what if the system doesn't offer this. AWS only allows one root user, only allows one MFA token on that user. Now you need to manage that MFA credential. If you are in a situation with an AWS root user, then you need to have an MFA token, and pass it between people, having a specific yubikey that changes hands when people go on vacation, or when their shift as root ends. Lots of places I've seen refuse to put MFA on their AWS root account (this is not the place I work, but I've heard of the pattern). Similarily, I have BitBucket pipelines that need to pull repos, manipulate them, and then push them (the main things they're doing is changing versions), and I can't create tokens for that user without logging into it. This means I need to login to the build user sometimes, meaning that credentials need to exist for it, and I and others need them. Shared credentials are bad - but systems don't always give you a choice. |
|
|
|
|
|
|
|
|
|
Now, someone I envison could argue that "bad systems wont integrate passkeys" isn't important. Trying to improve the bad systems isn't important, we should improve the good systems. I don't agree. Security is only as strong as its weakest piece, so I think we should look at how we can reform passwords, improve passwords, and build a future where we accept these these things are needed. Something we can easily share, rotate, and move between peoples. We need to keep our authentications able to be fluid around identities, and accept this as a valid way of managing authentication. |
|
|
|
|
|
|
|
|
|
This isn't my last statement on this, this is just a first item. |