
> That includes even things like Yubikeys, which are things that can be cloned and stuck in a password manager. They're just really, really hard to clone, and that's a valid step up from "a password".

That's reductionist way past the point of being a useful model of authentication factors.

By that logic, even biometric factors are "something you know", as you can always (with a lot of effort) physically replicate a fingerprint/retina/genome you have a sufficiently high fidelity recording of.



> By that logic, even biometric factors are "something you know",

You clearly mean that as a reduction to absurdity, but, yes, I mean exactly that. Pretty much said so.

It is "reductionist" if you insist the only valid framework is "what you have/know/are", and you view what I'm saying as the intersection of what I'm actually saying and that model. I am claiming the have/know/are is reductionist, and to a large degree outright wrong, because it is focusing on the wrong thing. Look at it the way I'm looking at it and the authentication questions become richer and easier to understand.

Unfortunately, it also means that there are more things that are either hard or impossible than the have/know/are methodology promises, because two of the things that methodology promises effectively don't exist. (Unless you are controlling physical access, and willing to spend a lot of money on hardware and human verification of the correct use of the hardware.) But since I believe that is an accurate reflection of reality, blame reality, not the model.


I suppose then we have to agree to disagree.

While the "something you x" model has many limitations (and I practically disagree with some regulatory bodies on what does and does not constitute a "true" expression of one of these factors), I don't think that these limitations refute it in the abstract.



