"password re-use across an environment is endemic..." What is the solution against this? I just can't identify with the "D’OH!". People want to get their work done. They will use whatever gets the job done. If there is an easier, better way they will use that. So how can we provide them systems where the easier, better way is also safer? What is the current best practice in this area?
A simple password or a PIN code does mitigate quick attacks of opportunity using a lost or stolen physical factor; and it adds non-repudiation if someone uses someone else's token - you can't just say "oh we must have accidentally swapped our cards at lunch" if you had to enter their PIN as well.
Given the existing password hygiene, I think it's more likely that any new PIN or password would be treated in the same manner as the existing ones, and would just be an additional hassle.
I would love to know this as well. The rise of 2FA has made everything more secure for sure, but it has made usability plummet like a rock on Jupiter. Especially in a corporate environment where you have multiple layers of tokens, authenticators and passwords.
Password managers do help, but you still need to click and enter and copy paste many many times a day.
If only someone like apple / microsoft / google came up with a comprehensive solution to all this - as they seem to be the only entities big enough to shoulder such a monumental task.
I mean Apple sorta kinda does, but only for its own services. I have an Apple Watch, it knows that it's me and it's authenticated. The proximity with my laptop unlocks it automatically - so far so good, but why can’t I use the same thing for github/google/microsoft websites? Why can’t Safari send some sort of token through to then authenticate that it's me? I mean if you’re afraid it might be someone else at the computer - _check the damn watch proximity again_!
And if there’s a need for personas - sure but they are all still linked to me. I would imagine there could be like a system dialog where I choose which persona to send to a specific site/app.
/rant
I can't imagine 2FA on something like a ship at sea, that may or may not have a working uplink to high-latency satellite internet, and probably not the SMS that many 2FA providers use.
Which is why your second factor would be a physical key, authenticated locally. 2FA doesn't have to require internet access, it just needs two factors!
Security and access aren't separate concerns. They are opposite sides of the spectrum. Security reduces access. That is what it is designed to do. Anything that makes a system more accessible makes it less secure.
For some threat models, that is okay. Indeed, for many manufacturing machines, there is no need for a login screen -- it is simply something intrinsic to modern OS design.
In any case, I still find myself removing sticky notes on monitors with passwords. One time, I caught them mass-producing login credentials on Avery label sheets. I nearly lost it on the poor reception staff.
It would take some work, but I'd really love to have a password that, if entered, would trigger an alert (and maybe power off the machine or something). Then put that booby-trapped password on a bit of paper and stick it under your keyboard or wherever.
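As an added example that is not part of this thread, here is one way to implement the booby-trapped ("canary") password described above. It is constructed code, not any product's implementation: each account stores two salted PBKDF2 verifiers, one for the real password and one for the decoy that gets written on the paper under the keyboard. Both verifiers are always computed so a login attempt takes the same time either way, and a decoy match calls an alert hook (an assumed callback) where a SOC notification, account lockout or machine shutdown would be wired in.

```python
"""Canary-password check: a decoy credential that raises an alert when used.

Constructed example. Assumptions: PBKDF2-HMAC-SHA256 as the password hash,
an `alert` callback supplied by the caller, and an in-memory credential record.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, List

PBKDF2_ROUNDS = 100_000  # assumption: tune the work factor for your hardware


@dataclass
class Credential:
    username: str
    real_salt: bytes
    real_hash: bytes
    canary_salt: bytes
    canary_hash: bytes


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2; the decoy is stored exactly like the real secret so the
    credential store itself does not reveal which one is the trap."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(username: str, real_password: str, canary_password: str) -> Credential:
    """Create a record holding one real verifier and one canary verifier."""
    if real_password == canary_password:
        raise ValueError("the canary must differ from the real password")
    real_salt = os.urandom(16)
    canary_salt = os.urandom(16)
    return Credential(
        username=username,
        real_salt=real_salt,
        real_hash=_derive(real_password, real_salt),
        canary_salt=canary_salt,
        canary_hash=_derive(canary_password, canary_salt),
    )


def authenticate(cred: Credential, candidate: str, alert: Callable[[str], None]) -> str:
    """Return "ok", "canary" or "bad".

    Both verifiers are evaluated unconditionally and compared in constant time,
    so response timing does not tell an attacker whether a decoy exists or
    which branch matched. A canary hit is reported before any access decision.
    """
    real_ok = hmac.compare_digest(_derive(candidate, cred.real_salt), cred.real_hash)
    canary_ok = hmac.compare_digest(_derive(candidate, cred.canary_salt), cred.canary_hash)
    if canary_ok:
        # This is where a lockout, SIEM event or "power off the machine" hook belongs.
        alert(f"CANARY PASSWORD USED for {cred.username!r}: "
              "treat the written-down credential as found and the workstation as exposed")
        return "canary"
    if real_ok:
        return "ok"
    return "bad"


def demo() -> List[str]:
    """Enrol one constructed account and try the real, decoy and a wrong password."""
    alerts: List[str] = []
    cred = enroll("reception", "correct horse battery", "Spring2024!")  # constructed values
    outcomes = [
        authenticate(cred, "correct horse battery", alerts.append),
        authenticate(cred, "Spring2024!", alerts.append),
        authenticate(cred, "hunter2", alerts.append),
    ]
    return outcomes + alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The decoy only pays off if it looks like a plausible password for that account and is never used legitimately, so it should be enrolled by the security team rather than chosen by the user, and the alert path must not depend on the same machine staying up.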
One of the competitions in Hack the Machine[0] brings in a copy of the setup of the bridge[1] of a ship and you're allowed to attack in a lot of ways. It was impressive.
Information Technology (IT): “The entire spectrum of technologies for information processing, including software, hardware, communications technologies and related services. In general, IT does not include embedded technologies that do not generate data for enterprise use.”
Operational Technology (OT): “Is hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.”
Yes, think of OT as the device that connects sensors to actions: when this limit switch is tripped, that servo is activated. You may also want to know how many times each switch is activated, and the status of the servo, so the information gets sent over to IT for logging and display in an HMI.