Here is the text of the NIST sp800-63b Digital Identity Guidelines.

  • TBi@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    2 months ago

    My company blocked ssh keys in favour of password + 2FA. Honestly I don’t mind the 2FA since we use yubikeys, but wouldn’t ssh key + 2FA be better?

    • jj4211@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      2 months ago

      All well and good when ssh activity is anchored in a human doing interactive stuff, but not as helpful when there’s a lot of headless automation that has to get from point a to point b.

    • JasonDJ@lemmy.zip
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      2 months ago

      Just store your keys on the yubikey. Problem solved.

      Or use a smart card profile and go that route.

    • dan@upvote.au
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      2 months ago

      We use keys + Yubikey 2FA (the long alphanumeric strings when you touch the Yubikey) at work, alhough they want to move all 2FA to Yubikey FIDO2/WebAuthn in the future since regular numeric/text 2FA codes are vulnerable to phishing. All our internal webapps already require FIDO2, as does our email (Microsoft 365).