Biometry in general may be acceptable, but fingerprints should be considered weak protection, because you share that key with your environment all day, every day. Getting someone's fingerprint is *really* easy. If your phone gets stolen, chances are, the fingerprint needed to unlock it is right on there already.
And faking fingerprints is really easy, too.
https://www.theguardian.com/technology/2013/sep/22/apple-iphone-fingerprint-...
On 30.09.2017 at 20:21, Bryan Davis wrote:
On Sat, Sep 30, 2017 at 9:28 AM, Roy Smith roy@panix.com wrote:
What’s the current best practice for auth on ToolForge?
I have a passphrase on my public ssh key. I’ll be accessing toolforge from my MacBook which is protected with Apple’s Touch ID fingerprint scanner. I’ll be nailing up a tmux session.
So, most of the time, there will be an active ssh session into wfmlabs protected only by my fingerprint touch. If the ssh session goes down (i.e. reboot or network change), it’ll be a touch plus my ssh passphrase.
Is this considered an appropriate level of protection for this environment?
Having a strong passphrase on your private ssh key is recommended. Using an ssh-agent to hold your ssh key when decrypted is reasonable. Keeping an ssh session open via screen or tmux is acceptable. I would expect these three things to be in common use by a number of Toolforge / Cloud VPS users and administrators.
The only thing that is semi-unique about the setup you describe is the use of biometric auth for unlocking your laptop. I don't see that that makes your key handling practices inherently weaker (or stronger) than having a passphrase for unlocking.
Bryan
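The practices Bryan lists (passphrase on the key, ssh-agent holding the decrypted key, a long-lived tmux session) make the unlocked laptop the trust boundary, so the settings that decide what an agent will do matter. The script below is an added example and is not code from this thread or from Toolforge; it lints an ssh_config for two agent-related settings that widen that boundary (agent forwarding, and keys loaded into the agent silently and without a lifetime) and writes a weak and a hardened config side by side. The file names, the finding messages and the two sample configs are constructed here; the option names and values are standard OpenSSH ones.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes POSIX sh and awk.

# Print one finding per line for the ssh_config at $1.
# Handles "Key value" and "Key=value" forms, comments and mixed case.
lint_ssh_agent_config() {
    awk '
    {
        sub(/#.*/, "")                 # strip trailing comments
        line = $0
        gsub(/=/, " ", line)           # allow Key=value as well as Key value
        n = split(line, f)
        if (n < 2) next                # blank or keyword-only line
        key = tolower(f[1]); val = tolower(f[2])
        if (key == "forwardagent" && val == "yes")
            printf "%s:%d: ForwardAgent yes lets a compromised remote host sign with keys held in your agent\n", FILENAME, NR
        if (key == "addkeystoagent" && val == "yes")
            printf "%s:%d: AddKeysToAgent yes loads keys silently and for the agent lifetime; prefer confirm and ssh-add -t\n", FILENAME, NR
    }' "$1"
}

# Number of findings for the config at $1 (0 means nothing flagged).
lint_count() {
    lint_ssh_agent_config "$1" | wc -l | tr -d ' '
}

# Constructed sample: the settings a convenience-first setup tends to end up with.
write_weak_config() {
    printf 'Host *\n  ForwardAgent yes\n  AddKeysToAgent=yes\n' > "$1"
}

# Constructed sample: keys are only added after an explicit prompt, the agent is
# never forwarded, and only the configured identity is offered to hosts.
# Pair this with a bounded agent lifetime, e.g. "ssh-add -t 8h ~/.ssh/id_ed25519".
write_hardened_config() {
    printf 'Host *\n  AddKeysToAgent confirm\n  ForwardAgent no\n  IdentitiesOnly yes\n' > "$1"
}

# Demo when run directly: lint both sample files and report the counts.
tmpdir=$(mktemp -d)
write_weak_config "$tmpdir/weak.conf"
write_hardened_config "$tmpdir/hardened.conf"
lint_ssh_agent_config "$tmpdir/weak.conf"
echo "weak.conf findings: $(lint_count "$tmpdir/weak.conf")"
echo "hardened.conf findings: $(lint_count "$tmpdir/hardened.conf")"
```

Run it against your own `~/.ssh/config` with `lint_ssh_agent_config ~/.ssh/config`; a clean result plus a key added with `ssh-add -t` means a stolen unlocked laptop yields, at worst, a time-boxed agent rather than an indefinitely usable one.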