top | item 29112014

brianwski | 4 years ago

> ... 4 - 6 words ... very conservatively 160 characters is probably going to fit

Gotcha. I'll file a Jira ticket to see if we can easily and quickly raise it to 200 characters (round number). I think we can handle that easily and safely.

> standalone hardware token support (like Yubikeys or Nitrokeys).

I'll run the idea by a few groups and see what people say. For feature requests NOT related to security, traditionally it's kind of a customer voting system. If enough customers want a certain feature it sorts to the top of the priority list and gets done sooner.

For security things it is obviously different, like if a big exploit like Heartbleed is released in the world we drop everything else and focus on that.

This is sort of somewhere in the middle, it's security related so it gets some additional boost up the priority list for that, but it's also a security feature not all customers would choose to use, so it is still affected by whether our sales and support teams are hearing requests for it.

xoa | 4 years ago

>Gotcha. I'll file a Jira ticket to see if we can easily and quickly raise it to 200 characters (round number). I think we can handle that easily and safely.

Thanks so much for the reply, and yeah that's done-forever territory. Even "just" tripling to 150 as you earlier suggested would almost certainly be plenty, into pathologic edge cases.

>I'll run the idea by a few groups and see what people say. For feature requests NOT related to security, traditionally it's kind of a customer voting system. If enough customers want a certain feature it sorts to the top of the priority list and gets done sooner.

>For security things it is obviously different, like if a big exploit like Heartbleed is released in the world we drop everything else and focus on that.

Sensible way to do it. And yeah I agree this is kind of a hybrid of both. It's not a flaw per se, but it's more than a feature enhancement as there are genuine security implications. If you haven't looked into it, there have been cases of SMS hijacking for example, you can find plenty of discussions on HN alone with a quick "sms hijack" search. It's better than nothing but SMS infra just is fundamentally not very secure. One time tokens with a seed are better, but less convenient or secure than a blackbox that can enforce operator presence requirements or at least completely sequester keys.

Even a couple of years ago it would have been more annoying to integrate but the standards are progressing well enough now that it's probably worth another look. Adoption of hardware keys in business also finally seems to be hitting critical mass, though if we're in an S-curve at last this time around it's well before the steep slope.

Anyway, thanks again and best of luck with everything! As it happens I plan to link up a new TrueNAS installation with B2 starting tonight :).