
I'm not sure that they are just using this as a scapegoat, but if you're working from home as a DevOps/Platform engineer, your very first ticket should be to activate MFA.

Kubernetes does MFA, all the Clouds do MFA and the company you work for can afford a "cheap android phone as key".

No matter if bare-metal, cloud or managed. If you have ANY edit rights you need MFA.



MFA wouldn't have helped here. The hacker had the encrypted vault; all they needed was the password.


Which in turn should not be the end of the world, because it's MFA all the way down, right?


If you have an encrypted vault file and the master password (or decryption key), you don't need 2FA. There is no known encryption algorithm that uses a rotating key like TOTP; the implementation of 2FA is always software-sided, and in the case of a vault file (like here), you don't need the software.


MFA is not used when you decrypt your vault on any password platform. It's just to receive the encrypted vault.


Well, I was more thinking along the lines of every service in your vault implementing additional 2FA.

In the Kubernetes world it really is not so difficult.
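The point made in the thread, that MFA gates the download of the vault blob while decryption depends only on the master password, as an added example that is not part of any comment above and is not any real password manager's format: a constructed toy vault (PBKDF2 key derivation, HMAC-SHA256 keystream and tag) and an RFC 6238 TOTP check that only the server-side `fetch_vault` ever consults. Once the blob is in an attacker's hands, the KDF work factor and master-password strength are the only remaining defence.

```python
import hashlib, hmac, os, struct, time

# Constructed toy vault layout (hypothetical, not a real product's):
#   salt(16) || nonce(16) || ciphertext || tag(32)
KDF_ITERATIONS = 600_000  # work factor: the only brake on offline guessing once the blob leaks

def derive_keys(master_password: str, salt: bytes):
    # One PBKDF2 call, split into an encryption key and a MAC key.
    k = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS, 64)
    return k[:32], k[32:]

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # CTR-style keystream from HMAC-SHA256 (toy construction; real vaults use AES).
    blocks = (length + 31) // 32
    return b"".join(hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def encrypt_vault(master_password: str, plaintext: bytes) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def decrypt_vault(master_password: str, blob: bytes) -> bytes:
    # Client side: nothing here asks for a second factor; the blob plus the password suffice.
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    # RFC 6238 TOTP over HMAC-SHA1 (RFC 4226 truncation).
    counter = struct.pack(">Q", int(time.time() if at is None else at) // step)
    d = hmac.new(secret, counter, hashlib.sha1).digest()
    o = d[-1] & 0x0F
    code = (struct.unpack(">I", d[o:o + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def fetch_vault(stored_blob: bytes, totp_secret: bytes, code: str, at=None) -> bytes:
    # Server side: the only place MFA is checked, and it only gates *receiving* the blob.
    if not hmac.compare_digest(code, totp(totp_secret, at)):
        raise PermissionError("MFA required to download vault")
    return stored_blob
```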



