Correct me if I’m wrong, but:
Steal a key, any key, and you’re good to go. (Like cash.)
Steal an ID, and it either has to match your face, or you need a new mask, a new hair color, etc., just for this job.
That’s true. But a well-protected key is much, much harder to steal than it is to fake an ID. (We were not discussing stealing IDs.)
It’s a different way of looking at things—Anyone* who steals ANY KEY can use it. So there’s benefit to attackers, just going after badly protected keys. The approach looks like an inversion of the way you’re looking at it.
(That doesn’t mean I’m always a fan of using multiple factors, or verifying new machines—but I understand the point in terms of security, and sometimes wish there were more (opt in) options, say periodic ones. For example, ‘machines expire after X time or Y logins’.)
*with the skills.
Both things are true. An attacker can find poorly protected keys that are easier to steal (although key protection may weakly correlate with key value). And a defender can invest to make their own key much harder to steal.
You don’t need to steal the ID, you just need to see it or collect the info on it. Which is easy since you’re expected to share your ID with people. But the private key never needs to be shared, even in business or other official situations.