That’s true. But a well-protected key is much, much harder to steal than it is to fake an ID. (We were not discussing stealing IDs.)
It’s a different way of looking at things—Anyone* who steals ANY KEY can use it. So there’s benefit to attackers, just going after badly protected keys. The approach looks like an inversion of the way you’re looking at it.
(That doesn’t mean I’m always a fan of using multiple factors, or verifying new machines—but I understand the point in terms of security, and sometimes wish there were more (opt in) options, say periodic ones. For example, ‘machines expire after X time or Y logins’.)
*with the skills.
Both things are true. An attacker can find poorly protected keys that are easier to steal (although key protection may weakly correlate with key value). And a defender can invest to make their own key much harder to steal.