Comment by pheggs

1 day ago

If you don't mind asking, what don't you like about Kerberos? I personally like it quite with certs / hardware token

To be honest, most things you list can be set up with some research. The only one I am not sure about is integrated storage, but then I am also not entirely sure what that even is supposed to mean exactly

The user experience between a phone, tablet and computer should be symbiotic. Krb is not a first class thing in the mobile world. So users now have a great Krb experience with Outlook.exe but are typing passwords into Safari at owa.example.com (anywhere you type an AD password that isn't lsass or ADFS is really not good posture).

So, passwords are bad and the password is a key component of Krb. Moving away from passwords is a step in the right direction, e.g. OIDC.

  • Right, given the product names I assume you are on Windows. With Kerberos people shouldn't have to type their passwords into apps at all, and if you use PKINIT there are no passwords at all?

    I give you the mobile part, I don't know how well it is supported - iOS claims to have support though, and Android through third parties I believe. Never tried that. It's just that I personally have a preference for auth methods that don't require opening a browser for desktop apps