These things should be offline / resilient first right?
Smartcards / YubiKeys.
Never understood the logic for these to be centralised / online.
These things should be offline / resilient first right?
Smartcards / YubiKeys.
Never understood the logic for these to be centralised / online.
PKI works offline until you realize you need to handle revocations.
For this and related reasons, such as enforcing protocol upgrades, most smartcard systems end up permanently online.
You can have a mixed system, such that revocation lists are downloaded and cached every hour or so, and you can even try to check online more often than that, but fall back to the downloaded lists if the system is down.
Revocation.
can be solved with a hybrid model that degrades when the central service is down. No?
Well they provide that if you want. they have both a OTP dongle, a OTP loud speaker and one that uses FIDO U2F (though you need to pay for that one).
https://www.mitid.dk/en-gb/get-started-with-mitid/how-to-use...