Normally, we think of bottlenecks as a bad thing. They limit how fast we can go and how much bandwidth we have, and they keep us from reaching our full capability. We do as much as possible to avoid them: we optimize for speed and performance, set up multiple servers to share the load, add redundancy, and so on, all for the sake of removing bottlenecks so that we and our customers can move as fast as possible.
But let’s look at this from a different perspective: the attacker’s. If you have optimized your systems to respond as quickly as possible to your users, they also respond just as quickly to your attackers. How can you optimize for your users without giving the same advantage to the bad guys?
There are certainly complicated systems you can use to implement a “one way” type of optimization, but picking out your legitimate users from malicious ones is not simple. What if, instead, you could bottleneck a critical path into your systems in such a way that identifying the right users is simple and doesn’t impact your actual users?
This is where the Good Bottleneck comes into play. In many situations where passwords are used, someone can keep trying to log in until they succeed. That’s not to say there aren’t ways to stop this, but the user experience isn’t always great (not to mention the extra cost of support calls when accounts get locked). After you have spent a lot of time optimizing your systems, attacks can happen fast. What you need is a way to put a block in place that slows the attacker down, but without impacting the user experience by making things slow or complicated.
Solutions like GreenRADIUS with YubiKeys provide this type of Good Bottleneck. You can optimize everything to the max, but when the attack comes, the use of 2FA means that authentication is a non-starter as an attack point. Obviously that doesn’t prevent attacks on other points of the system, but gaining access to a user account directly is usually a lot easier to exploit than going after other weak points that don’t lead to account access. The user experience is simple, so it doesn’t impact the user base, but it directly impacts the attacker by preventing many of the simpler attacks (such as brute-force access to user accounts) that are costly to protect against but simple to carry out.