
Re: Salsa update: no more "-guest" and more



On Sun, Apr 26, 2020 at 10:12:41AM -0700, Sean Whitton wrote:
> On Sun 26 Apr 2020 at 02:36PM +02, Mattia Rizzolo wrote:
> > On Sun, Apr 26, 2020 at 02:07:54PM +0200, Bernd Zeimetz wrote:
> >> There are even cli tools that do the same stuff. I'd guess there is at least one on Debian.
> > Indeed, after I first lost a phone, and a second one broke, leaving me
> > with a quite huge pain to recover my accounts, I started using
> > `oathtool` to manage the TOTP and HOTP codes, which is in Debian, and I
> > store the secret hash needed to generate the codes with `pass`.
> >
> > That said, for the only website where I need HOTP (Ubuntu SSO), I stored
> > that thing in the HOTP spot of my yubikey, and for everything else they
> > also support U2F so I likewise use my yubikey for those as well.
> 
> In such a case, though, haven't you essentially turned it back into one
> factor authentication (the single factor being your laptop)?

It's still two factor: something I know (password) and something I have
(my yubikey).

Since I sometimes don't really know my passwords, I suppose at that
point the "something I know" instead of being the actual password is the
GPG passphrase used to decrypt the file that actually contains the
password, but it's still 2fa.
Still I wouldn't consider that to be tied to my laptop (the password
storage does live in my laptop, but it's encrypted AND duplicated
elsewhere).


-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
More about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
