On Sun, Apr 26, 2020 at 10:12:41AM -0700, Sean Whitton wrote:
> On Sun 26 Apr 2020 at 02:36PM +02, Mattia Rizzolo wrote:
> > On Sun, Apr 26, 2020 at 02:07:54PM +0200, Bernd Zeimetz wrote:
> >> There are even cli tools that do the same stuff. I'd guess there is at least one on Debian.
> > Indeed, after I first lost a phone, and a second one broke, leaving me
> > with a quite huge pain to recover my accounts, I started using
> > `oathtool` to manage the TOTP and HOTP codes, which is in Debian, and I
> > store the secret hash needed to generate the codes with `pass`.
> >
> > That said, for the only website where I need HOTP (Ubuntu SSO), I stored
> > that thing in the HOTP spot of my yubikey, and for everything else they
> > also support U2F so I likewise use my yubikey for those as well.
>
> In such a case, though, haven't you essentially turned it back into one
> factor authentication (the single factor being your laptop)?

It's still two factor: something I know (password) and something I have
(my yubikey).

Since sometimes I don't really know my passwords, I suppose at that
point the "something I know" instead of being the actual password is the
GPG passphrase used to decrypt the file that actually contains the
password, but it's still 2fa.

Still I wouldn't consider that to be tied to my laptop (the password
storage does live in my laptop, but it's encrypted AND duplicated
elsewhere).

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540        .''`.
More about me:  https://mapreri.org                               : :'  :
Launchpad user: https://launchpad.net/~mapreri                    `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia   `-