
Re: Salsa update: no more "-guest" and more

Mattia Rizzolo <mattia@debian.org> writes:

> Since sometimes I don't really know my passwords, I suppose at that
> point the "something I know" instead of being the actual password is the
> GPG passphrase used to decrypt the file that actually contains the
> password, but it's still 2fa.

By equivalent logic, a GnuPG-encrypted password manager containing long,
randomly-generated passwords is also 2FA, without adding the TOTP element,
since you need both your passphrase to unlock it and a copy of the
password manager store.  (The reality is that counting factors has
limitations as a measure of security, and it breaks down here.)

The main benefit of adding a TOTP authentication element is that a
successful phishing attack without a local compromise of your laptop has
to use your credentials immediately and only gets to log in once, as
opposed to being able to store your credentials and use them at any time
in the future.  This is a real benefit, although I'm not sure it's worth the
hassle for everyone.  The drawback of adding a second factor (account
lockout) is real and worth considering as well, although less of a worry
for Debian Developers and Maintainers with GnuPG keys in the keyring since
we can use GnuPG signatures as an account recovery mechanism.

If you want a good second factor, a physically separate Webauthn device is
superior to any OTP scheme (and also provides much stronger phishing
protection), but it does require buying and tracking a physical object,
and since that object can break or be lost, also storing backup codes
somewhere safe.

Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>
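The "only gets to log in once" property of TOTP that Russ describes above, as an added example (it is not part of his message, nor code from Salsa or Debian). It implements RFC 4226 HOTP and RFC 6238 TOTP in plain Python and a server-side verifier that remembers the highest time step it has already accepted, then models a phishing page capturing a live code and trying to use it immediately, a few seconds later, and an hour later. The secret is the RFC 6238 test secret so the codes can be checked against the published test vectors; the clock skew window of one step and the five-second and one-hour delays are assumptions chosen for the illustration.

```python
"""Why a TOTP code stolen by phishing is only good once, and only briefly.
Added example: RFC 4226/6238 OTP generation plus a replay-resistant verifier."""
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), used here so
# the generated codes can be checked against the published test vectors.
SECRET = b"12345678901234567890"
STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side verifier that accepts each time step at most once.

    ``window`` steps of clock skew are tolerated on either side (assumed: 1).
    The highest time step already used is remembered (a real deployment must
    persist it per user) so a captured code cannot be presented a second time.
    """

    def __init__(self, secret: bytes, step: int = STEP, window: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = int(unix_time) // self.step
        # Check the newest candidate step first so a fresh code is preferred.
        for candidate in range(current + self.window, current - self.window - 1, -1):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                if candidate <= self.last_accepted_step:
                    return False          # replay of an already-spent step
                self.last_accepted_step = candidate
                return True
        return False


def phishing_scenario(secret: bytes, capture_time: int) -> tuple:
    """Model the attack described in the message: a phishing page captures a
    live TOTP code at ``capture_time``; the attacker then tries it (a) at once,
    (b) five seconds later, (c) an hour later. Returns the three verifier decisions."""
    stolen_code = totp(secret, capture_time)        # what the phishing page captured
    server = TotpVerifier(secret)
    used_immediately = server.verify(stolen_code, capture_time)          # relayed at once
    replayed_seconds_later = server.verify(stolen_code, capture_time + 5)   # same step, spent
    reused_an_hour_later = server.verify(stolen_code, capture_time + 3600)  # step long expired
    return used_immediately, replayed_seconds_later, reused_an_hour_later


if __name__ == "__main__":
    print(totp(SECRET, 59))                          # 287082 (RFC 6238 vector, 6 digits)
    print(phishing_scenario(SECRET, 1111111109))     # (True, False, False)
```

The immediate relay succeeds, which is exactly the residual risk Russ points out: TOTP narrows a phished credential to one login inside one time window, nothing more. The two later attempts fail only because the verifier records the spent step; a verifier that merely checks the code against the window lets the attacker reuse it for the rest of that window. Binding the second factor to the origin, as Webauthn does, is what closes the real-time relay case, and no OTP scheme provides that.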
