Re: Salsa update: no more "-guest" and more

To: debian-devel@lists.debian.org
Subject: Re: Salsa update: no more "-guest" and more
From: Russ Allbery <rra@debian.org>
Date: Sun, 26 Apr 2020 15:01:52 -0700
Message-id: <[🔎] 871ro952jz.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 20200426171743.GV2552348@mapreri.org> (Mattia Rizzolo's message of "Sun, 26 Apr 2020 19:17:43 +0200")
References: <20200418213339.GB32260@waldi.eu.org> <[🔎] 8555e1c9-2ae9-fc7e-8278-4e4e1bf1b0f1@bzed.de> <[🔎] 20200425164941.4nrgwu636mk564y5@shell.thinkmo.de> <[🔎] B4960B93-DB48-469A-A2A2-6E2D7383D219@bzed.de> <[🔎] 1aa1982f-e333-df39-121c-b7d0ceecaf3c@debian.org> <[🔎] 45946438-59a6-f2f3-98b0-3610c4982441@bzed.de> <158788837458.974141.1419978229354731331@localhost> <[🔎] 17687A47-091D-41CB-B152-EAC54C290170@bzed.de> <[🔎] 20200426123651.GU2552348@mapreri.org> <[🔎] 87lfmi9nna.fsf@iris.silentflame.com> <[🔎] 20200426171743.GV2552348@mapreri.org>

Mattia Rizzolo <mattia@debian.org> writes:

> Since I sometimes I don't really know my passwords, I suppose at that
> point the "something I know" instead of being the actual password is the
> GPG passphrase used to decrypt the file that actually contains the
> password, but it's still 2fa.

By equivalent logic, a GnuPG-encrypted password manager containing long,
randomly-generated passwords is also 2FA, without adding the TOTP element,
since you need both your passphrase to unlock it and a copy of the
password manager store.  (The reality is that counting factors has
limitations as a measure of security, and it breaks down here.)

The main benefit of adding a TOTP authentication element is that a
successful phishing attack without a local compromise of your laptop has
to use your credentials immediately and only gets to log in once, as
opposed to being able to store your credentials and use them at any time
in the future.  This is real benefit, although I'm not sure it's worth the
hassle for everyone.  The drawback of adding a second factor (account
lockout) is real and worth considering as well, although less of a worry
for Debian Developers and Maintainers with GnuPG keys in the keyring since
we can use GnuPG signatures as an account recovery mechanism.

If you want a good second factor, a physically separate Webauthn device is
superior to any OTP scheme (and also provides much stronger phishing
protection), but it does require buying and tracking a physical object,
and since that object can break or be lost, also storing backup codes
somewhere safe.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

Reply to:

References:
- Re: Salsa update: no more "-guest" and more
  - From: Bernd Zeimetz <bernd@bzed.de>
- Re: Salsa update: no more "-guest" and more
  - From: Bastian Blank <waldi@debian.org>
- Re: Salsa update: no more "-guest" and more
  - From: Bernd Zeimetz <bernd@bzed.de>
- Re: Salsa update: no more "-guest" and more
  - From: IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>
- Re: Salsa update: no more "-guest" and more
  - From: Bernd Zeimetz <bernd@bzed.de>
- Re: Salsa update: no more "-guest" and more
  - From: Bernd Zeimetz <bernd@bzed.de>
- Re: Salsa update: no more "-guest" and more
  - From: Mattia Rizzolo <mattia@debian.org>
- Re: Salsa update: no more "-guest" and more
  - From: Sean Whitton <spwhitton@spwhitton.name>
- Re: Salsa update: no more "-guest" and more
  - From: Mattia Rizzolo <mattia@debian.org>

Prev by Date: Re: Salsa update: no more "-guest" and more
Next by Date: Re: Salsa update: no more "-guest" and more
Previous by thread: Re: Salsa update: no more "-guest" and more
Next by thread: Re: Salsa update: no more "-guest" and more
Index(es):
- Date
- Thread