
Re: Salsa update: no more "-guest" and more

On 2020-04-26 14:07 +0200, Bernd Zeimetz wrote:
> Hi,
> Google Authenticator is a software-based authenticator by Google that
> implements two-step verification services using the Time-based One-time
> Password Algorithm (TOTP; specified in RFC 6238) and HMAC-based One-time
> Password algorithm (HOTP; specified in RFC 4226), for authenticating users of
> software applications.
> There are even CLI tools that do the same stuff. I'd guess there is at least
> one on Debian.

Yes, oathtool.

But this is still a PITA for sites where it is required, like
Microsoft and Google. I don't want to have to do this for Debian stuff
too. (run this auth program, then have a menu to say which site I
am making the number for so it knows which token to use, then paste
the resulting magic number into a webform). Are you proposing
something less tiresome than this?

I would much prefer to continue to be trusted not to have a shit
password and take reasonable care in using it. Or that PAKE thing
sounded like it might work quite well and the site didn't have to keep
the whole password list. But my experience of 2FA so far has been
deeply irksome, so I resent it being enforced, unless there is some
way of not having to go through that rigmarole every time (the above
sites generally only make me do it every two weeks - if it was every
time I'd explode). But if every site started doing this it would be
truly awful - one has hundreds of logins these days.

Debian is one place that has a reasonably competent userbase - I
remain unconvinced that we need to change things.

Principal hats:  Linaro, Debian, Wookware, ARM
