On 2020-04-26 14:07 +0200, Bernd Zeimetz wrote:
> Hi,
>
> Google Authenticator is a software-based authenticator by Google that
> implements two-step verification services using the Time-based One-time
> Password Algorithm (TOTP; specified in RFC 6238) and HMAC-based One-time
> Password algorithm (HOTP; specified in RFC 4226), for authenticating users of
> software applications.
>
> There are even CLI tools that do the same stuff. I'd guess there is at least
> one on Debian.

Yes, oathtool. But this is still a PITA for sites where it is required, like
Microsoft and Google. I don't want to have to do this for Debian stuff too.
(run this auth program, then have a menu to say which site I am making the
number for so it knows which token to use, then paste the resulting magic
number into a webform). Are you proposing something less tiresome than this?

I would much prefer to continue to be trusted not to have a shit password and
take reasonable care in using it. Or that PAKE thing sounded like it might
work quite well and the site didn't have to keep the whole password list.

But my experience of 2FA so far has been deeply irksome, so I resent it being
enforced, unless there is some way of not having to go through that rigmarole
every time (the above sites generally only make me do it every two weeks - if
it was every time I'd explode). But if every site started doing this it would
be truly awful - one has hundreds of logins these days.

Debian is one place that has a reasonably competent userbase - I remain
unconvinced that we need to change things.

Wookey
-- 
Principal hats: Linaro, Debian, Wookware, ARM
http://wookware.org/