[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Salsa update: no more "-guest" and more

On 2020-04-28 05:08, Wookey wrote:
On 2020-04-26 14:07 +0200, Bernd Zeimetz wrote:

Google Authenticator is a software-based authenticator by Google that
implements two-step verification services using the Time-based One-time Password Algorithm (TOTP; specified in RFC 6238) and HMAC-based One-time Password algorithm (HOTP; specified in RFC 4226), for authenticating users of
software applications.

There are even cli tools that do the same stuff. I'd guess there is at least
one on Debian.

yes oathtool.

But this is still a PITA for sites where it is required, like
microsoft and google. I don't want to have to do this for Debian stuff
too. (run this auth program, then have a menu to say which site I
am making the number for so it knows which token to use, then paste
the resulting magic number into a webform). Are you proposing
something less tiresome than this?

I would much prefer to continue to be trusted not to have a shit
password and take reasonable care in using it. Or that PAKE thing
sounded like it might work quite well and the site didn't have to keep
the whole password list. But my experience of 2FA so far has been
deeply irksome, so I resent it being enforced, unless there is some
way of not having to go through that rigmarole every time (the above
sites generally only make me do it every two weeks - if it was every
time I'd explode). But if every site started doing this it would be
truly awful - one has hundreds of logins these days.

Debian is one place that has a reasonably competent userbase - I
remain unconvinced that we need to change things.

It's kinda weird that the solution exists with 2FA FIDO tokens using webauthn. (Like the current generation of Yubikeys but there are of course others.) Gitlab supports that.

I mean I don't want to suggest that buying hardware is required, but that's literally what they were designed for. Automatically dealing with origin information sanely and then a touch signs you in. OTPs are as fishable as passwords.

Kind regards
Philipp Kern

Reply to: