Post AJ8cFbW3gsIJEnnZOS by privateger@plasmatrap.com
Post #AJ8Wvo4mmcEGd6mZd2 by mat@friendica.exon.name
2022-05-05T06:34:03Z
0 likes, 0 repeats
Sigh. Does anyone have a suggestion for an open source 2FA (TOTP) tool that works on iPhone and doesn't leak information to Google or Microsoft or the other usual suspects? @developers

The Register, 2022-05-05 04:01:13
GitHub to require two factor authentication for code contributors by late 2023

GitHub has announced that it will require two factor authentication for users who contribute code on its service.

"The software supply chain starts with the developer," wrote GitHub chief security officer Mike Hanley on the company blog. "Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain."

Readers will doubtless recall that attacks on development supply chains have recently proven extremely nasty. Exhibit A: the Russian operatives that slipped malware into SolarWinds' Orion monitoring tool and used it to gain access to over 18,000 companies. GitHub has also had its own problems, such as when access to npm was compromised.

Hence its decision to require 2FA "by the end of 2023" for users who commit code, open or merge pull requests, use Actions, or publish packages.

GitHub already offers 2FA, requires contributors of popular packages (including npm) to employ it, and states that 16.5 per cent of active users already employ the technique.

Why the rest have until sometime in 2023 to adopt 2FA isn't explained in Hanley's post, beyond his assertion that "GitHub is committed to making sure that strong account security doesn't come at the expense of a great experience for developers, and our end of 2023 target gives us the opportunity to optimize for this."

The post also states that GitHub will "actively explore new ways of securely authenticating users" and add more ways to recover accounts. "Improvements that help prevent and recover from account compromise" are also on the agenda.

Hanley's post states that details of GitHub's 2FA implementation will emerge in "coming months". ®

Retrieved 2022-05-05: www.theregister.com/2022/05/05…
Post #AJ8Wvox1Wxc9LK9tAW by mathias@friendica.hellquist.eu
2022-05-05T07:21:25Z
0 likes, 0 repeats
@mat Bitwarden is Open Source and as of last week also present in the Fediverse: @bitwarden
Post #AJ8WvpoYJwQs1LCdbU by wilhelm@pirati.ca
2022-05-05T08:19:28Z
0 likes, 0 repeats
@mathias @mat @bitwarden "Authenticator key (TOTP) storage is available to all accounts. TOTP code generation requires Premium or membership to a Paid Organization (Families, Teams, or Enterprise)." https://bitwarden.com/help/authenticator-keys/
Post #AJ8WvqefCC7GcxaFpQ by bitwarden@fosstodon.org
2022-05-05T08:39:15Z
0 likes, 0 repeats
@wilhelm @mat @mathias Thanks for sharing the link! Bitwarden’s core password management features are #FOSS, but as the article mentions, interested users can upgrade to premium for $10 a year (less than $1/month) for additional features like TOTP code generation.
Post #AJ8YJAlegOvzcXXXA8 by paul@notnull.click
2022-05-05T08:47:44.601813Z
0 likes, 0 repeats
@bitwarden @mat @mathias I've always found the idea of TOTP code generation in the same app as your password manager to be a little questionable - the idea is to keep them separate, right? So one being hacked wouldn't mean you're totally compromised.

I'm happy to listen to arguments on the contrary, but for me right now that option isn't a good idea.
Post #AJ8YJBTG4HoRnlwM7s by bitwarden@fosstodon.org
2022-05-05T08:54:44Z
0 likes, 0 repeats
@paul @mat @mathias LOTs of conversation around this, with one use case being when team members need to use 2FA for a shared account, the balance between security and convenience of trying to coordinate securely sending the 2FA response to employees that need it. In this case, anyone in an org with access to the shared collection/item can just hit the paste shortcut after auto-filling as the code gets copied to the clipboard (unless disabled in settings).
Post #AJ8YQ5lpf0yq9JvEUy by bitwarden@fosstodon.org
2022-05-05T08:56:02Z
0 likes, 0 repeats
@paul @mat @mathias LOTs of conversation around this, with one use case being when team members need to use 2FA for a shared account, the balance between security and convenience of trying to coordinate securely sending the 2FA response to employees that need it.

In this case, anyone in a Bitwarden organization with access to the shared collection/item can just hit the paste shortcut after auto-filling as the code gets copied to the clipboard (unless disabled in settings).
Post #AJ8Yeb9flpDjXazSyG by mat@friendica.exon.name
2022-05-05T08:44:46Z
0 likes, 0 repeats
I see. I was hoping that there would be a free as in beer TOTP solution out there. At least your consumer subscription plan includes TOTP, whereas the Lastpass version I'm using only has TOTP in the corporate plan. So I will consider this, but it's not a slam-dunk. And it is irritating to have to pay a fee just for the privilege of giving away code for free.
Post #AJ8YebkBa4QZMq4csq by bitwarden@fosstodon.org
2022-05-05T08:58:35Z
0 likes, 0 repeats
@mat @wilhelm @mathias Thanks for the honest feedback Matthew, the Bitwarden team is always listening and learning.
Post #AJ8ZdnVqRJHhX2XkGm by paul@notnull.click
2022-05-05T08:59:53.524994Z
0 likes, 0 repeats
@bitwarden @mat @mathias Sure, I get it, but I’m of the mind that security shouldn’t be convenient. I understand the irony there, a password manager is convenient and I use one, but when it comes to 2FA I feel more secure with the inconvenience.

Having TOTP in your password manager removes the idea of “2FA”, ultimately in my opinion, making it 1FA.
Post #AJ8Zdo7mAHcrQgI2OO by bitwarden@fosstodon.org
2022-05-05T09:09:42Z
0 likes, 0 repeats
@paul @mat @mathias Thanks for the feedback! The other feature available is Master Password Re-prompt, which, in a future release, will obscure all vault item information unless the master password is input again (currently it only protects the password field) https://bitwarden.com/help/managing-items/#protect-individual-items
Post #AJ8ZlPNg2pCn0OLt4K by bitwarden@fosstodon.org
2022-05-05T09:11:06Z
0 likes, 0 repeats
@paul @mat @mathias Thanks for the feedback! The other feature available is Master Password Re-prompt, which, in a future release, will obscure all of a vault item’s information unless master password is input again (currently the re-prompt only protects the password field) https://bitwarden.com/help/managing-items/#protect-individual-items
Post #AJ8cFbW3gsIJEnnZOS by privateger@plasmatrap.com
2022-05-05T09:24:11.619Z
0 likes, 0 repeats
@paul@notnull.click @bitwarden@fosstodon.org @mat@friendica.exon.name @mathias@friendica.hellquist.eu This is purely a question of what you consider a factor. The actual answer to this are hardware security keys, like Yubikey.
Post #AJ8cFc2Jkw6AqqtKfw by mat@friendica.exon.name
2022-05-05T09:31:14Z
0 likes, 0 repeats
The idea of a factor is to limit the pool of potential attackers. "Something you know" can be extracted by hackers, normally a large sophisticated team based in another country extracting credentials wholesale. "Something you have" can be extracted by your neighbourhood pickpocket. The power of 2FA is that the intersection of those two sets is extremely small. Having credentials on a phone, especially if that phone is backed up to the cloud, obliterates this idea. If a thief who can steal one factor can steal the other factor the same way, it's not two factors.

In this case I just want to log into a github account so I can give away code for free. What am I defending here? What I want is 1FA and all of this bullshit to just go away. Microsoft now says that's not good enough, I need to jump through their 2FA hoop. I'm looking for a way to cut the bottom off that hoop.
Post #AJ8cFceFTuRKkUdcnY by privateger@plasmatrap.com
2022-05-05T09:35:58.940Z
0 likes, 0 repeats
@mat@friendica.exon.name @mathias@friendica.hellquist.eu @bitwarden@fosstodon.org @paul@notnull.click The issue is the UX of most MFA being awful, I agree with that completely.

You really should look into the Yubikeys you can plug into a USB port and just keep in there. Enter your password, gently touch the key and you're in. It's the logical evolution of MFA.
Post #AJ8cFdF7Gpvkapt4GO by bitwarden@fosstodon.org
2022-05-05T09:38:55Z
0 likes, 0 repeats
@privateger @paul @mathias @mat That's the way the Bitwarden team uses their hardware keys wherever possible and definitely the most seamless. Outside of Master Password Re-prompt, having a secondary password/pin is a great suggestion 👍
Post #AJ8d52T9EtoXbFxm6K by mat@friendica.exon.name
2022-05-05T09:43:45Z
0 likes, 0 repeats
Came close to ordering a Yubikey on multiple occasions. My last note on the subject is from August last year, prompted by this comment. No. If replacing a lost/broken key is going to be hard, then no. Perhaps as a 2FA lock on my password manager, but I can't see the need. I do not, in fact, backup my password manager in the cloud, and I do have an emergency backup at home. Fingerprint protection is good enough. If Yubikey can sort out the migration process so that I can do without the password manager, then maybe we're talking.
Post #AJ8d535QwYRHVzsLmC by bitwarden@fosstodon.org
2022-05-05T09:48:09Z
0 likes, 0 repeats
@mat @mathias @paul @privateger The Bitwarden team hasn't had any issues with broken keys, but best practice is to have at least 2.
Post #AJ8gI3xbJ2n7qs6p9M by mathias@friendica.hellquist.eu
2022-05-05T10:14:55Z
0 likes, 0 repeats
@mat @wilhelm @bitwarden I haven’t looked into ownership and data sharing, but have you looked at Authy, which is doing the TOTP (only)? I used it a couple of years ago when I first migrated away from Google Authenticator.

These days I, as suggested above in various replies, am using Bitwarden with Yubikeys, so I haven’t used Authy in a long time and cannot vouch for them, but I do know they exist (and aren’t, I think, Google or Microsoft etc).
Post #AJ8gI9gS1iddbQ8DFg by bitwarden@fosstodon.org
2022-05-05T10:24:10Z
0 likes, 0 repeats
@mathias @wilhelm @mat There are definitely options out there for everyone no matter what solution you go with. Along with Authy, FreeOTP by Red Hat is commonly used.