[HN Gopher] TOTP tokens on my wrist with the smartest dumb watch
___________________________________________________________________
TOTP tokens on my wrist with the smartest dumb watch
Author : emreb
Score : 325 points
Date : 2022-10-18 05:50 UTC (17 hours ago)
(HTM) web link (blog.singleton.io)
(TXT) w3m dump (blog.singleton.io)
| sneak wrote:
| Cool hack. That said:
|
| A security reminder to anyone who is in the target audience here:
| if you're clever enough to have TOTP 2FA enabled on your Google
| account, get some cheap USB security keys and enable Advanced
| Protection, which completely disables non-hardware 2FA. It
| requires two different tokens (and you should really get one for
| each computer you have/use, plus at least one offsite backup)
| because once enabled it actually and completely locks anyone out
| of the account that does not possess one of the enrolled tokens.
|
| https://landing.google.com/advancedprotection/
|
| TOTP is not much better than SMS-based 2FA. It's still vulnerable
| to phishing, local device malware (that attacks your TOTP in your
| password manager), etc. It's best to use hardware tokens
| everywhere that support them, and both Google and GitHub do. (And
| Google supports a special hardware token only mode which I wish
| more sites would adopt.)
| mhkool wrote:
| I like the yubico key that even has a pin code, so if it's lost or
| stolen it protects your TOTP codes
| amelius wrote:
| > which completely disables non-hardware 2FA
|
| Does this make Google stop asking for my phone number?
| [deleted]
| xupybd wrote:
| Can you recommend any cheap USB security keys? I've looked in
| the past and cost has been prohibitive.
| sneak wrote:
| I have a $50 yubikey nano plugged into each of my multiple-
| thousand-dollar computers, protecting my accounts
| containing/accessing client data worth millions.
|
| If anything under $100 is too much to secure your account,
| just use SMS 2FA, or disable 2FA entirely.
| masklinn wrote:
| Fwiw big players regularly give free keys to e.g. OSS
| maintainers. Dunno if it's still active but Pypy has a
| program for maintainers of crates flagged as sensitive (or
| something like that), you can get two Titan keys courtesy of
| google.
|
| I also have a pair of github-branded yubikeys from a long
| time ago but I don't remember what that program was.
|
| > cost has been prohibitive.
|
| A titan is 35 or so, hardly prohibitive. And if you have
| access to anything important your company ought to be glad to
| get you one or two, or yubis.
| niel wrote:
| Cloudflare and Yubico are in partnership to provide YubiKeys
| at a discount:
|
| https://www.cloudflare.com/products/zero-trust/phishing-
| resi...
|
| Related thread: https://news.ycombinator.com/item?id=33020078
| sitic wrote:
| US Google One users on a >=2TB plan should currently also
| have an offer for a free Titan key at
| https://one.google.com/benefits
| Tijdreiziger wrote:
| > Eligible customers must have an active zone or actively
| use Cloudflare Zero Trust.
| madc wrote:
| Have you looked into these? https://solokeys.com
| rjzzleep wrote:
| I was a backer of the V2 and I think my order is now a year
| overdue. I don't really back things on kickstarter because
| I don't like to gamble, but this seemed like a sure bet.
| Turns out it wasn't.
| ibotty wrote:
| I got my solokeys v2. A bummer that they did not ship to
| some folks.
| stavros wrote:
| I got mine (and it randomly died so they sent me a second
| one). You still haven't received your first one? That
| sucks, they're generally very good devices (minus them
| randomly dying, I guess).
| Brajeshwar wrote:
| Not them but I have stopped backing projects on
| Kickstarter, because I have been burned to the tune of
| $2,000+ (2016-17-ish currency conversion).
| tzs wrote:
| > TOTP is not much better than SMS-based 2FA. It's still
| vulnerable to phishing, local device malware (that attacks your
| TOTP in your password manager), etc.
|
| It's still massively better than SMS-based 2FA. Those
| vulnerabilities you list are all things that involve you or
| your device. You can take care to avoid them.
|
| With SMS there are also vulnerabilities that don't involve you
| or your device, such as someone convincing your carrier to
| transfer your phone number to them.
| UncleMeat wrote:
| SIM swap is real but rare, since it cannot be automated. It
| is also largely defeated by having a strong and unique
| password, assuming that your provider doesn't use SMS as a
| single factor password reset option.
|
| If you've got a strong and unique password then your primary
| concern should be phishing, which is the same for sms and
| totp.
| vladvasiliu wrote:
| While I agree with your points regarding the security of TOTP /
| SMS, and I do push for hardware keys at work, I think a case
| could be made for a mixed use for "regular people".
|
| Maintaining two hardware keys is an absolute PITA, especially
| if you go down the route of storing one off-site, hence not
| having it with you to enroll when you get a new account.
|
| What I do, is use the hardware token as the "main" factor and
| use the TOTP if for some reason I don't have the token (I may
| sometimes forget it at home when I'm at my parents' house).
|
| The point is that, since I usually have my key, if I'm
| presented with a Google or whatever prompt for a TOTP, I know
| something's fishy. I don't normally use that, so I'll
| investigate why that happens and won't just go ahead and type
| my code in there.
| jasonjayr wrote:
| This needs to be repeated too. And developers need to be
| reminded that anything they secure with hardware keys
| absolutely _needs_ to accept multiple hardware keys in order
| to mitigate loss or destruction of the first key.
| quickthrower2 wrote:
| Not so sure, for me I am going to forget to have the hardware
| device. I will probably lose it. I will forget to take it with
| me and then can't access things mobile. Or will take it out
| with me and lose it. Have enough stuff to keep track of! I
| would use hardware for some occasional use logins though.
|
| Why is TOTP not much better than SMS? Someone can take over
| your phone contract to get those SMS messages by sweet talking
| your telco, but for TOTP they need to get hold of my device or
| get some malware onto my phone.
| rjzzleep wrote:
| > TOTP is not much better than SMS-based 2FA. It's still
| vulnerable to phishing, local device malware (that attacks your
| TOTP in your password manager), etc. It's best to use hardware
| tokens everywhere that support them, and both Google and GitHub
| do. (And Google supports a special hardware token only mode
| which I wish more sites would adopt.)
|
| Since this device doesn't actually have network connectivity, he
| might potentially have this problem when someone is watching his
| watch with a camera, or if someone is able to do something in
| his close proximity. That means it absolutely is better than
| SMS-based 2FA and the phishing attack vector is different, and
| if a person has access to him in close proximity anyway, the
| cheap USB security doesn't offer anything (well, not completely
| true, but almost) over this particular TOTP use case.
|
| Security is kinda cool these days and everyone is a security
| expert, but just reiterating trained responses without actually
| thinking about the attack vectors is getting a bit annoying.
| It's as if it is cool to say the most secure use case people
| can think of without even considering what and who it is that
| is actually protected and from whom.
| hennell wrote:
| Well if you want to look at specific attack vectors this one
| may have remote access issues based on what and where you
| store the source code. I'd guess OP knows what he's doing,
| but someone trying this with an accidentally open repo or
| compromised machine are possibly bigger risks here than with
| most other TOTP solutions.
|
| Equally it has the hardware key flaw of being able to be
| physically stolen, but with no option of an additional lock,
| and more likely than most systems that you might leave the
| totp running so a camera exploit is a little easier than with
| an app maybe.
|
| Not to say I think any of this is likely, and with the
| exception of a public repo mistake, it's probably a lot
| harder than an SMS exploit.
| jgrahamc wrote:
| TOTP is really vulnerable to phishing. Hardware keys are the
| solution.
| rjzzleep wrote:
| Yeah, sure, but then again a watch on your wrist is harder
| to take away than a hardware key on your physical keychain
| that you don't pay attention to.
|
| EDIT: yes, lol, thank you for explaining what phishing is
| jgrahamc. We didn't know. I get that a lot of Americans and
| some Germans guard their car keys like an internal organ,
| but for a lot of people in the world a keychain is
| something you toss in an insecure place most of the time of
| the day.
| throwawaaarrgh wrote:
| stealing watches is pretty trivial if you practice. but
| also TOTP is just more inconvenient than, say, the
| Microsoft authenticator with biometric confirm and server
| push, or a token you just press that's near your computer
| or phone. the fact that these can also help defeat
| phishing is just one more benefit.
| vladvasiliu wrote:
| It may be easier to steal, but it should have some kind
| of minimal protection. It should lock out after a low
| number of failed pins, for example. The YubiKeys do this.
| jgrahamc wrote:
| Phishing doesn't require stealing the watch. It just
| requires me to type in a TOTP token on a phishing
| website. Very different threat model than physical
| access.
| [deleted]
| KingOfCoders wrote:
| Where does one buy the sensor board? Or is it only DIY?
|
| [edit] https://www.crowdsupply.com/oddly-specific-objects/sensor-
| wa...
| diego_moita wrote:
| For the best smartwatch ever made I recommend Pebble
| Authenticator: https://github.com/Neal/pebble-authenticator
| [deleted]
| wryun wrote:
| If you're a bit weirded out by the website secret pasting, I made
| a PR which lets the sensor watch load TOTP secrets from an Aegis
| export (essentially just a bunch of TOTP URIs):
|
| https://github.com/joeycastillo/Sensor-Watch/pull/95
|
| This is the reason I bought the board. It makes me happy not
| having to use my phone for this.
| cbm-vic-20 wrote:
| I just wanted to call out how cool it is to replace the guts of a
| 1980s-era wristwatch with a ARM Cortex M0+ microcontroller, while
| reusing the original display and buttons.
| andrepd wrote:
| One of my long-term hacker project goals is to replace the guts
| of an analog watch with a microcontroller and turn it into a
| "smartwatch-lite". There's a surprising amount of information
| and features you can display with three pointers (and a small
| numeric window): temperature, heartrate and other body sensors,
| NFC to replace payment or access cards, etc.
| wlesieutre wrote:
| Not as customizable as what I'm sure you're planning, but
| Withings makes watches with that design direction
|
| https://www.withings.com/us/en/watches
| andrepd wrote:
| Yep there are plenty of watches like that (for example
| Fossil I think), but I'd really like to take a nice vintage
| watch and build a hackable watch platform myself.
| jkepler wrote:
| Yeah, I had a Withings semismart watch, one of their
| cheaper models without a screen. It integrated a pedometer,
| and had a dial hand that would show steps taken; it moved
| from 0 to 100% of your goal. One had to pair it to the
| Withings Android app to set not just the goal for number of
| steps/day, but even for setting the time.
|
| I sold it after a few months, realizing how much I missed a
| second hand and a glow-in-the-dark face. Also, the app had
| a ton of telemetry going back to Withings.
|
| Building your own you would be in full control of the data.
| amelius wrote:
| Waiting for keyboard with NFC making this even simpler.
| Tepix wrote:
| Neat. For those who don't want to tinker with hardware (just
| software) - is there a nice app providing TOTP for the PineTime
| smartwatch?
| wryun wrote:
| It is pretty trivial to put this board in a Casio watch; I'm
| not even sure I'd call it tinkering unless you decided you want
| to connect the buzzer (requires soldering one bit of metal).
| m4lvin wrote:
| Not for PineTime, but the bangle.js has a 2FA TOTP app:
| https://banglejs.com/apps/?id=authentiwatch
|
| For InfiniTime (the PineTime firmware), here is the
| issue/discussion about it:
| https://github.com/InfiniTimeOrg/InfiniTime/issues/310
| trustingtrust wrote:
| There needs to be a button based passcode to view TOTP instead of
| just pressing one button once. That would add a layer of
| security. A combination of buttons and number of presses should
| still be somewhat added security.
| Arainach wrote:
| What's the threat model here? The TOTP code is worthless
| without the password. You would need to get my password and
| physically obtain the watch; what threat does a button code
| protect against?
|
| Someone who steals the watch from my house doesn't have the
| password.
|
| Someone who phishes the password doesn't have access to the
| watch.
|
| The government agent who has exerted enough physical force or
| legal coercion to get me to cough up the password can demand
| the TOTP code at the same time.
| Cthulhu_ wrote:
| The only added security I can think of on a two factor
| authentication thing is a fingerprint reader on a physical
| hardware key, and even that's more of a gimmick than
| anything. And maybe TOTP codes generated from a password
| manager, but IMO that already defeats the purpose of two-
| factor because if your one device with password manager is
| compromised, they have both password and the second factor.
|
| The four number code IS the added security already.
| Piisamirotta wrote:
| Damn the font size is way too large on my mobile, unreadable.
| 1970-01-01 wrote:
| What's old is new once again. It's the old RSA SecurID token
| generator, but now it has water-resistance and an LED! I'll buy
| one.
| tacon wrote:
| Are there any similar boards or projects for taking over a large
| wall-mounted LCD clock? I would love to hack on that display.
| distcs wrote:
| Is there some Unix-ish tool to generate these TOTPs on a laptop?
| I don't like to keep the 2nd factor on a small mobile device that
| is easy to lose. So I ask about a laptop tool.
|
| By Unix-ish I mean something that is small and does one thing
| well. Like pipe in a secret to it and it gives me a TOTP? Pipe in
| multiple secrets and it gives me multiple TOTPs? Then I don't
| have to remain beholden to a custom encryption format. I can
| encrypt my secrets with other Unix-ish tools, decrypt it, pipe it
| to this tool and get my TOTPs. Recommendations?
| wolczek wrote:
| https://keepassxc.org comes with keepassxc-cli
| nashashmi wrote:
| Totp.app is a great web app. So you can install on your phone
| as well
| [deleted]
| Amorymeltzer wrote:
| From today! https://drewdevault.com/2022/10/18/TOTP-is-
| easy.html
| grenoire wrote:
| I just cooked up something in Python if you have it installed
| on your system, quite straightforward to use. If there's
| interest, I can prepare a compiled version.
|
| Unlike the other ones posted here, this one just takes secrets
| as arguments:
|
| > python -mtotp DGLTPWEUERUUDCEC SWPKQCKEWRXPCRXE
| 628502 674329
|
| https://pastebin.com/apNKxMBF
| susam wrote:
| I believe it is worth mentioning here that reading secrets
| from command line arguments exposes the secrets in shell
| history (e.g., ~/.bash_history, ~/.zsh_history, etc.), thus
| writing the secrets in cleartext to the filesystem. If
| command line auditing is enabled on a system, any secrets in
| command line arguments would be exposed in such audit logs
| too.
|
| Further, if multiple users are logged into the same system
| (perhaps an unlikely scenario for most people), then secrets
| in command line arguments would expose the secrets in the
| output of ps -ef too thereby exposing the secrets to other
| users.
|
| By the way, I have a similar script at
| https://github.com/susam/mintotp but it reads secrets from
| the standard input (as opposed to reading from command line
| arguments), one secret per line, and outputs TOTP values, one
| per line. Most of what this script does can be done with
| oathtool too and there is a section titled "Alternative: OATH
| Toolkit" in the README that documents this in detail.
| twalla wrote:
| fun fact: you can teach your shell to ignore commands that
| begin with a space character. in bash $HISTCONTROL needs to
| be ignorespace or ignoreboth, in zsh you must setopt
| HIST_IGNORE_SPACE
| neilv wrote:
| > _reading secrets from command line arguments exposes the
| secrets in shell history_
|
| Yes, and process arguments (such as from command line) can
| also be accessible in process list data that's accessible
| to other processes and users.
|
| Even if the process only lives for an instant, or normally
| no other processes could access the data, good practice is
| to nevertheless keep secrets out of any process arguments.
| grenoire wrote:
| I should indeed have mentioned that. On the other hand,
| this is not a concern if you do not execute it outside
| your shell (e.g. in another script that reads TOTP secrets
| from elsewhere).
| 3np wrote:
| Here's an example of how you can wrap oathtool from oath-
| toolkit: https://markusholtermann.eu/2018/08/simple-bash-totp-
| script/
|
| https://www.nongnu.org/oath-toolkit/
| computerfriend wrote:
| You can also store them on YubiKeys, accessible on the command
| line with ykman.
| maeln wrote:
| > Is there some Unix-ish tool to generate these TOTPs on a
| laptop? I don't like to keep the 2nd factor on a small mobile
| device that is easy to lose.
|
| I know that this is not really answering your question, but
| most open-source TOTP apps (like andOTP and Aegis) can export
| all the TOTP in an encrypted file that you can save. So if you
| lose your main TOTP device you can restore all of them quite
| easily.
| markstos wrote:
| You are looking for a Yubikey and `ykman`.
|
| This is secure because the secret never leaves the hardware
| key.
|
| This is convenient because you launch a tool with a global
| keyboard shortcut and copy/paste the code. I use `yubikey-oath-
| dmenu` to allow me to quickly filter to the TOTP code I need.
| undume wrote:
| OATH Toolkit provides a console tool for generating TOTP codes:
| oathtool. https://www.nongnu.org/oath-toolkit/
| guipsp wrote:
| https://github.com/WhyNotHugo/totp-cli
| aw1cks wrote:
| pass-otp[0] integrates into pass[1] nicely. It's about as
| unix-y as password/secret management comes in my eyes.
|
| Alternatively, gopass[2], which re-implements pass in golang,
| has this functionality built in[3].
|
| [0] https://github.com/tadfisher/pass-otp
|
| [1] https://www.passwordstore.org/
|
| [2] https://www.gopass.pw/
|
| [3]
| https://github.com/gopasspw/gopass/blob/master/docs/commands...
| tadfisher wrote:
| Thanks for the compliment!
| nashashmi wrote:
| Also need to mention totp.app
|
| It allows export import feature of keys
| emreb wrote:
| Authy used to have a Chrome client you can run on your computer
| that synchronizes all your secrets.
| adamgordonbell wrote:
| I think you want oathtool.
|
| You can also use python's pyotp.totp.now()
|
| https://earthly.dev/blog/multi-factor-auth/
| lukeschlather wrote:
| You need a TPM 2.0 compatible CPU, but something like this
| sounds really excellent:
| https://github.com/tpm2-software/tpm2-totp
|
| This means your laptop itself would be your hardware device,
| the TOTP secret would be stored in the TPM and theoretically
| impossible to steal/copy. Of course this means you will
| probably want a mobile device (possibly a second laptop also)
| as a backup.
| cryptonector wrote:
| Note that tpm2-totp is specifically meant to authenticate
| your laptop's state (TPM PCR values) to you, not you to some
| third system. But you could adapt tpm2-totp for the purpose
| of authenticating you to other systems.
| tecleandor wrote:
| Several options...
|
| Not exactly the same, but if you're using Bitwarden (which is
| compatible with generating TOTP tokens) to manage your
| passwords, you can use their bitwarden-cli tool to request
| tokens from the cli: https://bitwarden.com/help/cli/#get
|
| But if you want the simplest cli thing, you can probably use
| use this golang ( https://github.com/yitsushi/totp-cli ) or
| this python ( https://github.com/WhyNotHugo/totp-cli )
| implementations.
| Brajeshwar wrote:
| If you are not that much of a hacker but already own a Smartwatch such as
| the Apple Watch, Authy[1] is a pretty rock solid option. I use
| Authy for a few key credentials, and I have used my watch for the
| keys.
|
| FYI, Authy was bought and is now owned by Twilio
|
| 1. https://authy.com
| k8sToGo wrote:
| I use Authy as well. Best part is it backs up your stuff.
| Avamander wrote:
| Are those backups E2EE?
|
| Also to be totally honest, each device should have their own
| TOTP key and while backups are fine*, key sharing isn't.
| jabroni_salad wrote:
| Key sharing isn't fine but how many web services will let me
| enroll multiple totp tokens simultaneously? I haven't
| encountered any, personally. Y'all designed this reality,
| now you have to live in it.
| stoplying1 wrote:
| No. They aren't. This thread is seriously upsetting to
| read. So many people clearly haven't even remotely begun to
| think about what they're doing or the implications thereof.
| bjord wrote:
| everything I've read suggests that they are, in fact,
| E2EE
|
| of course, they're not open source, so I'm not _really_
| going to bat for them here, but am I missing something?
|
| https://authy.com/blog/how-the-authy-two-factor-backups-
| work...
|
| https://www.ghacks.net/2022/08/10/twilio-the-company-
| behind-...
|
| etc.
| stoplying1 wrote:
| Another user here pointed out that Authy uses a user
| provided password to encrypt the 2fa secrets on the
| server. That's definitely more secure than I had said,
| that's my mistake. (I still have my reservations, but
| that's getting too pedantic to matter here)
| Maxburn wrote:
| That's the feature that got me into Authy. The other feature
| being it wasn't a google product.
| dontlaugh wrote:
| There's also Step Two, for iOS, Watch OS and even macOS. I
| quite like it.
| whatsthatabout wrote:
| That's what I use as well. Nice apps, fair pricing (One-time
| payment) and no data collection. Started using it only
| because of its feature to sync between devices with iCloud -
| so no more stress if my phone breaks.
| Avamander wrote:
| Unfortunately it has no import/export functionality and
| truncates eight/ten-digit TOTP codes. As I mentioned in an
| another comment, even then it is better than most
| alternatives on iOS.
| stoplying1 wrote:
| Ah yes, Twilio, the company that activated 2FA, forced users to
| activate it during login, and somehow forced it to be SMS auth
| (aka, completely jamming my account because I dared to login).
|
| Had to manually contact them to resolve and then close the
| account because FUCK THAT, and fuck SendGrid too, which did the
| exact same thing after Twilio acquired them.
|
| Sorry, I don't buy for a second that that was an accident or
| negligence. I'm sick of watching people play ball with
| companies that pull such moves. (Edit: you want to KYC me to
| prevent abuse? Fine. Don't make my startup insecure to achieve
| it.)
|
| Authy is just not a good suggestion here when there are
| standard, non-needlessly-tied-to-sms options.
| ayewo wrote:
| I use Duo Mobile [1] with my Apple Watch.
|
| Authy gets recommended often here but I got turned off of them
| because they require a phone number to set up the app on iOS.
| There's no phone number requirement for TOTP implementations so
| I eventually found Duo Mobile. This was before they got bought
| by Cisco.
|
| 1: https://apps.apple.com/us/app/duo-mobile/id422663827
| Brajeshwar wrote:
| Ah! I used Authy because it was one of the very early OGs of
| TOTP Apps.
| GekkePrutser wrote:
| I use AndOTP on Android. You can export to a PGP-encrypted
| JSON file so your keys are really your own and not locked
| into a walled garden like Authy.
| Avamander wrote:
| AndOTP is great. Especially if you compare it with all the
| iOS options.
|
| iOS TOTP apps all suck, it's amazingly bad. I installed
| like ~15 different ones. After the fifth try, I just had to
| know if it was just my poor initial selection or a general
| problem.
|
| Each and every iOS TOTP app has at least one crucial
| problem - requiring a subscription, mandatory sync to a
| proprietary cloud, having no export-import, not having a
| watch companion, being from an unknown/generic developer,
| no support for longer TOTP codes (worse, some display it
| truncated!) or they're simply very buggy.
|
| I settled on Step Two because it was like all the others,
| but not an eyesore...
| Caboose8685 wrote:
| Did you try Raivo OTP? I've seen good things said about
| it by FOSS people.
|
| https://raivo-otp.com/
| Avamander wrote:
| Yes. It had no import functionality, no Apple Watch
| companion, and a relatively convoluted setup process that
| adds a point of failure without reasonable reduction in
| any risk.
|
| One would have to set a password that they then store in
| a password manager, that is then accessed using the same
| 2FA protected by the password. Plus a mandatory PIN, with
| the same caveats. Cyclical or duplicate authentication is
| simply not good design.
| alibert wrote:
| I have been using OTP Auth for a while. It doesn't get
| updated a lot but it's working fine.
|
| https://cooperrs.de/otpauth.html
| jasonjayr wrote:
| iOS's security makes a self-hosted/non-third party
| backup/sync super difficult IIRC. (Unless you use Apple's
| product) I think unless the app has it built in, it's not
| easily doable. Android can use syncthing, but even Google
| is making that more and more difficult with each release.
|
| Is there a standard app developers can use to securely
| sync/backup to for self-hosters? Is there a 'nice'
| UX/flow to connect apps to s3-style storage (enabling
| folks to use AWS/DO/Backblaze/whatever?) or would that be
| too raw?
| Avamander wrote:
| You're most likely correct about automatic
| synchronisation from filesystem like that. That though
| doesn't mean there can't be any built-in integration with
| Next/OwnCloud or simply manual export-import.
| maeln wrote:
| Aegis is another open-source option. It can import the
| andOTP format and can also export the keys, but has the
| advantage of being able to use fingerprint unlock.
| jabroni_salad wrote:
| I also like that Aegis has folders so I can separate my
| work and personal stuff. Most of the others are just a
| flat list.
| thomc wrote:
| AndOTP can use your fingerprint as well.
| Settings->Authentication->Device Credentials
| ceejayoz wrote:
| The phone number gets used during account recovery; when I
| reset my iPhone once without a second Authy device to
| activate it, I was locked out for 24h while it bombarded my
| number with calls and texts about the impending restore. I
| appreciated that safety measure.
| stoplying1 wrote:
| And I don't appreciate being forced into a "feature" that
| specifically subverts the entire god damn point of 2FA
| codes and leaves them in an unprotected state on some third
| party server.
|
| Great!
| ceejayoz wrote:
| It is, indeed, great to have choices.
|
| (Side note: Authy backups are encrypted client-side with
| the user's backup password. They're not unprotected on a
| third-party server; Authy has no ability to decrypt them.
| https://authy.com/blog/how-the-authy-two-factor-backups-
| work...)
| stoplying1 wrote:
| I apologize for getting that wrong and also want to
| acknowledge that choice IS good, and I do agree that
| informed users can reasonably make that decision. I get a
| bit too "there's one best/right answer" on this topic,
| thanks for checking me a bit.
| _dongle_aster_ wrote:
| The TOTP secrets are encrypted with a passphrase locally.
| You need the phone number to download the encrypted
| secrets but then need to use your passphrase to decrypt
| the restored backup locally.
| yunruse wrote:
| The concept of programming a dumb watch is rather appealing; this
| project looks like one that's both practical and quite fun to
| work on.
|
| It would be rather neat to have a dumb watch that can take in
| custom embedded code (say Lua) for people who enjoy hacking but
| are terrible at hardware. I'd buy one day one!
| yellow_lead wrote:
| How accurate does the time have to be for TOTP to work? If the
| watch drifts a bit, will it no longer work? Compared to your
| phone which is synced with an NTP server.
| VTimofeenko wrote:
| The key lifetime may be other than the default 30 seconds, and
| IIRC the validator side may be configured to accept keys from N
| previous generations.
| petesergeant wrote:
| Up to the authenticating service
| joshxyz wrote:
| up to the service. some services allow up to 2 windows.
| himlion wrote:
| AWS asks you to sync by inputting subsequent codes if it
| detects keys from the wrong time window.
| samcat116 wrote:
| This is super cool but do folks really need their google and
| GitHub 2FA codes often enough to justify this? Browser sessions
| are pretty durable it seems. The one thing I could think of is
| GitHub admin type actions that prompt for a credential to enter
| "sudo" mode or whatever they call it. However in that case
| they'll take your password as well (or a webauthn key in my case)
| teaearlgraycold wrote:
| I have everything in 1P. No need for a physical device.
| MartinCron wrote:
| I always thought that the benefit of the physical device was
| that it was decoupled from the main device. If someone steals
| my laptop, for example, they won't be able to access my MFA
| secured accounts unless they ALSO steal my phone (and are
| unable to lock it).
| cyphar wrote:
| Sure, but if your threat model is that the attacker has
| enough access to your machine to extract your password
| manager's database, they can also just copy your session
| cookies from your existing browser session. Even in the
| case of password leaks, if someone breaches the password
| database of a website they can just as easily dump the TOTP
| table.
|
| Personally my view is that (if you're using a password
| manager with a unique password per-site) 2FA primarily
| protects you when you have to input your password on an
| untrusted system that may have a keylogger. In that case it
| doesn't really matter where you store the TOTP key
| (presumably you're not going to unlock your password
| database on that machine).
|
| To be fair, in the case of a security bug in the password
| manager (such as the few previous LastPass bugs in this
| vein), you are slightly more protected. But I use KeePassXC
| which has a far more segregated design so I'm not as
| worried about this as I would be if I was using a password
| manager entirely integrated into the browser (either built-
| in or an extension).
|
| (Though these days I primarily use U2F/WebAuthn if the site
| supports it.)
| edent wrote:
| I use systems which require a 2FA code every day, or whenever a
| destructive action takes place.
|
| So this is certainly useful for some people.
| m-p-3 wrote:
| It saved me a trip back to my desk a few times when I had to
| sign in to an account protected by 2FA on another computer and
| I forgot to bring my phone along.
| abawany wrote:
| Also, some sites, such as Fidelity, now require the 2fa
| password on every login regardless of browser trust status.
| SoftTalker wrote:
| Some folks don't use browser sessions.
|
| I log out of everything every day.
| bdcravens wrote:
| Some sites prompt more frequently (for example, AWS)
| kamranjon wrote:
| This is very cool, I just recently ordered a light phone 2 (a
| dumb phone) - and one of the things I am currently trying to
| solve is how I am going to access my google authentication codes
| for various work and personal project related accounts. Something
| like this would be very awesome, but also this post really
| demystifies how this type of auth works.
| tejado wrote:
| Maybe Authorizer is something you will like:
| https://github.com/tejado/Authorizer
| mkesper wrote:
| Please do not paste your secrets into any website as proposed
| here for conversion.
| cyanawesome wrote:
| Seriously, the QR is just a URI that any QR reader can decode
| (preferably one you trust).
|
| https://github.com/google/google-authenticator/wiki/Key-Uri-...
| monocasa wrote:
| And not just that, but TOTP isn't based on public/private
| crypto, but instead a shared secret embedded in plaintext in
| that URI.
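Three technical threads on this page come down to the same few lines of code: susam's and neilv's point further up about feeding secrets on stdin rather than argv (where they land in shell history and `ps` output), yellow_lead's clock-drift question (a validator accepts neighbouring time steps, and himlion's note that AWS resyncs from subsequent codes), and cyanawesome's and monocasa's point just above that the QR code is nothing more than an otpauth:// URI carrying the shared secret in plaintext. What follows is an added example written for this page, not code from the thread, from the Sensor Watch project or from mintotp: a standard-library-only Python implementation of all of it. Function names are mine; SAMPLE_URI is constructed; the secret is the published RFC 4226/6238 test key; and resync_offset is my reading of an "enter the next two codes" flow, not AWS's actual implementation.

```python
"""Added example (not from the thread, Sensor Watch or mintotp): RFC 4226/6238
TOTP end to end with the Python standard library only.

  hotp()/totp()     HMAC over the counter, dynamic truncation, N digits.
  parse_otpauth()   decodes the otpauth://totp/ Key URI a QR code carries;
                    the shared secret sits in plaintext in the query string.
  verify()          server side: accepts the current step +/- `window` steps,
                    which is how services tolerate a drifting client clock.
  resync_offset()   two consecutive codes pin down a larger clock offset
                    (my reading of an "enter the next two codes" flow).
  main()            one base32 secret or otpauth URI per stdin line, so
                    secrets never land in argv, shell history or `ps`.
"""
import base64
import hashlib
import hmac
import struct
import sys
import time
from urllib.parse import parse_qs, unquote, urlparse

RFC_SECRET = b"12345678901234567890"                 # RFC 4226/6238 test key
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # the same key, base32
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com?secret="    # constructed
              + RFC_SECRET_B32 + "&issuer=Example&digits=8&period=30")


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC(key, 8-byte big-endian counter), then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_base32(secret_b32: str) -> bytes:
    """Base32 as apps print it: any case, optional spaces, padding optional."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32, at=None, digits=6, period=30, algorithm="sha1"):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    at = time.time() if at is None else at
    return hotp(decode_base32(secret_b32), int(at) // period, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Key URI: otpauth://totp/ISSUER:ACCOUNT?secret=..&issuer=..&digits=..&period=.."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    issuer, _, account = unquote(u.path.lstrip("/")).rpartition(":")
    return {
        "issuer": q.get("issuer", issuer),
        "account": account.strip(),
        "secret": q["secret"],                      # plaintext shared secret
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }


def verify(secret_b32, code, at=None, window=1, digits=6, period=30, algorithm="sha1"):
    """Server side. Returns the step offset in [-window, window] that matched, else None.
    window=1 at a 30 s period tolerates roughly +/-30 s of client drift."""
    at = time.time() if at is None else at
    key, step = decode_base32(secret_b32), int(at) // period
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, step + delta, digits, algorithm), code):
            return delta
    return None


def resync_offset(secret_b32, code1, code2, at=None, search=50, digits=6, period=30, algorithm="sha1"):
    """Find a client clock offset of up to +/- `search` steps from two consecutive
    codes. Two codes are required: one six-digit code searched over 101 steps
    would hand an attacker roughly a 1-in-10,000 hit rate per guess."""
    at = time.time() if at is None else at
    key, step = decode_base32(secret_b32), int(at) // period
    for delta in range(-search, search + 1):
        if (hmac.compare_digest(hotp(key, step + delta, digits, algorithm), code1)
                and hmac.compare_digest(hotp(key, step + delta + 1, digits, algorithm), code2)):
            return delta
    return None


def main():
    # One base32 secret or otpauth URI per line on stdin; blank lines and # comments skipped.
    for line in sys.stdin:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("otpauth://"):
            p = parse_otpauth(line)
            print(totp(p["secret"], digits=p["digits"], period=p["period"], algorithm=p["algorithm"]))
        else:
            print(totp(line))


if __name__ == "__main__":
    main()
```

Run it as `printf '%s\n' GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ | python3 totp_tool.py` (the file name is mine): because the secret arrives on stdin it never appears in ~/.bash_history, command-line audit logs or `ps -ef`. The published RFC 6238 vectors make a quick self-check: the test key at Unix time 59 with eight digits gives 94287082. Note how little the "server" needs to store for this to work: the very same secret the client holds, which is why a breach of the TOTP table is as bad as a breach of the client.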
| [deleted]
| jcpst wrote:
| I have been wearing the F-91 every day for a long time. It's such
| a classic piece, and the only digital watch that really appealed
| to me.
|
| I'm quite excited at the idea of taking one of my old ones and
| giving it new functionality.
| jazzyjackson wrote:
| I didn't see anything on the site about where to get one, so
| here's the link to their crowd supply, $36 for the board.
|
| https://www.crowdsupply.com/oddly-specific-objects/sensor-wa...
___________________________________________________________________
(page generated 2022-10-18 23:02 UTC)