#hotp — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #hotp, aggregated by home.social.
-
OK, normally I have my shit wired together, but this bastard is getting to me.
The requirement is for 'phishing-resistant' second factor. That rules out all of the six-digit code apps - it is too easy apparently to get someone to read out their codes to an attacker.
Again, IDK, but apparently 'phishing-resistant' is the next Big Thing. My personal feeling? We are chasing our shadows. Unless I am the last alive Iranian nuclear bloke, my login is as secure as I can be bothered to make it, and I am bound to be disappointed by a weakness at some point in the near or far future. Phishing isn't on the agenda.
Life.
I carry a seemingly-fine cryptographic store about with me most days and ludicrously call it my 'phone'. It can sign stuff, wrangle certificates, store passwords, read faces and fingerprints and QRcodes and NFC tags. Heaps of useful 'security' stuff. I wouldn't call the software environment _secure_ at all, but ... IDK, people seem happy enough with it. Anything for an easy life. Row with the flow.
So I search for:
"google passkey login with ssh"
My god, whatalottasloppa comes back. A gattling gun of half-arsery, cant and junk advice.
Then "MS hello for business login ssh". Christ almighty. Much worse. Worse again.
Then "Apple ID login to ssh". At least that seems to be a simple: "no". A relief really.Someone in the know please: can I set up my sshd to use my phone-based passkey as a; primary, secondary or even the complete, login?
#TOTP #HOTP #passkey #sshd #key #certificates #PSK #login #ssh #linux #pam #openssh
-
OK, normally I have my shit wired together, but this bastard is getting to me.
The requirement is for 'phishing-resistant' second factor. That rules out all of the six-digit code apps - it is too easy apparently to get someone to read out their codes to an attacker.
Again, IDK, but apparently 'phishing-resistant' is the next Big Thing. My personal feeling? We are chasing our shadows. Unless I am the last alive Iranian nuclear bloke, my login is as secure as I can be bothered to make it, and I am bound to be disappointed by a weakness at some point in the near or far future. Phishing isn't on the agenda.
Life.
I carry a seemingly-fine cryptographic store about with me most days and ludicrously call it my 'phone'. It can sign stuff, wrangle certificates, store passwords, read faces and fingerprints and QRcodes and NFC tags. Heaps of useful 'security' stuff. I wouldn't call the software environment _secure_ at all, but ... IDK, people seem happy enough with it. Anything for an easy life. Row with the flow.
So I search for:
"google passkey login with ssh"
My god, whatalottasloppa comes back. A gattling gun of half-arsery, cant and junk advice.
Then "MS hello for business login ssh". Christ almighty. Much worse. Worse again.
Then "Apple ID login to ssh". At least that seems to be a simple: "no". A relief really.Someone in the know please: can I set up my sshd to use my phone-based passkey as a; primary, secondary or even the complete, login?
#TOTP #HOTP #passkey #sshd #key #certificates #PSK #login #ssh #linux #pam #openssh
-
OK, normally I have my shit wired together, but this bastard is getting to me.
The requirement is for 'phishing-resistant' second factor. That rules out all of the six-digit code apps - it is too easy apparently to get someone to read out their codes to an attacker.
Again, IDK, but apparently 'phishing-resistant' is the next Big Thing. My personal feeling? We are chasing our shadows. Unless I am the last alive Iranian nuclear bloke, my login is as secure as I can be bothered to make it, and I am bound to be disappointed by a weakness at some point in the near or far future. Phishing isn't on the agenda.
Life.
I carry a seemingly-fine cryptographic store about with me most days and ludicrously call it my 'phone'. It can sign stuff, wrangle certificates, store passwords, read faces and fingerprints and QRcodes and NFC tags. Heaps of useful 'security' stuff. I wouldn't call the software environment _secure_ at all, but ... IDK, people seem happy enough with it. Anything for an easy life. Row with the flow.
So I search for:
"google passkey login with ssh"
My god, whatalottasloppa comes back. A gattling gun of half-arsery, cant and junk advice.
Then "MS hello for business login ssh". Christ almighty. Much worse. Worse again.
Then "Apple ID login to ssh". At least that seems to be a simple: "no". A relief really.Someone in the know please: can I set up my sshd to use my phone-based passkey as a; primary, secondary or even the complete, login?
#TOTP #HOTP #passkey #sshd #key #certificates #PSK #login #ssh #linux #pam #openssh
-
OK, normally I have my shit wired together, but this bastard is getting to me.
The requirement is for 'phishing-resistant' second factor. That rules out all of the six-digit code apps - it is too easy apparently to get someone to read out their codes to an attacker.
Again, IDK, but apparently 'phishing-resistant' is the next Big Thing. My personal feeling? We are chasing our shadows. Unless I am the last alive Iranian nuclear bloke, my login is as secure as I can be bothered to make it, and I am bound to be disappointed by a weakness at some point in the near or far future. Phishing isn't on the agenda.
Life.
I carry a seemingly-fine cryptographic store about with me most days and ludicrously call it my 'phone'. It can sign stuff, wrangle certificates, store passwords, read faces and fingerprints and QRcodes and NFC tags. Heaps of useful 'security' stuff. I wouldn't call the software environment _secure_ at all, but ... IDK, people seem happy enough with it. Anything for an easy life. Row with the flow.
So I search for:
"google passkey login with ssh"
My god, whatalottasloppa comes back. A gattling gun of half-arsery, cant and junk advice.
Then "MS hello for business login ssh". Christ almighty. Much worse. Worse again.
Then "Apple ID login to ssh". At least that seems to be a simple: "no". A relief really.Someone in the know please: can I set up my sshd to use my phone-based passkey as a; primary, secondary or even the complete, login?
#TOTP #HOTP #passkey #sshd #key #certificates #PSK #login #ssh #linux #pam #openssh
-
OK, normally I have my shit wired together, but this bastard is getting to me.
The requirement is for 'phishing-resistant' second factor. That rules out all of the six-digit code apps - it is too easy apparently to get someone to read out their codes to an attacker.
Again, IDK, but apparently 'phishing-resistant' is the next Big Thing. My personal feeling? We are chasing our shadows. Unless I am the last alive Iranian nuclear bloke, my login is as secure as I can be bothered to make it, and I am bound to be disappointed by a weakness at some point in the near or far future. Phishing isn't on the agenda.
Life.
I carry a seemingly-fine cryptographic store about with me most days and ludicrously call it my 'phone'. It can sign stuff, wrangle certificates, store passwords, read faces and fingerprints and QRcodes and NFC tags. Heaps of useful 'security' stuff. I wouldn't call the software environment _secure_ at all, but ... IDK, people seem happy enough with it. Anything for an easy life. Row with the flow.
So I search for:
"google passkey login with ssh"
My god, whatalottasloppa comes back. A gattling gun of half-arsery, cant and junk advice.
Then "MS hello for business login ssh". Christ almighty. Much worse. Worse again.
Then "Apple ID login to ssh". At least that seems to be a simple: "no". A relief really.Someone in the know please: can I set up my sshd to use my phone-based passkey as a; primary, secondary or even the complete, login?
#TOTP #HOTP #passkey #sshd #key #certificates #PSK #login #ssh #linux #pam #openssh
-
PSA for those implementing #rfc6238: READ THE ERRATA! Maybe even before reading the RFC itself. I wasted an entire day chasing my tail because the RFC contained incorrect test vectors.
#IETF #RFC #openSource #programming #totp #hotp -
Behind the 6-digit code: Building HOTP and TOTP from scratch
https://blog.dogac.dev/how-do-one-time-passwords-work/
#HackerNews #HOTP #TOTP #OneTimePasswords #Security #Development
-
I'm looking for a good overview/comparison of different #MFA/#2FA or #PasswordLess authentication protocols.
The recent #Fido2 #MitM risk made me aware that I need to learn more.
Pointers and #BoostWelcome
#fedipower #wisdomOfTheCrowd #FollowerPower
As the best way to get an answer on the internet, is to state something wrong, let's try this 😜
#FIDO and FIDO2 are actually a whole set of (related?) protocols.
FIDO includes FIDO #UAF (Universal Authentication Framework) and FIDO #U2F (Universal Second Factor).FIDO2 is the "successor" of FIDO and consists of two parts.
#WebAuthn and #CTAP (Client to Authenticator Protocol). From the name I would guess that WebAuthn is for web stuff (requiring browser support) and CTAP is for IT infrastructure stuff (???)#Passkey is based on #Fido2
Other related concepts or protocols are #OTP (one-time passwords), #TOTP (Time-based One-time Password) and #HOTP (“H” in HOTP stands for Hash-based Message Authentication Code (HMAC))Not sure how #SmartCards play into this.
And not sure which of these methods would work for an offline authentication login into your laptop (and ideally also as key for whole disk encryption)
-
I'm looking for a good overview/comparison of different #MFA/#2FA or #PasswordLess authentication protocols.
The recent #Fido2 #MitM risk made me aware that I need to learn more.
Pointers and #BoostWelcome
#fedipower #wisdomOfTheCrowd #FollowerPower
As the best way to get an answer on the internet, is to state something wrong, let's try this 😜
#FIDO and FIDO2 are actually a whole set of (related?) protocols.
FIDO includes FIDO #UAF (Universal Authentication Framework) and FIDO #U2F (Universal Second Factor).FIDO2 is the "successor" of FIDO and consists of two parts.
#WebAuthn and #CTAP (Client to Authenticator Protocol). From the name I would guess that WebAuthn is for web stuff (requiring browser support) and CTAP is for IT infrastructure stuff (???)#Passkey is based on #Fido2
Other related concepts or protocols are #OTP (one-time passwords), #TOTP (Time-based One-time Password) and #HOTP (“H” in HOTP stands for Hash-based Message Authentication Code (HMAC))Not sure how #SmartCards play into this.
And not sure which of these methods would work for an offline authentication login into your laptop (and ideally also as key for whole disk encryption)
-
I'm looking for a good overview/comparison of different #MFA/#2FA or #PasswordLess authentication protocols.
The recent #Fido2 #MitM risk made me aware that I need to learn more.
Pointers and #BoostWelcome
#fedipower #wisdomOfTheCrowd #FollowerPower
As the best way to get an answer on the internet, is to state something wrong, let's try this 😜
#FIDO and FIDO2 are actually a whole set of (related?) protocols.
FIDO includes FIDO #UAF (Universal Authentication Framework) and FIDO #U2F (Universal Second Factor).FIDO2 is the "successor" of FIDO and consists of two parts.
#WebAuthn and #CTAP (Client to Authenticator Protocol). From the name I would guess that WebAuthn is for web stuff (requiring browser support) and CTAP is for IT infrastructure stuff (???)#Passkey is based on #Fido2
Other related concepts or protocols are #OTP (one-time passwords), #TOTP (Time-based One-time Password) and #HOTP (“H” in HOTP stands for Hash-based Message Authentication Code (HMAC))Not sure how #SmartCards play into this.
And not sure which of these methods would work for an offline authentication login into your laptop (and ideally also as key for whole disk encryption)
-
I'm looking for a good overview/comparison of different #MFA/#2FA or #PasswordLess authentication protocols.
The recent #Fido2 #MitM risk made me aware that I need to learn more.
Pointers and #BoostWelcome
#fedipower #wisdomOfTheCrowd #FollowerPower
As the best way to get an answer on the internet, is to state something wrong, let's try this 😜
#FIDO and FIDO2 are actually a whole set of (related?) protocols.
FIDO includes FIDO #UAF (Universal Authentication Framework) and FIDO #U2F (Universal Second Factor).FIDO2 is the "successor" of FIDO and consists of two parts.
#WebAuthn and #CTAP (Client to Authenticator Protocol). From the name I would guess that WebAuthn is for web stuff (requiring browser support) and CTAP is for IT infrastructure stuff (???)#Passkey is based on #Fido2
Other related concepts or protocols are #OTP (one-time passwords), #TOTP (Time-based One-time Password) and #HOTP (“H” in HOTP stands for Hash-based Message Authentication Code (HMAC))Not sure how #SmartCards play into this.
And not sure which of these methods would work for an offline authentication login into your laptop (and ideally also as key for whole disk encryption)
-
I'm looking for a good overview/comparison of different #MFA/#2FA or #PasswordLess authentication protocols.
The recent #Fido2 #MitM risk made me aware that I need to learn more.
Pointers and #BoostWelcome
#fedipower #wisdomOfTheCrowd #FollowerPower
As the best way to get an answer on the internet, is to state something wrong, let's try this 😜
#FIDO and FIDO2 are actually a whole set of (related?) protocols.
FIDO includes FIDO #UAF (Universal Authentication Framework) and FIDO #U2F (Universal Second Factor).FIDO2 is the "successor" of FIDO and consists of two parts.
#WebAuthn and #CTAP (Client to Authenticator Protocol). From the name I would guess that WebAuthn is for web stuff (requiring browser support) and CTAP is for IT infrastructure stuff (???)#Passkey is based on #Fido2
Other related concepts or protocols are #OTP (one-time passwords), #TOTP (Time-based One-time Password) and #HOTP (“H” in HOTP stands for Hash-based Message Authentication Code (HMAC))Not sure how #SmartCards play into this.
And not sure which of these methods would work for an offline authentication login into your laptop (and ideally also as key for whole disk encryption)
-
Authenticator app? What's that? I use the terminal 🔥
🔒 **cotp**: Trustworthy and encrypted TOTP/HOTP authenticator with a TUI.
🚀 Supports importing (e.g. from Aegis, Authy, Google Authenticator, etc.)
🦀 Written in Rust & built with @ratatui_rs
⭐ GitHub: https://github.com/replydev/cotp
#rustlang #ratatui #tui #totp #hotp #authentication #auth #encryption
-
#Shaarli: GitHub - beemdevelopment/Aegis: A free, secure and open source app for Android to manage your 2-step verification tokens. - Application mobile d'authentification double facteur (2FA).
Permet d'importer les jetons depuis d'autres applications (accès root) et de sauvegarder automatiquement les jetons. : https://github.com/beemdevelopment/Aegis #totp #hotp #2fa -
Passwords, multiple authentication factors: everything you want to know but are truly afraid to ask...
The full text: https://writefreely.mrnet.pt/pls/lets-talk-about-safer-authentication-the-good-bad-and-the-ugly
#authentication #hotp #totp #FIDO #FIDO2 #passkeys #webauthn #u2f #2fa #passwords #security
-
#OneTrickPony is a modern #Java library that implements support for One-Time Passwords. Built-In support is provided for the #HOTP (RFC 4226) and #TOTP (RFC 6238) algorithms. https://bit.ly/3YoVQ6M #Security
-
#OneTrickPony is a modern #Java library that implements support for One-Time Passwords. Built-In support is provided for the #HOTP (RFC 4226) and #TOTP (RFC 6238) algorithms. https://bit.ly/3YoVQ6M #Security
-
#OneTrickPony is a modern #Java library that implements support for One-Time Passwords. Built-In support is provided for the #HOTP (RFC 4226) and #TOTP (RFC 6238) algorithms. https://bit.ly/3YoVQ6M #Security
-
#OneTrickPony is a modern #Java library that implements support for One-Time Passwords. Built-In support is provided for the #HOTP (RFC 4226) and #TOTP (RFC 6238) algorithms. https://bit.ly/3YoVQ6M #Security
-
#OneTrickPony is a modern #Java library that implements support for One-Time Passwords. Built-In support is provided for the #HOTP (RFC 4226) and #TOTP (RFC 6238) algorithms. https://bit.ly/3YoVQ6M #Security
-
heise+ | 2FA: Fünf kostenlose Authenticator-Apps für Android im Vergleich
Alle von uns getesteten Authenticator-Apps können Einmalcodes generieren. Sie bieten allerdings unterschiedliche Einstellungsmöglichkeiten und Funktionen.
2FA: Fünf kostenlose Authenticator-Apps für Android im Vergleich -
heise+ | Passwortmanager Keepass: So generieren Sie Einmalpasswörter
Keepass kann Codes für die Zwei-Faktor-Authentifizierung generieren – oder die eigene Passwort-Datenbank damit schützen. So wird Keepass zur Passwort-Zentrale.
Passwortmanager Keepass: So generieren Sie Einmalpasswörter -
#andOTP is a Free open source Two-factor authentication app for #Android - https://github.com/andOTP/andOTP Among its useful features are plain text or encrypted automated #backup, visual icons, QR-code scanning, minimal permissions, Android-keystore authentication and ability to import from most other #2FA apps.
#backup #otp #totp #hotp #degoogle
via https://magicfab.ca/liens/ -
Prisa kodgudarna, tvåfaktorsautentisering på datamaskinen är här! #OTPClient ser ut att vara ett riktigt trevligt program med stark kryptering och lösenordsskydd för #2FA direkt på datorn. Men kanske för bekvämt i relation till ökad säkerhet med att ha 2FA på annan device? https://github.com/paolostivanin/OTPClient Tänk om #Sverige hade vettig öppen #eID där det räckte med tvåfaktor på dator eller mobil för identifiering oavsett system. #BankID #FrejaEID #TOTP #HOTP #WebAuthN