home.social

#hotp — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #hotp, aggregated by home.social.

  1. OK, normally I have my shit wired together, but this bastard is getting to me.

    The requirement is for 'phishing-resistant' second factor. That rules out all of the six-digit code apps - it is too easy apparently to get someone to read out their codes to an attacker.

    Again, IDK, but apparently 'phishing-resistant' is the next Big Thing. My personal feeling? We are chasing our shadows. Unless I am the last alive Iranian nuclear bloke, my login is as secure as I can be bothered to make it, and I am bound to be disappointed by a weakness at some point in the near or far future. Phishing isn't on the agenda.

    Life.

    I carry a seemingly-fine cryptographic store about with me most days and ludicrously call it my 'phone'. It can sign stuff, wrangle certificates, store passwords, read faces and fingerprints and QRcodes and NFC tags. Heaps of useful 'security' stuff. I wouldn't call the software environment _secure_ at all, but ... IDK, people seem happy enough with it. Anything for an easy life. Row with the flow.

    So I search for:
    "google passkey login with ssh"
    My god, whatalottasloppa comes back. A gattling gun of half-arsery, cant and junk advice.
    Then "MS hello for business login ssh". Christ almighty. Much worse. Worse again.
    Then "Apple ID login to ssh". At least that seems to be a simple: "no". A relief really.

    Someone in the know please: can I set up my sshd to use my phone-based passkey as a; primary, secondary or even the complete, login?

    #TOTP #HOTP #passkey #sshd #key #certificates #PSK #login #ssh #linux #pam #openssh

  2. OK, normally I have my shit wired together, but this bastard is getting to me.

    The requirement is for 'phishing-resistant' second factor. That rules out all of the six-digit code apps - it is too easy apparently to get someone to read out their codes to an attacker.

    Again, IDK, but apparently 'phishing-resistant' is the next Big Thing. My personal feeling? We are chasing our shadows. Unless I am the last alive Iranian nuclear bloke, my login is as secure as I can be bothered to make it, and I am bound to be disappointed by a weakness at some point in the near or far future. Phishing isn't on the agenda.

    Life.

    I carry a seemingly-fine cryptographic store about with me most days and ludicrously call it my 'phone'. It can sign stuff, wrangle certificates, store passwords, read faces and fingerprints and QRcodes and NFC tags. Heaps of useful 'security' stuff. I wouldn't call the software environment _secure_ at all, but ... IDK, people seem happy enough with it. Anything for an easy life. Row with the flow.

    So I search for:
    "google passkey login with ssh"
    My god, whatalottasloppa comes back. A gattling gun of half-arsery, cant and junk advice.
    Then "MS hello for business login ssh". Christ almighty. Much worse. Worse again.
    Then "Apple ID login to ssh". At least that seems to be a simple: "no". A relief really.

    Someone in the know please: can I set up my sshd to use my phone-based passkey as a; primary, secondary or even the complete, login?

    #TOTP #HOTP #passkey #sshd #key #certificates #PSK #login #ssh #linux #pam #openssh

  3. OK, normally I have my shit wired together, but this bastard is getting to me.

    The requirement is for 'phishing-resistant' second factor. That rules out all of the six-digit code apps - it is too easy apparently to get someone to read out their codes to an attacker.

    Again, IDK, but apparently 'phishing-resistant' is the next Big Thing. My personal feeling? We are chasing our shadows. Unless I am the last alive Iranian nuclear bloke, my login is as secure as I can be bothered to make it, and I am bound to be disappointed by a weakness at some point in the near or far future. Phishing isn't on the agenda.

    Life.

    I carry a seemingly-fine cryptographic store about with me most days and ludicrously call it my 'phone'. It can sign stuff, wrangle certificates, store passwords, read faces and fingerprints and QRcodes and NFC tags. Heaps of useful 'security' stuff. I wouldn't call the software environment _secure_ at all, but ... IDK, people seem happy enough with it. Anything for an easy life. Row with the flow.

    So I search for:
    "google passkey login with ssh"
    My god, whatalottasloppa comes back. A gattling gun of half-arsery, cant and junk advice.
    Then "MS hello for business login ssh". Christ almighty. Much worse. Worse again.
    Then "Apple ID login to ssh". At least that seems to be a simple: "no". A relief really.

    Someone in the know please: can I set up my sshd to use my phone-based passkey as a; primary, secondary or even the complete, login?

    #TOTP #HOTP #passkey #sshd #key #certificates #PSK #login #ssh #linux #pam #openssh

  4. OK, normally I have my shit wired together, but this bastard is getting to me.

    The requirement is for 'phishing-resistant' second factor. That rules out all of the six-digit code apps - it is too easy apparently to get someone to read out their codes to an attacker.

    Again, IDK, but apparently 'phishing-resistant' is the next Big Thing. My personal feeling? We are chasing our shadows. Unless I am the last alive Iranian nuclear bloke, my login is as secure as I can be bothered to make it, and I am bound to be disappointed by a weakness at some point in the near or far future. Phishing isn't on the agenda.

    Life.

    I carry a seemingly-fine cryptographic store about with me most days and ludicrously call it my 'phone'. It can sign stuff, wrangle certificates, store passwords, read faces and fingerprints and QRcodes and NFC tags. Heaps of useful 'security' stuff. I wouldn't call the software environment _secure_ at all, but ... IDK, people seem happy enough with it. Anything for an easy life. Row with the flow.

    So I search for:
    "google passkey login with ssh"
    My god, whatalottasloppa comes back. A gattling gun of half-arsery, cant and junk advice.
    Then "MS hello for business login ssh". Christ almighty. Much worse. Worse again.
    Then "Apple ID login to ssh". At least that seems to be a simple: "no". A relief really.

    Someone in the know please: can I set up my sshd to use my phone-based passkey as a; primary, secondary or even the complete, login?

    #TOTP #HOTP #passkey #sshd #key #certificates #PSK #login #ssh #linux #pam #openssh

  5. OK, normally I have my shit wired together, but this bastard is getting to me.

    The requirement is for 'phishing-resistant' second factor. That rules out all of the six-digit code apps - it is too easy apparently to get someone to read out their codes to an attacker.

    Again, IDK, but apparently 'phishing-resistant' is the next Big Thing. My personal feeling? We are chasing our shadows. Unless I am the last alive Iranian nuclear bloke, my login is as secure as I can be bothered to make it, and I am bound to be disappointed by a weakness at some point in the near or far future. Phishing isn't on the agenda.

    Life.

    I carry a seemingly-fine cryptographic store about with me most days and ludicrously call it my 'phone'. It can sign stuff, wrangle certificates, store passwords, read faces and fingerprints and QRcodes and NFC tags. Heaps of useful 'security' stuff. I wouldn't call the software environment _secure_ at all, but ... IDK, people seem happy enough with it. Anything for an easy life. Row with the flow.

    So I search for:
    "google passkey login with ssh"
    My god, whatalottasloppa comes back. A gattling gun of half-arsery, cant and junk advice.
    Then "MS hello for business login ssh". Christ almighty. Much worse. Worse again.
    Then "Apple ID login to ssh". At least that seems to be a simple: "no". A relief really.

    Someone in the know please: can I set up my sshd to use my phone-based passkey as a; primary, secondary or even the complete, login?

    #TOTP #HOTP #passkey #sshd #key #certificates #PSK #login #ssh #linux #pam #openssh

  6. PSA for those implementing #rfc6238: READ THE ERRATA! Maybe even before reading the RFC itself. I wasted an entire day chasing my tail because the RFC contained incorrect test vectors.
    #IETF #RFC #openSource #programming #totp #hotp

  7. I'm looking for a good overview/comparison of different #MFA/#2FA or #PasswordLess authentication protocols.

    The recent #Fido2 #MitM risk made me aware that I need to learn more.

    Pointers and #BoostWelcome

    #fedipower #wisdomOfTheCrowd #FollowerPower

    As the best way to get an answer on the internet, is to state something wrong, let's try this 😜

    #FIDO and FIDO2 are actually a whole set of (related?) protocols.
    FIDO includes FIDO #UAF (Universal Authentication Framework) and FIDO #U2F (Universal Second Factor).

    FIDO2 is the "successor" of FIDO and consists of two parts.
    #WebAuthn and #CTAP (Client to Authenticator Protocol). From the name I would guess that WebAuthn is for web stuff (requiring browser support) and CTAP is for IT infrastructure stuff (???)

    #Passkey is based on #Fido2
    Other related concepts or protocols are #OTP (one-time passwords), #TOTP (Time-based One-time Password) and #HOTP (“H” in HOTP stands for Hash-based Message Authentication Code (HMAC))

    Not sure how #SmartCards play into this.

    And not sure which of these methods would work for an offline authentication login into your laptop (and ideally also as key for whole disk encryption)

  8. I'm looking for a good overview/comparison of different #MFA/#2FA or #PasswordLess authentication protocols.

    The recent #Fido2 #MitM risk made me aware that I need to learn more.

    Pointers and #BoostWelcome

    #fedipower #wisdomOfTheCrowd #FollowerPower

    As the best way to get an answer on the internet, is to state something wrong, let's try this 😜

    #FIDO and FIDO2 are actually a whole set of (related?) protocols.
    FIDO includes FIDO #UAF (Universal Authentication Framework) and FIDO #U2F (Universal Second Factor).

    FIDO2 is the "successor" of FIDO and consists of two parts.
    #WebAuthn and #CTAP (Client to Authenticator Protocol). From the name I would guess that WebAuthn is for web stuff (requiring browser support) and CTAP is for IT infrastructure stuff (???)

    #Passkey is based on #Fido2
    Other related concepts or protocols are #OTP (one-time passwords), #TOTP (Time-based One-time Password) and #HOTP (“H” in HOTP stands for Hash-based Message Authentication Code (HMAC))

    Not sure how #SmartCards play into this.

    And not sure which of these methods would work for an offline authentication login into your laptop (and ideally also as key for whole disk encryption)

  9. I'm looking for a good overview/comparison of different #MFA/#2FA or #PasswordLess authentication protocols.

    The recent #Fido2 #MitM risk made me aware that I need to learn more.

    Pointers and #BoostWelcome

    #fedipower #wisdomOfTheCrowd #FollowerPower

    As the best way to get an answer on the internet, is to state something wrong, let's try this 😜

    #FIDO and FIDO2 are actually a whole set of (related?) protocols.
    FIDO includes FIDO #UAF (Universal Authentication Framework) and FIDO #U2F (Universal Second Factor).

    FIDO2 is the "successor" of FIDO and consists of two parts.
    #WebAuthn and #CTAP (Client to Authenticator Protocol). From the name I would guess that WebAuthn is for web stuff (requiring browser support) and CTAP is for IT infrastructure stuff (???)

    #Passkey is based on #Fido2
    Other related concepts or protocols are #OTP (one-time passwords), #TOTP (Time-based One-time Password) and #HOTP (“H” in HOTP stands for Hash-based Message Authentication Code (HMAC))

    Not sure how #SmartCards play into this.

    And not sure which of these methods would work for an offline authentication login into your laptop (and ideally also as key for whole disk encryption)

  10. I'm looking for a good overview/comparison of different #MFA/#2FA or #PasswordLess authentication protocols.

    The recent #Fido2 #MitM risk made me aware that I need to learn more.

    Pointers and #BoostWelcome

    #fedipower #wisdomOfTheCrowd #FollowerPower

    As the best way to get an answer on the internet, is to state something wrong, let's try this 😜

    #FIDO and FIDO2 are actually a whole set of (related?) protocols.
    FIDO includes FIDO #UAF (Universal Authentication Framework) and FIDO #U2F (Universal Second Factor).

    FIDO2 is the "successor" of FIDO and consists of two parts.
    #WebAuthn and #CTAP (Client to Authenticator Protocol). From the name I would guess that WebAuthn is for web stuff (requiring browser support) and CTAP is for IT infrastructure stuff (???)

    #Passkey is based on #Fido2
    Other related concepts or protocols are #OTP (one-time passwords), #TOTP (Time-based One-time Password) and #HOTP (“H” in HOTP stands for Hash-based Message Authentication Code (HMAC))

    Not sure how #SmartCards play into this.

    And not sure which of these methods would work for an offline authentication login into your laptop (and ideally also as key for whole disk encryption)

  11. I'm looking for a good overview/comparison of different #MFA/#2FA or #PasswordLess authentication protocols.

    The recent #Fido2 #MitM risk made me aware that I need to learn more.

    Pointers and #BoostWelcome

    #fedipower #wisdomOfTheCrowd #FollowerPower

    As the best way to get an answer on the internet, is to state something wrong, let's try this 😜

    #FIDO and FIDO2 are actually a whole set of (related?) protocols.
    FIDO includes FIDO #UAF (Universal Authentication Framework) and FIDO #U2F (Universal Second Factor).

    FIDO2 is the "successor" of FIDO and consists of two parts.
    #WebAuthn and #CTAP (Client to Authenticator Protocol). From the name I would guess that WebAuthn is for web stuff (requiring browser support) and CTAP is for IT infrastructure stuff (???)

    #Passkey is based on #Fido2
    Other related concepts or protocols are #OTP (one-time passwords), #TOTP (Time-based One-time Password) and #HOTP (“H” in HOTP stands for Hash-based Message Authentication Code (HMAC))

    Not sure how #SmartCards play into this.

    And not sure which of these methods would work for an offline authentication login into your laptop (and ideally also as key for whole disk encryption)

  12. Authenticator app? What's that? I use the terminal 🔥

    🔒 **cotp**: Trustworthy and encrypted TOTP/HOTP authenticator with a TUI.

    🚀 Supports importing (e.g. from Aegis, Authy, Google Authenticator, etc.)

    🦀 Written in Rust & built with @ratatui_rs

    ⭐ GitHub: github.com/replydev/cotp

  13. #Shaarli: GitHub - beemdevelopment/Aegis: A free, secure and open source app for Android to manage your 2-step verification tokens. - Application mobile d'authentification double facteur (2FA).
    Permet d'importer les jetons depuis d'autres applications (accès root) et de sauvegarder automatiquement les jetons. : github.com/beemdevelopment/Aeg #totp #hotp #2fa

  14. Someone at GitHub asked for websites using HOTP.

    It’s true that all public sites use TOTP, I personally never registered to a site with 2FA based on HMAC. To me it’s probably used by enterprises.

    Do you know such sites or services?

  15. Jan <3 @rollbrettklauen ·

    Just looked at code I implemented a year ago and cringed. I mean I grew as a developer but why did I implement a state full version of and ?

  16. @mysk I'd rather recommend to avoid it at all costs and choose a non-proprietary method like () & ()...

    Like FreeOTP+ does:
    f-droid.org/en/packages/org.li

  17. @mysk I'd rather recommend to avoid it at all costs and choose a non-proprietary #2FA method like #HOTP (#RFC4226) & #TOTP (#RFC6238)...

    Like FreeOTP+ does:
    f-droid.org/en/packages/org.li

  18. @mysk I'd rather recommend to avoid it at all costs and choose a non-proprietary #2FA method like #HOTP (#RFC4226) & #TOTP (#RFC6238)...

    Like FreeOTP+ does:
    f-droid.org/en/packages/org.li

  19. #OneTrickPony is a modern #Java library that implements support for One-Time Passwords. Built-In support is provided for the #HOTP (RFC 4226) and #TOTP (RFC 6238) algorithms. bit.ly/3YoVQ6M #Security

  20. #OneTrickPony is a modern #Java library that implements support for One-Time Passwords. Built-In support is provided for the #HOTP (RFC 4226) and #TOTP (RFC 6238) algorithms. bit.ly/3YoVQ6M #Security

  21. #OneTrickPony is a modern #Java library that implements support for One-Time Passwords. Built-In support is provided for the #HOTP (RFC 4226) and #TOTP (RFC 6238) algorithms. bit.ly/3YoVQ6M #Security

  22. #OneTrickPony is a modern #Java library that implements support for One-Time Passwords. Built-In support is provided for the #HOTP (RFC 4226) and #TOTP (RFC 6238) algorithms. bit.ly/3YoVQ6M #Security

  23. #OneTrickPony is a modern #Java library that implements support for One-Time Passwords. Built-In support is provided for the #HOTP (RFC 4226) and #TOTP (RFC 6238) algorithms. bit.ly/3YoVQ6M #Security

  24. heise+ | 2FA: Fünf kostenlose Authenticator-Apps für Android im Vergleich

    Alle von uns getesteten Authenticator-Apps können Einmalcodes generieren. Sie bieten allerdings unterschiedliche Einstellungsmöglichkeiten und Funktionen.
    2FA: Fünf kostenlose Authenticator-Apps für Android im Vergleich
  25. @Troll Solution : #HOTP (RFC 4226), au lieu de #TOTP. (Mais il a d'autres inconvénients, la vie n'est pas facile, ma bonne dame.)

  26. heise+ | Passwortmanager Keepass: So generieren Sie Einmalpasswörter

    Keepass kann Codes für die Zwei-Faktor-Authentifizierung generieren – oder die eigene Passwort-Datenbank damit schützen. So wird Keepass zur Passwort-Zentrale.
    Passwortmanager Keepass: So generieren Sie Einmalpasswörter
  27. #andOTP is a Free open source Two-factor authentication app for #Android - github.com/andOTP/andOTP Among its useful features are plain text or encrypted automated #backup, visual icons, QR-code scanning, minimal permissions, Android-keystore authentication and ability to import from most other #2FA apps.
    #backup #otp #totp #hotp #degoogle
    via magicfab.ca/liens/

  28. Prisa kodgudarna, tvåfaktorsautentisering på datamaskinen är här! #OTPClient ser ut att vara ett riktigt trevligt program med stark kryptering och lösenordsskydd för #2FA direkt på datorn. Men kanske för bekvämt i relation till ökad säkerhet med att ha 2FA på annan device? github.com/paolostivanin/OTPCl Tänk om #Sverige hade vettig öppen #eID där det räckte med tvåfaktor på dator eller mobil för identifiering oavsett system. #BankID #FrejaEID #TOTP #HOTP #WebAuthN