#stupidIdeaOfTheDay (based on one I found randomly on Reddit)

To avoid using static passwords + TOTPs (like Google Authenticator codes), have a dynamic single-factor authentication:
Sign the time (in blocks of 30 seconds like with TOTPs) with your private key, so you have passwords valid for 30-90 seconds. Allow at most 10 attempts every 30 seconds. Obviously, the server checks for a valid signature with your registered public key.
For this, you can use an extension for your password manager as you are already doing to manage your static passwords + your TOTPs.

Similar to what Yubikey originally did. There are many weak points like Man in the middle, and phishing, and possible attacks over a known message, that were solved with WebAuthn, but it’s a nice exercise to think about.
Disclaimer: Don’t roll your own crypto
Disclaimer 2: Don’t implement 1FA, if you can do 2FA or MFA =P
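As an added illustration of the scheme sketched above (this is example code written for this page, not the poster's), here is a Go client/server pair that uses the standard library's Ed25519: the client signs the current 30-second block index, the server accepts the current block and the two before it (so a signature lives 60-90 s depending on where in the block it was made) with at most 10 attempts per user per block. Assumed details not in the post: the signed message is the block index as 8 big-endian bytes, keys are Ed25519, the registry is an in-memory map, and a replay guard (each block redeemable once per user) is added as a defender's extra.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const (
	BlockSeconds = 30 // block length, as in TOTP
	PastBlocks   = 2  // also accept the two previous blocks, so a signature lives 60-90 s
	MaxAttempts  = 10 // attempts per user per block, failures included
)

var (
	ErrUnknownUser  = errors.New("unknown user")
	ErrRateLimited  = errors.New("too many attempts in this block")
	ErrBadSignature = errors.New("signature matches no accepted block")
	ErrReplay       = errors.New("block already redeemed")
)

// Block is the 30-second block index of t.
func Block(t time.Time) uint64 { return uint64(t.Unix()) / BlockSeconds }
// Message is what the client signs: the block index as 8 big-endian bytes (assumed layout).
func Message(block uint64) []byte {
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], block)
	return b[:]
}
// Sign produces the dynamic "password" for time t: an Ed25519 signature over its block.
func Sign(priv ed25519.PrivateKey, t time.Time) []byte {
	return ed25519.Sign(priv, Message(Block(t)))
}

type attemptWindow struct {
	block uint64
	count int
}

// Server keeps registered public keys, per-user attempt counters and the last
// block each user redeemed (replay guard inside the acceptance window).
type Server struct {
	pubs     map[string]ed25519.PublicKey
	attempts map[string]attemptWindow
	used     map[string]uint64
}

func NewServer() *Server {
	return &Server{pubs: map[string]ed25519.PublicKey{}, attempts: map[string]attemptWindow{}, used: map[string]uint64{}}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubs[user] = pub }

// Verify checks a submitted signature for user at server time now.
func (s *Server) Verify(user string, sig []byte, now time.Time) error {
	pub, ok := s.pubs[user]
	if !ok {
		return ErrUnknownUser
	}
	cur := Block(now)
	// Rate limit: the counter resets whenever the block changes.
	w := s.attempts[user]
	if w.block != cur {
		w = attemptWindow{block: cur}
	}
	if w.count >= MaxAttempts {
		s.attempts[user] = w
		return ErrRateLimited
	}
	w.count++
	s.attempts[user] = w
	for i := uint64(0); i <= PastBlocks && i <= cur; i++ {
		b := cur - i
		if !ed25519.Verify(pub, Message(b), sig) {
			continue
		}
		// Ed25519 is deterministic, so a replayed login is byte-identical:
		// each block is redeemable once, and older blocks than the last are refused.
		if last, seen := s.used[user]; seen && b <= last {
			return ErrReplay
		}
		s.used[user] = b
		return nil
	}
	return ErrBadSignature
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer()
	srv.Register("alice", pub)
	now := time.Now()
	sig := Sign(priv, now)
	fmt.Println("fresh login:", srv.Verify("alice", sig, now), "| replay:", srv.Verify("alice", sig, now), "| 2 min later:", srv.Verify("alice", sig, now.Add(2*time.Minute)))
}
```

The replay guard only closes the "known message" hole within the validity window on a single honest server; it does nothing against a phishing page or a man-in-the-middle that relays the signature to the real server in real time, which is the class of problem the post points at WebAuthn for (origin binding and a server-chosen challenge instead of a predictable time block).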


Well, the login technique for SSH is great and works (you have to protect your key, but *nix OSes handle that in a safer way)

For web browsing you have client certificates or WebAuthn, which require a lot of configuration or external hardware, mostly difficult to use on a mobile device… 🤔

So, yeah, I’d like to find a good balance between easy to use and hacky
