txt.sour.is eaplmx@twtxt.net "#stupidIdeaOfTheDay (based on one I found randomly on Reddit) To avoid using Static passwords + TOTPs (like Google Authenticator codes), have a ..."

twtxt.net

Fri, Sep 16 14:46 2022 (2y ago)

#stupidIdeaOfTheDay (based on one I found randomly on Reddit)

To avoid using Static passwords + TOTPs (like Google Authenticator codes), have a dynamic Single-factor authentication:
Sign the time (in blocks of 30 seconds like with TOTPS) with your private key, so you have passwords valid for 30-90 seconds. Allow at most 10 attempts every 30 seconds. Obviously, the server checks a valid signature with your registered public key.
For this, you can use an extension for your password manager as you are already doing to manage your static passwords + your TOTPs.

Similar to what Yubikey originally did. There are many weak points like Man in the middle, and phishing, and possible attacks over a known message, that were solved with WebAuthn, but it’s a nice exercise to think about.
Disclaimer: Don’t roll your own crypto
Disclaimer 2: Don’t implement 1FA, if you can do 2FA or MFA =P

⤋ Read More