OK, normally I have my shit wired together, but this bastard is getting to me.

The requirement is for 'phishing-resistant' second factor. That rules out all of the six-digit code apps - it is too easy apparently to get someone to read out their codes to an attacker.

Again, IDK, but apparently 'phishing-resistant' is the next Big Thing. My personal feeling? We are chasing our shadows. Unless I am the last alive Iranian nuclear bloke, my login is as secure as I can be bothered to make it, and I am bound to be disappointed by a weakness at some point in the near or far future. Phishing isn't on the agenda.

Life.

I carry a seemingly-fine cryptographic store about with me most days and ludicrously call it my 'phone'. It can sign stuff, wrangle certificates, store passwords, read faces and fingerprints and QRcodes and NFC tags. Heaps of useful 'security' stuff. I wouldn't call the software environment _secure_ at all, but ... IDK, people seem happy enough with it. Anything for an easy life. Row with the flow.

So I search for:
"google passkey login with ssh"
My god, whatalottasloppa comes back. A Gatling gun of half-arsery, cant and junk advice.
Then "MS hello for business login ssh". Christ almighty. Much worse. Worse again.
Then "Apple ID login to ssh". At least that seems to be a simple: "no". A relief really.

Someone in the know, please: can I set up my sshd to use my phone-based passkey as a primary, secondary, or even the complete login?

#TOTP #HOTP #passkey #sshd #key #certificates #PSK #login #ssh #linux #pam #openssh

Learn how to build a production-ready Email OTP authentication node in ForgeRock AM 7.x using the RFC 4226 HOTP algorithm. Includes complete Java source, Maven project, SMTP delivery with TLS, rate limiting, and JUnit 5 tests validating all RFC test vectors.

https://iamdevbox.com/posts/building-an-email-otp-node-hotp-example-and-email-sending-configuration-in-forgerock-am/?utm_source=mastodon&utm_medium=social&utm_campaign=blog_post

#ForgeRock #ForgeRockAM #EmailOTP #HOTP #TwoFactorAuthenticat

PSA for those implementing #rfc6238: READ THE ERRATA! Maybe even before reading the RFC itself. I wasted an entire day chasing my tail because the RFC contained incorrect test vectors.
#IETF #RFC #openSource #programming #totp #hotp
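The RFC 4226 HOTP algorithm that the ForgeRock Email OTP post above builds on, together with the RFC 6238 test-vector trap from the errata PSA, as an added example that is not part of either post or of the ForgeRock code: a standard-library-only Python implementation with both appendices' vectors embedded so it checks itself offline. The RFC 4226 vectors are as printed in Appendix D; for RFC 6238 Appendix B the SHA-256 and SHA-512 rows use the secrets as corrected by the errata (the 20-byte ASCII seed repeated out to 32 and 64 bytes), which is the detail the RFC body leaves unstated. The `verify_hotp` / `verify_totp` helpers, the look-ahead window of 5 and the one-step skew are my own choices for a server-side check, not anything either post specifies.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) from the Python standard library only,
with the RFC test vectors embedded so the implementation checks itself."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 section 5.3: HMAC over the 8-byte big-endian counter, dynamic
    truncation (low nibble of the last MAC byte selects a 4-byte window, top
    bit masked off), then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter T = floor((time - T0) / X)."""
    return hotp(secret, (unix_time - t0) // step, digits, algorithm)


def verify_hotp(secret: bytes, counter: int, candidate: str, look_ahead: int = 5,
                digits: int = 6, algorithm: str = "sha1"):
    """Server-side HOTP check with a resynchronisation window (RFC 4226 7.4).
    Returns the counter to store next (one past the match) or None. The
    window only looks forward, so a code from an already-consumed counter is
    rejected as a replay; each comparison is constant-time."""
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits, algorithm), candidate):
            return c + 1
    return None


def verify_totp(secret: bytes, unix_time: int, candidate: str, skew_steps: int = 1,
                step: int = 30, digits: int = 6, algorithm: str = "sha1") -> bool:
    """Accept the current step and +/- skew_steps neighbours for clock drift.
    A real server must also remember the last accepted step to stop replay
    within the window; that state is left out here (assumption for brevity)."""
    base = unix_time // step
    ok = False
    for c in range(base - skew_steps, base + skew_steps + 1):
        ok |= hmac.compare_digest(hotp(secret, c, digits, algorithm), candidate)
    return ok


# RFC 4226 Appendix D: 20-byte ASCII secret, counters 0..9, six digits.
RFC4226_SECRET = b"12345678901234567890"
RFC4226_CODES = ["755224", "287082", "359152", "969429", "338314",
                 "254676", "287922", "162583", "399871", "520489"]

# RFC 6238 Appendix B: eight digits, 30-second step. The RFC prose reads as if
# one secret serves all three modes; the errata (matching the reference code)
# repeat the 20-byte seed to 32 bytes for SHA-256 and 64 bytes for SHA-512.
RFC6238_SECRETS = {
    "sha1": b"12345678901234567890",
    "sha256": b"12345678901234567890123456789012",
    "sha512": b"1234567890123456789012345678901234567890123456789012345678901234",
}
RFC6238_VECTORS = {  # unix time -> (sha1, sha256, sha512)
    59: ("94287082", "46119246", "90693936"),
    1111111109: ("07081804", "68084774", "25091201"),
    1111111111: ("14050471", "67062674", "99943326"),
    1234567890: ("89005924", "91819424", "93441116"),
    2000000000: ("69279037", "90698825", "38618901"),
    20000000000: ("65353130", "77737706", "47863826"),
}


def self_test() -> bool:
    """Run both RFC vector sets; True only if every code matches."""
    for counter, expected in enumerate(RFC4226_CODES):
        if hotp(RFC4226_SECRET, counter) != expected:
            return False
    for t, expected in RFC6238_VECTORS.items():
        for alg, want in zip(("sha1", "sha256", "sha512"), expected):
            if totp(RFC6238_SECRETS[alg], t, digits=8, algorithm=alg) != want:
                return False
    return True


if __name__ == "__main__":
    print("RFC 4226 + RFC 6238 test vectors:", "PASS" if self_test() else "FAIL")
```

An implementation that feeds the same 20-byte secret to all three RFC 6238 modes will match the SHA-1 column and fail SHA-256 and SHA-512, which is exactly the kind of mismatch the PSA warns about; swapping in the errata secrets is the whole fix. Note that `verify_hotp` moves the stored counter forward on success and never back, and that six-digit and eight-digit codes from the same counter agree in their low digits, which is why the SHA-1 row for time 59 (counter 1) ends in the RFC 4226 counter-1 value 287082.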

#xsukax Secure #Authenticator

https://github.com/xsukax/xsukax-Secure-Authenticator

Demo: https://xsukax.github.io/xsukax-Secure-Authenticator/

A privacy-focused, #client-side #two-factor authentication (2FA) application that generates Time-based One-Time Passwords (TOTP) and #HMAC-based One-Time Passwords (HOTP) entirely within your browser. No server communication, no tracking, complete control over your authentication codes.

#totp #hotp

I have posted the initial version for the analysis on 'are #HOTP #zeroknowledge proofs'.
Although the blog post is not very mathematical in nature, I seem to have covered all relevant aspects. Previous social media posts covered the gist, but there is more detail present in the blog post.

https://dannyvanheumen.nl/post/analysis-are-hotp-zero-knowledge-proofs/

#zeroknowledgeproof #security #computerscience #MFA


Behind the 6-digit code: Building HOTP and TOTP from scratch

A while ago, I started working on authorization and authentication at work. This taught me a lot about how modern authentication systems work. However, I have always thought One-Time Password logins are the most mystical ones. A six-digit code that changes every time and can be used to verify

Dogac.dev

Are you happy with current #TOTP #HOTP mobile apps out there? #authy #google #microsoft #freeotp.

#ios #android #app

If you see a new, or want to try an unknown, #TOTP #authenticator #passwordManager, what factors do you look for?

1. Open Source app.
2. At least core open source.
3. I try to evaluate mostly the features that matter.
4. I love #BigTech, don't care about #SmallTech.

I need some input on selecting a different #authenticator #password #PasswordManager; any help is really appreciated.

Thanks.

I'm looking for a good overview/comparison of different #MFA/#2FA or #PasswordLess authentication protocols.

The recent #Fido2 #MitM risk made me aware that I need to learn more.

Pointers and #BoostWelcome

#fedipower #wisdomOfTheCrowd #FollowerPower

As the best way to get an answer on the internet, is to state something wrong, let's try this 😜

#FIDO and FIDO2 are actually a whole set of (related?) protocols.
FIDO includes FIDO #UAF (Universal Authentication Framework) and FIDO #U2F (Universal Second Factor).

FIDO2 is the "successor" of FIDO and consists of two parts.
#WebAuthn and #CTAP (Client to Authenticator Protocol). From the name I would guess that WebAuthn is for web stuff (requiring browser support) and CTAP is for IT infrastructure stuff (???)

#Passkey is based on #Fido2
Other related concepts or protocols are #OTP (one-time passwords), #TOTP (Time-based One-time Password) and #HOTP (“H” in HOTP stands for Hash-based Message Authentication Code (HMAC))

Not sure how #SmartCards play into this.

And not sure which of these methods would work for an offline authentication login into your laptop (and ideally also as key for whole disk encryption)

Authenticator app? What's that? I use the terminal 🔥

🔒 **cotp**: Trustworthy and encrypted TOTP/HOTP authenticator with a TUI.

🚀 Supports importing (e.g. from Aegis, Authy, Google Authenticator, etc.)

🦀 Written in Rust & built with @ratatui_rs

⭐ GitHub: https://github.com/replydev/cotp

#rustlang #ratatui #tui #totp #hotp #authentication #auth #encryption
