Github REQUIRES 2FA: What This Means For You? #Linux #YouTube https://youtu.be/WnO3uaatquc

@BrodieOnLinux it means that if #GitHub doesn't support any good #offline - capable #2FA like #iTAN, a lot of folks won't use it at all!

Especially since they don't support EVERY NATION AND NETWORK nor can one expect to have a dedicated and secure phone number for that!

@thatguyoverthere @BrodieOnLinux it does require one to have a device to run it on tho.

Also nothing prevents them from generating iTAN lists and just request a randomized unused entry from it.

It's not as if they'll require it for every push and every merge of code.

@kkarhan @thatguyoverthere You have a computer

@BrodieOnLinux @thatguyoverthere yes but putting #2FA on the same machine is kinda killing the security advantage.

The idea of Two-Factor Authentication is to prevent someone from creating chaos if they gain access to an account or its credentials...

@kkarhan @BrodieOnLinux to me TOTP seems like a perfectly reasonable solution to multi-factor auth. I agree that if you take it seriously you are generating tokens on a device that is not the one you are logging in with, but you can do that with a phone, a crappy laptop, or even some of the various usb devices. Some will even act as a keyboard.

The thing with iTAN is that you need to maintain a whole list of tokens, and I imagine a responsible implementation would only allow each token to be used once which means you have to keep track of which ones you've used. If anyone sees the list (or takes a photo) they can compromise you a lot easier than if someone sees a time based token that will only work within a small window and never again. Yes some math is involved, but in my opinion it is a better proof of authenticity than a token that was generated some ambiguous time ago. I don't want to have to go to the gun safe every time I have to do something on Github that requires a token.

@thatguyoverthere @BrodieOnLinux

Yeah, it's really a downgrade and sadly not practical for me at all...
https://mstdn.social/@kkarhan/110975953455694385

Kevin Karhan :verified: (@[email protected])

@10volt @[email protected] @[email protected] #iTAN are numerized, pre-generated TANs that get requested for randomized 2FA... https://en.wikipedia.org/wiki/Transaction_authentication_number#Indexed_TAN_(iTAN) And no, #TOTP / #HOTP & #SMS-#TAN are NOT practical for numerous reasons I CANNOT disclose... https://mstdn.social/@kkarhan/110975936045776700


@thatguyoverthere @BrodieOnLinux

Also yes, all #iTAN implementations will cross out all used TANs and the last 2-5 are used to auth a new iTAN sheet...

And the best part of it: those can be perfectly separated and don't need anything but paper and ink to put them on.

Personally, I do want my shit to be so secure that I can't backdoor it at gunpoint without the ability to commit asset denial towards the attacker...

Call me weird, but I'd be dead for over a decade if I wasn't that cautious...
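The two posts above describe the iTAN scheme: a numbered, pre-generated sheet, a server that challenges with a random unused index, used entries crossed out, and the last few entries reserved to authorise a replacement sheet. The code below is an added illustration of that server-side bookkeeping, not code from any participant in the thread and not any bank's or GitHub's implementation. The class and method names, the `reserve` size and the single-pending-challenge rule are this example's own assumptions; it also shows the failure mode the earlier reply worried about, namely that an entry presented twice is refused, so a photographed sheet only helps an attacker for indices that have not yet been consumed.

```python
import hmac
import random
import secrets

TAN_DIGITS = 6


def generate_sheet(n: int = 100, rng=None) -> dict[int, str]:
    """Pre-generate a numbered sheet {index: tan}. Uses a CSPRNG unless a
    deterministic rng is passed in (only for reproducible demos/tests)."""
    draw = rng if rng is not None else secrets.SystemRandom()
    return {i: str(draw.randrange(10 ** TAN_DIGITS)).zfill(TAN_DIGITS) for i in range(1, n + 1)}


class SheetExhausted(Exception):
    """Raised when only the reserved activation entries remain unused."""


class ITanServer:
    def __init__(self, sheet: dict[int, str], reserve: int = 3, rng=None):
        self.sheet = dict(sheet)
        self.used: set[int] = set()          # crossed-out entries
        self.reserve = reserve               # entries kept back for activating a new sheet
        self.pending: int | None = None      # index of the outstanding challenge
        self.rng = rng if rng is not None else secrets.SystemRandom()

    def unused_indices(self) -> list[int]:
        return sorted(set(self.sheet) - self.used)

    def challenge(self) -> int:
        """Pick a random unused index; the user must answer with that exact entry."""
        unused = self.unused_indices()
        if len(unused) <= self.reserve:
            raise SheetExhausted("only the activation reserve is left; order a new sheet")
        self.pending = self.rng.choice(unused)
        return self.pending

    def respond(self, index: int, tan: str) -> bool:
        """Accept only the challenged index, only once, constant-time compared."""
        if self.pending is None or index != self.pending or index in self.used:
            return False
        ok = hmac.compare_digest(self.sheet[index], tan)
        if ok:
            self.used.add(index)   # cross it out: a replayed entry is now worthless
            self.pending = None
        return ok

    def activate_new_sheet(self, new_sheet: dict[int, str], proof: dict[int, str]) -> bool:
        """Replace the sheet only if every remaining unused (reserved) entry is proven."""
        remaining = self.unused_indices()
        if sorted(proof) != remaining:
            return False
        if not all(hmac.compare_digest(self.sheet[i], proof[i]) for i in remaining):
            return False
        self.sheet = dict(new_sheet)
        self.used = set()
        self.pending = None
        return True


if __name__ == "__main__":
    # Constructed demo with a seeded rng so the run is reproducible.
    demo_rng = random.Random(2023)
    sheet = generate_sheet(8, demo_rng)
    server = ITanServer(sheet, reserve=2, rng=demo_rng)
    idx = server.challenge()
    print("challenge index:", idx, "accepted:", server.respond(idx, sheet[idx]))
    print("replay accepted:", server.respond(idx, sheet[idx]))
```

Note that `respond` refuses an answer for any index other than the one challenged, so an attacker who photographed part of the sheet cannot simply volunteer an entry they happen to know; they must hold the specific entry the server asks for, and each entry is burned on first use.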