U2F solves that issue, and it's way more secure than TOTP. Sadly, not many sites support it yet (Google, GitHub, and Dropbox all do). So, just find a hardware token with U2F support and push sites to implement support for it. :-)
~reed

On Fri, Dec 30, 2016 at 4:24 PM Bertrand Jacquin <[email protected]> wrote:

> I get your point. While I trust hardware tokens more than phones, I
> usually can access only a very limited set of slots to store private
> material. That is needed since I don't want to, or can't, use the same seed for
> Google, Gandi and other services offering MFA.
>
> It's probably not the place to discuss Yubikey. I'm not using Yubikey
> myself but an OpenPGP hardware token, and don't really know how I can then
> specify which slot of the Yubikey should be used depending on the need.
> Subject to investigate.
>
> Cheers
>
> On Fri, Dec 30, 2016 at 11:50:36PM +0000, Reed Loden wrote:
> > If I compromise your computer, I still get both the password and the TOTP
> > secret just from a simple keylogger. Not safe.
> >
> > If you don't want to use your phone, just get a hardware token of some sort
> > (Yubikey or similar).
> >
> > ~reed
> >
> > On Fri, Dec 30, 2016 at 3:31 PM Bertrand Jacquin <[email protected]>
> > wrote:
> >
> > > Well, they don't have to be stored in the password store directory nor
> > > encrypted using the same GPG key.
> > >
> > > On 30/12/2016 23:28, Reed Loden wrote:
> > > > How is that 2FA if both factors are stored on the same media? Seems
> > > > quite insecure to me.
> > > >
> > > > ~reed
> > > >
> > > > On Fri, Dec 30, 2016 at 3:16 PM Bertrand Jacquin
> > > > <[email protected]> wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > Thanks to everyone involved in this really nice password tool you've
> > > > > made; this is something I'm using every day and really enjoy using.
> > > > >
> > > > > Have you ever considered adding an option to handle TOTP, meaning that the
> > > > > seed could be stored in a gpg file and pass could provide an easy way to get
> > > > > the current OTP by using oathtool? For example:
> > > > >
> > > > > $ oathtool -v --base32 --totp XXX
> > > > > Hex secret: YYY
> > > > > Base32 secret: XXX
> > > > > Digits: 6
> > > > > Window size: 0
> > > > > Step size (seconds): 30
> > > > > Start time: 1970-01-01 00:00:00 UTC (0)
> > > > > Current time: 2016-12-18 17:42:53 UTC (1482082973)
> > > > > Counter: 0x2F1D38D (49402765)
> > > > > 799465
> > > > >
> > > > > It would be really handy for me to just run:
> > > > >
> > > > > $ pass show -c --totp Web/gandi.net [1]
> > > > >
> > > > > and be able to paste it when Gandi asks for it.
> > > > >
> > > > > Cheers
> > > > >
> > > > > --
> > > > > Bertrand
> > > >
> > > > Links:
> > > > ------
> > > > [1] http://gandi.net
> > >
> > > --
> > > Bertrand
>
> --
> Bertrand
_______________________________________________ Password-Store mailing list [email protected] https://lists.zx2c4.com/mailman/listinfo/password-store
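The calculation that Bertrand's `oathtool -v --base32 --totp` run shows (base32 seed in, 30-second counter, 6-digit code out) is RFC 6238 TOTP on top of RFC 4226 HOTP. The following is an added, self-contained Python reference implementation written for this page; it is not code from the thread, from pass, or from oathtool. Because the thread's seed is redacted (`XXX`), the embedded seed is the RFC 4226/6238 reference key `12345678901234567890` in base32, a constructed test input whose expected codes are published in those RFCs. The `totp_verbose` helper mirrors the fields oathtool prints so each step can be checked; `verify_totp` shows the server side, including the `window` that oathtool reports as "Window size: 0". Note that, as Reed points out above, running this on the same host that holds the password does not change the single-machine trust problem; the example only demonstrates the mechanics.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed test input: the RFC 4226 / RFC 6238 reference key
# "12345678901234567890" (ASCII) in base32, as oathtool --base32 expects.
# It is NOT the seed from the mailing-list thread (that one was redacted as XXX).
TEST_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_seed(seed_b32):
    """Decode a base32 seed, tolerating lowercase, spaces and missing '='
    padding, all common in seeds copied out of QR codes or web pages."""
    cleaned = seed_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a 31-bit integer, then decimal mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_counter(now, step=30, start=0):
    """RFC 6238 time step: floor((now - T0) / X); oathtool prints this as 'Counter'."""
    return (now - start) // step


def totp(seed_b32, now=None, step=30, digits=6):
    """Current TOTP for a base32 seed (what `oathtool --base32 --totp` prints)."""
    if now is None:
        now = int(time.time())
    return hotp(decode_base32_seed(seed_b32), totp_counter(now, step), digits)


def totp_verbose(seed_b32, now, step=30, digits=6):
    """Return the same fields oathtool -v prints so the steps can be inspected."""
    key = decode_base32_seed(seed_b32)
    counter = totp_counter(now, step)
    return {
        "hex_secret": key.hex(),
        "base32_secret": base64.b32encode(key).decode().rstrip("="),
        "digits": digits,
        "step": step,
        "current_time": now,
        "counter": counter,
        "otp": hotp(key, counter, digits),
    }


def verify_totp(seed_b32, candidate, now, window=0, step=30, digits=6):
    """Server-side check: accept the code for the current step and up to
    `window` steps either side to absorb clock skew (window=0 is the strict
    case oathtool reports). Constant-time compare so a wrong guess does not
    leak how many leading digits matched."""
    key = decode_base32_seed(seed_b32)
    base = totp_counter(now, step)
    return any(
        hmac.compare_digest(hotp(key, base + delta, digits), candidate)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    # RFC 6238 test vector: at T=59 the 8-digit SHA-1 code is 94287082,
    # so the 6-digit code is 287082.
    for field, value in totp_verbose(TEST_SEED_B32, now=59).items():
        print(f"{field}: {value}")
    print(totp(TEST_SEED_B32))
```

A pass extension would only need to decrypt the seed with `pass show` and feed it to `totp`; the counter field is secret-independent, so the value the thread shows for its timestamp (0x2F1D38D) can be checked against this code even though the seed itself is redacted.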
