Re: TOTP apps, and WebAuthn recommended devices?

2023-03-25 Thread Taylor R Campbell
> Date: Thu, 23 Mar 2023 09:51:17 -0400
> From: Greg Troxel 
> 
> One thing is TOTP.  There are Android apps from f-droid (which suits me
> but not everyone), and there is vaultwarden which should allow bitwarden
> to do TOTP.  I wonder if there are good TOTP programs in pkgsrc and what
> people recommend.

TOTP -- also called `authenticator app', and usually presented with a
QR code and an optional base32 string as the key -- is a very simple
standard protocol defined in RFC 6238, with reference to RFC 4226.

security/oath-toolkit is a command-line tool to manage a collection of
TOTP keys.  security/py-otp is a very simple Python library.  I use a
fragment of Python code with security/py-cryptography[1], from before
py-otp was added to pkgsrc.

For Android and iOS, there's also a free software app called FreeOTP
from Red Hat (in Google Play and F-Droid): https://freeotp.github.io/

In Firefox, the Bitwarden browser extension can automagically handle
TOTP keys.


However, you should be aware that _TOTP is vulnerable to phishing_.


If you inadvertently open gmai1.com instead of gmail.com and are shown
what looks exactly like a Google login page, entering a TOTP (or SMS)
code alongside your password gives the adversary everything they need
to break into your account.

In contrast, using only password + U2F/FIDO/webauthn security key
defeats phishing.

It defeats phishing because the browser cryptographically binds the
web site origin (gmai1.com vs gmail.com) into the protocol between the
security key and the server.

The user experience of U2F/FIDO/webauthn is also better because you
just tap a button -- no need to keep state on a phone, configure keys
into it, or copy & paste magic codes from one device to another.

One device (plus a second one as a backup!) works for as many sites as
you want, and for as many different accounts at each site as you want
(work, personal, whatever).  Directory of sites with support:
https://www.dongleauth.com/

For most uses, the words U2F, FIDO, FIDO2, and webauthn all mean
essentially the same thing, so I'll just say FIDO here.


> The other thing is WebAuthn which is apparently the new U2F.  I'd like
> to get some security keys for this, probably 3 (carry, non-carried
> backup, offsite cold storage) for long-term availability.  What devices
> are recommended, meeting:

All FIDO USB security keys will work out of the box on all modern
desktop/laptop platforms (including NetBSD 9), and all FIDO NFC/USB
security keys will work out of the box on all modern smartphones from
the last four years or so, in all major browsers.

You should pick according to the interface and form factor you need
(and what you can easily find nearby or get shipped to you).

A good choice to start with is NFC and USB-A or USB-C, so you can use
the same key with a phone and a laptop, like these:

https://www.yubico.com/product/security-key-nfc-by-yubico-black/
https://www.yubico.com/product/security-key-c-nfc-by-yubico-black/

Typical interfaces:

- USB-A
- USB-C
- Lightning (Apple proprietary)
- NFC
- smartcard contact
- Bluetooth LE

Typical form factors:

- keychain-oriented -- like a house or car key but with USB

  https://www.yubico.com/product/security-key-nfc-by-yubico-black/
  https://solokeys.com/products/solo-tap-usb-a-preorder?variant=27688204271680
  https://shop.nitrokey.com/shop/product/nkfi2-nitrokey-fido2-55
  https://www.ftsafe.com/Products/FIDO/NFC
  https://store.google.com/us/product/titan_security_key?hl=en-US

- nano -- barely sticks out of the USB port, so you can just keep it
  plugged into your laptop all the time

  https://www.yubico.com/product/yubikey-5-nano/
  https://solokeys.com/products/somu-tiny-security-key-two-factor-authentication-u2f-and-fido2-usb-a

- credit card -- NFC/smartcard only, not well supported outside
  Windows yet, not a lot of retail market, seems to be mostly for
  corporate id badge deployments

  https://neowave.fr/en/products/fido-range/badgeo-nfc-fido-2/
  https://shop.cryptnox.com/products/cryptnox-fido-2-card
  https://gotrustid.com/products-idem-card/ (has battery for BLE)
  https://www.hidglobal.com/products/crescendo

- other

  https://shop.ledger.com/products/ledger-nano-s-plus
  https://authentrend.com/atkey-card/

You can vet a product with the FIDO certification database:
https://fidoalliance.org/certification/fido-certified-products/

You can try a key out without risking locking yourself out of any
accounts here: https://demo.yubico.com/

If you want to add support to a web site: https://webauthn.io/


Answering some specific concerns you had:

>   allow enrolling in a bunch of different sites (dozenish, not 1000s)

FIDO keys have no limit on the number of sites.  There is no state
stored on the device[2], except for a count of the number of
signatures it has made, which is revealed to the server so the server
can detect cloned devices.

>   work on NetBSD with firefox (netbsd 9 amd64 at the moment)

All certified FIDO USB keys wi

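The origin binding explained in the message above, together with the signature counter it mentions as the one piece of state a FIDO key keeps, as an added toy model: this is not code from the thread and not any FIDO library's implementation. Assumptions: HMAC-SHA256 with a per-credential secret stands in for the authenticator's ECDSA key pair (so the relying party holds that secret where it would hold a public key; this keeps the example to the standard library), the message the key signs and the clientDataJSON fields follow the WebAuthn specification, and the host names gmail.example and gmai1.example are constructed.

```python
"""Toy model of WebAuthn origin binding and the authenticator signature counter.
HMAC-SHA256 with a per-credential secret STANDS IN for the key's ECDSA key pair,
so the relying party (RP) stores that secret where it would hold a public key.
The signed message, authenticatorData || SHA-256(clientDataJSON), follows the spec."""
import base64
import copy
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlparse


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class Authenticator:
    """The security key: one secret per credential plus one global signature counter."""

    def __init__(self):
        self.credentials = {}  # cred_id -> (rp_id, secret)
        self.sign_count = 0

    def get_assertion(self, rp_id, cred_id, client_data_hash):
        stored_rp_id, secret = self.credentials[cred_id]
        if stored_rp_id != rp_id:
            raise KeyError("no credential for this rp_id")
        self.sign_count += 1
        # authenticatorData = rpIdHash (32) || flags (UP = 0x01) || signCount (4, big-endian)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", self.sign_count)
        return auth_data, hmac.new(secret, auth_data + client_data_hash, hashlib.sha256).digest()


def browser_get(key, page_origin, rp_id, cred_id, challenge):
    """Browser side: refuses an rp_id the page may not claim, and writes the origin it
    actually loaded into clientDataJSON.  The page controls neither value."""
    host = urlparse(page_origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"{page_origin} may not use rp_id {rp_id}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    auth_data, sig = key.get_assertion(rp_id, cred_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


class RelyingParty:
    """Web site side: checks challenge, origin, rpIdHash and signature, then the counter."""

    def __init__(self, origin):
        self.origin, self.rp_id = origin, urlparse(origin).hostname
        self.creds = {}  # cred_id -> [secret, last_sign_count]

    def verify(self, cred_id, challenge, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != b64url(challenge):
            return "rejected: bad type or challenge"
        if cd.get("origin") != self.origin:
            return f"rejected: origin {cd.get('origin')} is not {self.origin}"
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rejected: rpIdHash mismatch"
        secret, last_count = self.creds[cred_id]
        msg = auth_data + hashlib.sha256(client_data).digest()
        if not hmac.compare_digest(hmac.new(secret, msg, hashlib.sha256).digest(), sig):
            return "rejected: bad signature"
        count = struct.unpack(">I", auth_data[33:37])[0]
        if count <= last_count:
            return "rejected: counter did not advance (possible cloned key)"
        self.creds[cred_id][1] = count
        return "accepted"


def login(rp, key, page_origin, cred_id):
    chal = os.urandom(32)  # fresh challenge per ceremony
    return rp.verify(cred_id, chal, *browser_get(key, page_origin, rp.rp_id, cred_id, chal))


def run_scenarios():
    """Constructed hosts: gmail.example is the real site, gmai1.example the look-alike."""
    key, rp = Authenticator(), RelyingParty("https://gmail.example")
    cred_id, secret = os.urandom(16), os.urandom(32)  # enrollment
    key.credentials[cred_id] = (rp.rp_id, secret)
    rp.creds[cred_id] = [secret, 0]
    out = {"legit": login(rp, key, rp.origin, cred_id)}
    try:  # the look-alike page relays the real challenge; the browser refuses the real rp_id...
        login(rp, key, "https://gmai1.example", cred_id)
        out["phish_browser"] = "browser signed"
    except PermissionError:
        out["phish_browser"] = "browser refused"
    # ...and even if a broken browser had signed, clientDataJSON names the origin the user was on
    chal = os.urandom(32)
    cd = json.dumps({"type": "webauthn.get", "challenge": b64url(chal), "origin": "https://gmai1.example"}).encode()
    out["phish_rp"] = rp.verify(cred_id, chal, cd, *key.get_assertion(rp.rp_id, cred_id, hashlib.sha256(cd).digest()))
    clone = copy.deepcopy(key)  # a copied key logs in once; the original's counter is then behind
    out["clone_login"] = login(rp, clone, rp.origin, cred_id)
    out["original_after_clone"] = login(rp, key, rp.origin, cred_id)
    return out
```

`run_scenarios()` returns one outcome per case: the legitimate login is accepted; the look-alike page cannot even ask the key for the real site's rp_id, and an assertion whose clientDataJSON carries the look-alike origin is rejected by the relying party regardless; after a copy of the key has logged in, the original's counter no longer advances and the server flags it. The counter only reveals a clone after the fact, and the check means nothing for a key that does not implement a counter (the specification allows a constant zero there).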
Re: TOTP apps, and WebAuthn recommended devices?

2023-03-25 Thread Greg Troxel
Thanks very much for the detailed response.

One thing that's not 100% clear to me:

  One device (plus a second one as a backup!)


A device can fail or be lost, so the backup concept is obvious, and
perhaps should extend to a third.

Are the backup devices independent in that you

  enroll device A on a site

  enroll device B on the same site

and then either one will be accepted by the site to login, and they
otherwise don't have anything to do with each other?  I mean no transfer
of keymat, or other linkage.

So therefore one could have a secondary backup in a place far away
that's somewhat hard to get to, and when visiting it every few months,
enroll that backup as an additional key in the sites that were added to
the working device (carried with you) and the primary backup.

And yes, I realize that one needs physical access control on all the
devices, except that an attack requires pw + one of the devices.


Good point about TOTP and phishing.  Password via password manager and
TOTP mitigates that, as not typing in passwords means autofill needs to
work by URL match.

But, I'm mostly coming from "I need to cope with this world because
various sites are making it required", and I wanted to really understand
before digging in.  Important sites like adafruit, for instance,
supposedly to protect RPI purchases from bots, because nobody could
possibly code a bot that does TOTP, or something like that.

Re: TOTP apps, and WebAuthn recommended devices?

2023-03-25 Thread Martin Husemann
On Sat, Mar 25, 2023 at 02:45:46AM +, Taylor R Campbell wrote:
> [3] If you use FIDO-with-PIN instead of password+FIDO for anything,
> then the FIDO key does become a single point of failure -- and the
> compatibility and user experience is worse.  So I advise you avoid
> that.

Taylor put that far too nicely - the user experience with brain-dead
setups like Office 365 is a disaster and apparently only designed to
push users away from the safe keys to the revenue-generating use of the
provider's "authenticator" app (for those not understanding: it is plain
TOTP and there are free alternatives) or revealing their mobile phone numbers.

Martin


Re: Invisible mouse pointer

2023-03-25 Thread Mayuresh
On Fri, Mar 24, 2023 at 09:33:22PM +, RVP wrote:
> Try toggling the "HWCursor" option. See:

No luck with that!

-- 
Mayuresh