* Petr Pisar: > Exactly. OTP simply does not scale. E.g. > <https://www.yubico.com/cz/product/yubikey-5-nfc/> claims "OTP seeds: 2".
Token2 sells something that has 100 slots, with the appropriate interface to select it. They claim it's programmable from Linux. I don't know Red Hat supports it. > The problem is elegantly solved with asymetric keys where you can safely use > a single key for inifinite number of services. TLS supports authenticating > clients with X.509 certificate for ages. Yet almost nobody implements it. All > Git hosting services support key authentication, yet they have a problem with > X.509. I don't get it. Isn't this a bit like FIDO2? Asymmetric keys makes you depend on supply chain integrity, though. With TOTP, exfiltration is more of theoretical possibility even if you use a hardware token (it would have to have radio and maybe even a SIM card for token recovery at scale). On-device key generation can produce predictable or otherwise recoverable keys, and in some instances, the public key bits are publicly available. This avoids the need for a potential attacker to maintain direct communication with the token. Thanks, Florian -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
