* Petr Pisar:

> Exactly. OTP simply does not scale. E.g.
> <https://www.yubico.com/cz/product/yubikey-5-nfc/> claims "OTP seeds: 2".

Token2 sells something that has 100 slots, with the appropriate
interface to select it.  They claim it's programmable from Linux.  I
don't know Red Hat supports it.

> The problem is elegantly solved with asymetric keys where you can safely use
> a single key for inifinite number of services. TLS supports authenticating
> clients with X.509 certificate for ages. Yet almost nobody implements it. All
> Git hosting services support key authentication, yet they have a problem with
> X.509. I don't get it.

Isn't this a bit like FIDO2?

Asymmetric keys makes you depend on supply chain integrity, though.
With TOTP, exfiltration is more of theoretical possibility even if you
use a hardware token (it would have to have radio and maybe even a SIM
card for token recovery at scale).  On-device key generation can produce
predictable or otherwise recoverable keys, and in some instances, the
public key bits are publicly available.  This avoids the need for a
potential attacker to maintain direct communication with the token.

Thanks,
Florian

-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to