Petr Pisar wrote:
> OTP simply does not scale. E.g.
> <https://www.yubico.com/cz/product/yubikey-5-nfc/> claims "OTP seeds: 2".

That's for the proprietary Yubico OTP. OATH-TOTP for Fedora would use
one of the 64 OATH slots. That's a higher limit, but still finite of
course.

> A problem with the hardware tokens is that you need to select which seed to
> use. That can be done with a button on the device if you choose from
> 2 options.

That's how it's done for Yubico OTP. A short or long touch chooses the
first or second seed. On the other hand, the centralized verification
service gives Yubico the ability to track what service you log in to,
and when.

> It cannot be done if you have to choose from dozens. You would have
> to cotrol the choice from the computer

And that's how it's done for OATH-TOTP.

> The problem is elegantly solved with asymetric keys where you can safely use
> a single key for inifinite number of services. TLS supports authenticating
> clients with X.509 certificate for ages. Yet almost nobody implements it. All
> Git hosting services support key authentication, yet they have a problem with
> X.509. I don't get it.

Maybe it's because the user interface in the browsers is bad, which is
a solvable problem. Or maybe it came too early. Everybody thought a
password was good enough when TLS was new, and now TLS with client
certificates isn't new and shiny anymore.

Anyway, U2F is also designed such that a single hardware token can be
used with an unlimited number of servers.

Björn Persson

Attachment: pgppfelVyHYMG.pgp
Description: OpenPGP digital signatur

-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to