Hi,

> On 15/02/2017 at 01:49, Tad wrote:
>> Hello all,
>>
>> I got tired of loading up Chrome and Authy on my desktop whenever I
>> needed to generate a 2FA code, so I wrote a pass extension:
>>
>> https://github.com/tadfisher/pass-otp

Good job. I wanted to do the same extension, but yours is good enough. Thanks a lot for it.

>> Let me know what you think! I'm certainly willing to make changes and
>> improvements, so any feedback would be appreciated.

Regarding your code, I think it is important to add a test suite.

> On 15/02/17 07:53, Gambiit wrote:
> - 2FA on the same device is not 2FA.

Well, this is not exactly true. The purpose of 2FA is to have a second way to authenticate yourself. It can be something you have (a device, as opposed to something you know (the password)), but it is not mandatory. Therefore, if you have another password repository (or a subfolder) to store your OTP secrets with another GPG key, it is fine. Moreover, you can store this repo on a different device.

However, having the 2FA protected with the same GPG key as the password is indeed not really useful. (Although it would still protect you if the server DB is stolen and your password revealed.)

In conclusion, it always depends on your attacker model and on your own security policy. Therefore, having a pass extension to support OTP makes sense. Recommending that users use a different repo (with a different key) would also make sense.

Alex
