On Tue, Feb 12, 2019 at 12:25 AM Michael Christopher Robinson <[email protected]> wrote:
> inexpensively add GPS equipment to Linux laptops and desktops so that
> in theory I should be able to send my GPS coordinates to the server.
>

GPS only provides "something you know" and not "something you have". So, you would only be using GPS to add some entropy that you could better do with a stronger passphrase. Since you want to allow all of the US, or even at a city-level, it would be relatively easy to iterate through a list of major cities.

If someone was targeting you directly, they could do a quick web search, or get you to visit a website to give away your current IP address. Once they have your IP address, they can do a GeoIP lookup to get your city. They could also try to search for the addresses where you live or recently lived, or even pay to get information from a commercial or hacked database.

> I'm thinking the identify yourself page needs to get you the client to
> send the GPS coordinates and the secret key if you have it in a
> secure manner. If the secret key matches for an accepted device and
> the GPS coordinates land in an acceptable geographic region for that
> device, you are golden.

If by "secret key", you mean a client cert or another type of private key that you use to "sign"/hash/digest instead of sending to the server as-is...then that would count as something you have and could add security. If it's just a key that you send with your password in a form, then it's just the equivalent of increasing the entropy of your password.

I wasn't previously aware that you were running under a copy of apache that you could configure. What Louis mentioned with client certs is one of the easiest solutions and well supported by nginx and apache; you can configure this directly in apache instead of having to do it in rainloop.

If you are worried about someone stealing the secret/client-cert off your computer, or you need to log in from other computers at times, you could also buy a YubiKey and do U2F at the apache level (https://developers.yubico.com/u2fval/Apache_Deployment.html). You could also then use the YubiKey for additional things like local login.

You could also set up a VPN.
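
Added example, not part of the original message or of any project it mentions: a sketch of the distinction drawn above between a key sent as-is in a form and a key used to digest a server challenge. It uses an HMAC over a one-time nonce as a stand-in for a client-cert signature; the class, function names and sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Server:
    """Verifier with one enrolled device key (constructed sample setup)."""

    def __init__(self, device_key: bytes, password: str):
        self.device_key = device_key
        self.password = password.encode()
        self.pending = set()  # nonces issued and not yet consumed

    def login_static(self, password: str, key_sent: bytes) -> bool:
        # The key travels as-is with the password: it behaves like extra
        # password entropy, and the same form fields are accepted every time.
        return (hmac.compare_digest(password.encode(), self.password)
                and hmac.compare_digest(key_sent, self.device_key))

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(32)
        self.pending.add(nonce)
        return nonce

    def login_signed(self, password: str, nonce: bytes, tag: bytes) -> bool:
        if nonce not in self.pending:
            return False  # unknown or already-used challenge
        self.pending.discard(nonce)  # each challenge is single use
        expected = hmac.new(self.device_key, nonce, hashlib.sha256).digest()
        return (hmac.compare_digest(password.encode(), self.password)
                and hmac.compare_digest(tag, expected))


def device_response(device_key: bytes, nonce: bytes) -> bytes:
    # Runs on the client: the key itself never leaves the device.
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


def demo() -> dict:
    key = secrets.token_bytes(32)
    srv = Server(key, "correct horse")  # constructed sample password
    form = ("correct horse", key)       # what a static-key form submits
    n1 = srv.new_challenge()
    tag1 = device_response(key, n1)
    return {
        "static_first": srv.login_static(*form),
        "static_resubmitted": srv.login_static(*form),
        "signed_first": srv.login_signed("correct horse", n1, tag1),
        "signed_same_nonce": srv.login_signed("correct horse", n1, tag1),
        "old_tag_new_nonce": srv.login_signed(
            "correct horse", srv.new_challenge(), tag1),
    }


if __name__ == "__main__":
    print(demo())
```
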
