Re: How do I read result of a QR Code
On Sat, 2024-01-20 at 17:54 -0800, ToddAndMargo via users wrote:
> c) Something you are, such as a biometric. This method
> involves verification of characteristics inherent to the
> individual, such as via retina scans, iris scans, fingerprint
> scans, finger vein scans, facial recognition, voice
> recognition, hand geometry, and even earlobe geometry

The problem with biometrics is that if you're identified by data about you, that data is stolen, and someone can provide it on demand without your presence, you can't change your authentication data. If someone can fake your biodata, they can do it forever. Fingerprints lifted from the glossy surface of your phone, a compromised service that held your data, a fraudulent service that gets you to log into them...

-- 
uname -rsvp
Linux 3.10.0-1160.105.1.el7.x86_64 #1 SMP Thu Dec 7 15:39:45 UTC 2023 x86_64

Boilerplate: All unexpected mail to my mailbox is automatically deleted. I will only get to see the messages that are posted to the mailing list.
--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: How do I read result of a QR Code
On Sat, 2024-01-20 at 22:08 +0100, Walter H. via users wrote:
> not really, because, the knowledge of user and password is somewhere else;

There are a lot of people who'll have an unsecured phone, because it's a pain to them.

> so neither the person who stole your phone (the 2FA device) nor you are
> able to login;
>
> you should not use the phone as all in one:
> - the login device,
> - the 2FA device and also
> - the password manager device

A lot of people will. It's the point of contact, it's the stupid SMS they receive on the same device to confirm it's them, it may be a rolling code generator. I get the impression it's a major reason phones are stolen - identity theft rather than the value of the phone, itself. That, and maybe hoping for nudes.

-- 
Tim
Re: How do I read result of a QR Code
On 1/20/24 13:08, Walter H. via users wrote:
> On 20.01.2024 20:39, Tim via users wrote:
>> On Sat, 2024-01-20 at 20:00 +0100, Walter H. via users wrote:
>>> buy an iPhone ...
>>>
>>> exact this what you want is the other way of it sense;
>>> 2FA = 2 Factor Authentication
>>> example you login on a site, there you have the knowledge of
>>> user and password
>>> and then the 2nd factor, which is a OTP
>>> when you really do this with your fedora, then there is NO 2nd factor,
>>> because when your fedora gets compromised, the 2FA gets compromised, too
>>
>> That's one of my gripes about two-factor authentication - it
>> (typically) uses your phone. Steal someone's phone, and it's
>> everything they need to pretend to be you.
>
> not really, because, the knowledge of user and password is somewhere else;
> so neither the person who stole your phone (the 2FA device) nor you are
> able to login;
>
> you should not use the phone as all in one:
> - the login device,
> - the 2FA device and also
> - the password manager device

https://docs-prv.pcisecuritystandards.org/Guidance%20Document/Authentication/Multi-Factor-Authentication-Guidance-v1.pdf

You have to pick two of the three below.

a) Something you know, such as a password or passphrase.
This method involves verification of information that a user provides, such as a password/passphrase, PIN, or the answers to secret questions (challenge-response).

b) Something you have, such as a token device or smartcard.
This method involves verification of a specific item a user has in their possession, such as a physical or logical security token, a one-time password (OTP) token, a key fob, an employee access card, or a phone’s SIM card. For mobile authentication, a smartphone often provides the possession factor in conjunction with an OTP app or a cryptographic material (i.e., certificate or a key) residing on the device.

c) Something you are, such as a biometric.
This method involves verification of characteristics inherent to the individual, such as via retina scans, iris scans, fingerprint scans, finger vein scans, facial recognition, voice recognition, hand geometry, and even earlobe geometry
Re: How do I read result of a QR Code
On 20.01.2024 20:52, Chris Adams wrote:
> Once upon a time, Tim said:
>> That's one of my gripes about two-factor authentication - it
>> (typically) uses your phone. Steal someone's phone, and it's
>> everything they need to pretend to be you.
>
> That's going to be true of any second-factor device. In theory, MFA is
> "something you know plus something you have", but we use too many
> passwords to "know" them all, so we use password managers.

password managers/safes are ok as long as they are independent from the device used for login ...

> Then the "know" is just one password manager master password... but the
> "have" is often stored in the same password manager (because where else
> are you going to store it?).

a tip: don't store the whole password; e.g. use the stored passwords plus something short only in your head; it might be the same to all used passwords; 3 or 4 signs are enough, e.g. '#A7x'

I know, if doing like this, the password manager isn't simple any more; but as always said: simplicity and security don't go together;
Re: How do I read result of a QR Code
On 20.01.2024 20:39, Tim via users wrote:
> On Sat, 2024-01-20 at 20:00 +0100, Walter H. via users wrote:
>> buy an iPhone ...
>>
>> exact this what you want is the other way of it sense;
>> 2FA = 2 Factor Authentication
>> example you login on a site, there you have the knowledge of
>> user and password
>> and then the 2nd factor, which is a OTP
>> when you really do this with your fedora, then there is NO 2nd factor,
>> because when your fedora gets compromised, the 2FA gets compromised, too
>
> That's one of my gripes about two-factor authentication - it
> (typically) uses your phone. Steal someone's phone, and it's
> everything they need to pretend to be you.

not really, because, the knowledge of user and password is somewhere else;
so neither the person who stole your phone (the 2FA device) nor you are able to login;

you should not use the phone as all in one:
- the login device,
- the 2FA device and also
- the password manager device
Re: How do I read result of a QR Code
Once upon a time, Tim said:
> That's one of my gripes about two-factor authentication - it
> (typically) uses your phone. Steal someone's phone, and it's
> everything they need to pretend to be you.

That's going to be true of any second-factor device. In theory, MFA is "something you know plus something you have", but we use too many passwords to "know" them all, so we use password managers. Then the "know" is just one password manager master password... but the "have" is often stored in the same password manager (because where else are you going to store it?).

It still helps, because while people may re-use passwords (so one breach can lead to access at other sites), the 2FA codes are unique per site (so breaching one site won't lead to other sites). The password/MFA code master password (and encryption) is the single point of security then, but that's still usually harder to breach.

Most devices have "good enough" security, so someone getting your device doesn't help them unless they get it in an unlocked state (and even then, gets ONE person breached, not a million). But at that point, you're also down to the wrench attack.
https://xkcd.com/538/

tl;dr: login security is hard
-- 
Chris Adams
Re: How do I read result of a QR Code
On Sat, 2024-01-20 at 20:00 +0100, Walter H. via users wrote:
> buy an iPhone ...
>
> exact this what you want is the other way of it sense;
>
> 2FA = 2 Factor Authentication
>
> example you login on a site, there you have the knowledge of
> user and password
>
> and then the 2nd factor, which is a OTP
>
> when you really do this with your fedora, then there is NO 2nd factor,
> because when your fedora gets compromised, the 2FA gets compromised, too

That's one of my gripes about two-factor authentication - it (typically) uses your phone. Steal someone's phone, and it's everything they need to pretend to be you.

-- 
Tim
Re: How do I read result of a QR Code
On 17.01.2024 01:54, ToddAndMargo via users wrote:
> On 1/16/24 15:44, Samuel Sieb wrote:
>> On 1/16/24 15:42, Samuel Sieb wrote:
>>> On 1/16/24 14:58, ToddAndMargo via users wrote:
>>>> On 1/16/24 14:29, Barry wrote:
>>>>> On 16 Jan 2024, at 20:43, ToddAndMargo via users wrote:
>>>>>> "keysmith" looks like it is "creating" the things, not reading them.
>>>>>> Am I missing something?
>>>>>
>>>>> You mean creating the 6 digit codes? Isn’t that the point?
>>>>> Barry
>>>>
>>>> The opposite! I want to decode the Rorschach splotch (OTP) when it is
>>>> presented to me, so I can enter the number into the multifactor
>>>> authentication challenge.
>>>
>>> You are misunderstanding how this works. That QR code contains a secret
>>> value that lets the OTP application generate the 6 digit codes as needed.
>>> There is no actual code in the QR code.
>>
>> To clarify further, you only need the QR code *once*. After that, you use
>> the application to give you the code you need when asked for.
>
> This is what I am after. A program presents a QR splotch. A user scans it
> with their Android phone and reads it into FreeOTP. FreeOTP coughs out a
> six digit code, which I enter. I want to do this without the Android.

buy an iPhone ...

exact this what you want is the other way of it sense;
2FA = 2 Factor Authentication
example you login on a site, there you have the knowledge of user and password
and then the 2nd factor, which is a OTP
when you really do this with your fedora, then there is NO 2nd factor, because when your fedora gets compromised, the 2FA gets compromised, too