On 4/8/22 13:28, Björn Persson wrote:
> Michael Catanzaro wrote:
>> On Thu, Apr 7 2022 at 12:30:42 PM -0400, Stephen Gallagher 
>> <[email protected]> wrote:
>>> Well, it *could* grow an interface to some of the password wallet
>>> services that support TOTP or HOTP codes (like Bitwarden, Lastpass,
>>> 1password, etc.) and configure it to query that service and append the
>>> code to the password. It doesn't help if you want/need a physical
>>> token, though.  
>>
>> Good idea. Of course we'd probably want to use GNOME Keyring for this 
>> (which does not currently support third-party services, but could in 
>> the future). I suppose gnome-online-accounts would only need to store 
>> the TOTP/HOTP seed and some config data.
> 
> This sounds like you would store the password and the TOTP seed
> together in the same keyring. That's rather pointless. If you store two
> secrets together, then they are effectively a single secret, and the
> TOTP just adds an unnecessary step to the authentication protocol. It's
> better to generate a long random key for your "password", store that in
> your keyring, and not bother with TOTP.
> 
> Two-factor authentication is when you have two secrets stored in two
> different storage media, for example one in Gnome Keyring and the
> other in a Yubikey.
> 
> If the keyring is encrypted with a master passphrase, then that's also
> two-factor authentication. The encrypted key stored in the keyring is
> one factor, and the master passphrase stored in the user's brain is the
> other factor. In that case a TOTP seed stored in a Yubikey becomes a
> third factor.

That is basically what I do.  I use full disk encryption, which means
that the entire drive (not just the keyring) is encrypted.  That is one
factor, and the keyring is the other.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
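The thread above talks about TOTP/HOTP codes being fetched from a keyring and appended to a password, and about why a seed stored next to the password is not an independent factor. The following is an added example, not code from the thread or from gnome-online-accounts or GNOME Keyring: a minimal RFC 4226 / RFC 6238 implementation with a server-side verifier, plus a hypothetical `assemble_credential` function that models the "append the code to the password" flow. The keyring entry shape, the password value and the function names are assumptions for illustration; the secret is the public test key from the RFCs, so the codes can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct

# Constructed test secret: the ASCII key used by the RFC 4226 / RFC 6238 test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    if counter < 0:
        raise ValueError("HOTP counter must be non-negative")
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)      # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of time steps since t0."""
    return hotp(secret, (unix_time - t0) // step, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, unix_time: int, window: int = 1,
                step: int = 30, t0: int = 0, digits: int = 6) -> bool:
    """Server-side check: accept the code for the current step and +/- `window`
    neighbouring steps (clock skew), comparing in constant time so a failed
    comparison does not leak how many digits matched."""
    current = (unix_time - t0) // step
    for skew in range(-window, window + 1):
        counter = current + skew
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return True
    return False


def assemble_credential(entry: dict, unix_time: int) -> str:
    """The 'append the code to the password' flow discussed in the thread, on a
    hypothetical keyring entry that holds both the password and the TOTP seed.
    Nothing outside the entry is needed to produce the full credential, which is
    exactly why the seed and password together behave as one secret."""
    return entry["password"] + totp(entry["totp_seed"], unix_time)


if __name__ == "__main__":
    # Constructed keyring entry: the seed is the RFC test key, the password is made up.
    entry = {"password": "correct-horse", "totp_seed": RFC_TEST_SECRET}
    print(assemble_credential(entry, 59))   # prints correct-horse287082
```

`hotp` and `totp` are the standard algorithms and reproduce the RFC test vectors (for example `totp(RFC_TEST_SECRET, 59, digits=8)` is `94287082`). The verifier's skew window is a deliberate trade-off: each extra step accepted widens the set of valid codes, so keep it small. `assemble_credential` shows Björn's point in code: a client that can read the keyring entry can mint the whole credential, so the TOTP adds no second factor unless the seed lives on a separate device.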