Dear Mick, dear all:

On 05.08.24 at 09:06, Michael Kjörling wrote:
> On 5 Aug 2024 05:31 +0800, from wes...@mxcloud.eu.org (Wesley):
>> OT question, can debian desktop run a simulator for phone app?
>
> Absolutely yes. But that's not going to help anyone in this thread.
>
> If OP thinks a password manager is "more complicated than needed",
> then what isn't running a hardware emulator + whole operating system +
> Who knows what?

I suspect that some contributors to this thread might have gotten Mick's original question wrong, which is about 2FA, to require a passphrase _and_ a one-time (TOTP) token. And that you, dear Mick, might have gotten the purpose of 2FA wrong. No offense intended.

Let's all take a step back, and take a broader look. So please bear with me and read me out. I'm up for any challenge to be proven wrong. (because presumably I am)

2FA is intended to raise the bar of stealing your login from just one leaked known secret (username/passphrase) to two _strictly_ separate bars. The latter must not be yet another secret, but might be physical custody of some given device. In that way, a merely leaked passphrase won't give immediate access to your login, neither would that device, if only that was stolen.

Still those two factors ought to be secure each by themselves. Passphrases are supposed to be un-guessable even by brute-force, so they better be very complex; also they're not supposed to be re-used for multiple accounts. For that very reason, passphrase "managers" (vaults) exist. They must be strongly encrypted, and local only. But for reasonable security, they don't suffice. Why not?

Their weak points are: Blackhats might either:

1. intercept your passphrase while authenticating, or
2. steal them from your passphrase-encrypted vault, if your local account or machine has been compromised, or
3. steal them from where you're authenticating against, if stored there insecurely.

For 3., that should be salted strong hash algorithms. More often than not, that's not the case. You can never know. All three of the above shouldn't happen, but all of them have happened, do happen, and will continue to happen.

Take your guess where all the passphrase lists on the darknet are coming from. Some might be MD5 or SHA1 hashed, both of which are weak, or the salt might be poorly chosen. Unless you know for certain, assume each of your passphrases to be potentially compromised, or compromisable.

That's where 2FA kicks in: Your passphrase alone, which might've been compromised, won't unlock your authentication, but requires you to possess/provide an independent factor, that would ideally not be compromised simultaneously with your passphrase or with your local account. That might well be a cellphone receiving a text message, or an app that performs TOTP. (both of which are not inherently secure, but much better than nothing) Or maybe, much better, a hardware token.

If I understand you correctly, Mick, you're considering moving your TOTP factor out of an independent device towards your local debian machine for convenience, so you'd be giving away the second authentication factor to anyone who's compromised your local account, that you were defending against in the first place. Please tell me you're not shooting yourself in the foot.

It's your choice, Mick. Debian includes several programs that do TOTP. But for 2FA to have any meaningful effect, the factors need to be independent, or else you might as well ditch 2FA altogether. Are you seeking security, or are you seeking convenience? Both maybe? Then keep your credentials separate. Feel free to use your debian machine as an encrypted passphrase vault, and make another separate device your 2nd factor. Or vice-versa. Just know what you are doing.

Now on my own behalf, thanks to anyone for reading this far and for trying to understand my point. I'd love to see any flaws in my argument being challenged. Your security decisions are inherently yours. I'm not a lawyer. Keep your security up, and take care.

Despite being German: Keep smiling. :) I'll smile back (: Even we do cheer sometimes, if necessary ;)

Have a nice day
-- 
Kevin Price
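Point 3 of the message (credentials stored insecurely on the server side, "that should be salted strong hash algorithms") is easy to see in code. The following is an added example, not code from the thread: it contrasts an unsalted MD5 digest with a salted, iterated PBKDF2-HMAC-SHA256 digest from Python's standard library. The sample user records are constructed; the `pbkdf2_sha256$iterations$salt$hash` storage format, the iteration count and the function names are this example's own conventions.

```python
"""Why a leaked table of unsalted MD5 digests is close to a leaked passphrase
list, while a salted slow hash is not. Added example for the 2FA thread."""
import hashlib
import hmac
import os

# Constructed sample accounts; two of them reuse the same passphrase.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "battery staple"}


def weak_md5(password: str) -> str:
    """What far too many breached sites stored: fast, unsalted, lookup-able."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; salt and cost stored with the digest."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/cost and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format: " + algo)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_digest_count(hash_fn, users: dict) -> int:
    """Number of stored digests that appear for more than one user.

    With unsalted MD5, every reuse of a passphrase is visible in the dump and
    one dictionary lookup covers all of them; with per-user salts the count is 0.
    """
    digests = [hash_fn(pw) for pw in users.values()]
    return sum(1 for d in set(digests) if digests.count(d) > 1)


if __name__ == "__main__":
    print("MD5 digests shared across users:", shared_digest_count(weak_md5, SAMPLE_USERS))
    print("PBKDF2 digests shared across users:",
          shared_digest_count(hash_password, SAMPLE_USERS))
    rec = hash_password("battery staple")
    print("verify correct passphrase:", verify_password("battery staple", rec))
    print("verify wrong passphrase:", verify_password("battery stapler", rec))
```

Run with `python3 thisfile.py`; `shared_digest_count` with `weak_md5` reports 1 shared digest for the constructed sample (alice and bob collide), while the salted variant reports 0. Even so, the message's advice stands: because you cannot know which scheme a given site uses, treat every passphrase as potentially compromised and keep the second factor on separate hardware.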