Security notes / One-Time Passwords: Difference between revisions
Jump to navigation
Jump to search
(Created page with "{{SecurityRelated}} <!-- So, passwords fail backward secrecy and some concepts like it: : If it is found today, it can be used in the future. : Also, it means people can spy on you, and you will only learn about that when they change something drastically, like locking ''you'' out. Wouldn't it be great if the thing that logs you in today is never useful again? Well sure, but doesn't that mean I now need to learn a new password every day (or use)? Or a way of bas...") |
mNo edit summary |
||
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
{{#addbodyclass:tag_tech}} | |||
{{#addbodyclass:tag_security}} | |||
{{SecurityRelated}} | {{SecurityRelated}} | ||
===On one-time passwords=== | |||
<!-- | <!-- | ||
'''Why?''' | |||
So, passwords fail [[backward secrecy]] and some concepts like it: | So, passwords fail [[backward secrecy]] and some concepts like it: | ||
| Line 59: | Line 64: | ||
Yubikey | Yubikey | ||
--> | |||
===On authenticators=== | |||
<!-- | |||
'Authenticator' just means "a thing that helps you authenticate" which is vague about what it is, and how good it is in terms of security. | |||
It often points towards either | |||
* a '''hardware authenticator''' | |||
: or rather the specific authentication exchange that it does, often made more secure by having a shared secret of some form | |||
* an '''authenticator app''' | |||
: doing the same in software | |||
In some cases these have almost identical function, | |||
but they can have very different security implications, | |||
in ways you can't easily explain to 99% of the world. | |||
Ideally, whether it | |||
is a physical device (we often call this a physical token, which isn't the clearest name), or | |||
is an app | |||
doesn't matter too much, | |||
in that knowing how it works does not make it less secure. | |||
'''How they work''' varies, but methods include: | |||
Many amount to a separate device that does | |||
* challenge-response ''based on'' a shared secret and a [[nonce]] | |||
: requires input | |||
: e.g. various banking tokens have done this for a long while | |||
* One-Time Passwords - Time based | |||
: e.g. TOTP | |||
: e.g. [https://en.wikipedia.org/wiki/RSA_SecurID RSA SecurID] | |||
* One-Time Passwords - counter based | |||
: e.g. HOTP {{comment|(stands for HMAC based)}} | |||
: meaning that if copied and used, you will notice (can no longer sign in ) | |||
Phone authenticator apps (e.g. Google Authenticator, Microsoft Authenticator, Authy) tend to support TOTP, HOTP, and some further specific things. | |||
Note that if you only use TOTP or HOTP, it doesn't matter which one you use {{comment|(though the more fancy, closed, or and cloudy they are, the more unknown weaknesses they may have - multiple popular password manages have had questions raised)}}. | |||
Note that OTP ''may'' not be otherwise protected. | |||
: because they are assumed to be 'something you have' and not protect against physical attacks | |||
: means no exchange is necessary | |||
: also makes it less bothersome to use | |||
That said, for phone apps there ''is'' | |||
--> | --> | ||
Latest revision as of 00:20, 22 April 2024
| Security related stuff.
Securing services
Unsorted - · Anonymization notes · website security notes · integrated security hardware · Glossary · unsorted |