

Introducing Authy for your personal computer - jstejada
http://blog.authy.com/authy-for-pc

======
a2b
Anyone else think this is a really really bad idea?

– Phishing attack prevention is a sham. It’s going to work for as long as
attackers are not aware that someone’s running Authy. After that, there is
nothing that stops the attacker from opening the whitelisted URL in a
different tab in addition to the phishing one.

– Saying that Authy for PC is "no worse" than using a separate device because
of session tokens is misleading. Many websites reject session tokens when a
user is logging in from a new location/IP, which is why 2FA is there in the
first place.

– Above all, 2FA enables precise auditing. This is no longer possible with such
automation. Malware that gets access to a computer can copy the Authy installation
to its servers, and then fully erase itself to avoid detection. It can then
access the user’s data months after the time of the attack, completely undetected.

– Using Bluetooth to automatically connect with the phone is equally bad. Part
of the idea behind 2FA is that the machine that the user is operating is
considered compromised until (or even after) it is authenticated. Allowing a
Bluetooth connection directly into the phone from a machine like that compromises
security.

------
ISL
I read this title as introducing two-factor authentication software _for_ my
home machine.

Is it straightforward to implement 2FA with Authenticator or similar on a
Debian box?

~~~
2bluesc
It's as easy as installing a PAM module, enabling challenge-response for
OpenSSH, and then generating a secret.

I set this up yesterday on an Ubuntu 14.04 VPS using this guide:
[https://www.digitalocean.com/community/articles/how-to-prote...](https://www.digitalocean.com/community/articles/how-to-protect-ssh-with-two-factor-authentication)

It's worth noting that private ssh keys work without 2FA and all password
logins are required to use 2FA. That's the security policy I was looking for.
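
The policy described in this comment (SSH keys log in without an OTP, password logins must pass the PAM OTP module) is worth verifying after following such a guide. The check below is an added example, not code from the commenter or from the linked guide. It uses real OpenSSH directives and the real `pam_google_authenticator.so` module name; the two config excerpts are constructed samples of what the end state looks like, and the function names are mine.

```shell
#!/bin/sh
# Constructed sample excerpts of /etc/ssh/sshd_config and /etc/pam.d/sshd
# (not copied from any real host) showing the intended end state.
SSHD_CFG=$(mktemp); PAM_CFG=$(mktemp)
trap 'rm -f "$SSHD_CFG" "$PAM_CFG"' EXIT
cat >"$SSHD_CFG" <<'EOF'
# sshd_config excerpt: OTP prompts arrive via keyboard-interactive (PAM)
ChallengeResponseAuthentication yes
UsePAM yes
# Disabling plain "password" auth forces password logins through the
# keyboard-interactive PAM conversation, so the OTP prompt cannot be skipped.
PasswordAuthentication no
PubkeyAuthentication yes
EOF
cat >"$PAM_CFG" <<'EOF'
# /etc/pam.d/sshd excerpt: system password check, then the OTP module
@include common-auth
auth required pam_google_authenticator.so
EOF

# sshd_opt FILE KEYWORD -> prints the effective value of KEYWORD.
# sshd honours the first occurrence of a keyword, case-insensitively.
sshd_opt() {
  awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# pam_has_otp FILE -> success if the OTP module is mandatory in the auth stack.
pam_has_otp() {
  grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_google_authenticator\.so' "$1"
}

# check_ssh_2fa_policy SSHD_CONFIG PAM_FILE -> success only when every
# setting needed for "keys skip OTP, passwords require OTP" is in place.
check_ssh_2fa_policy() {
  rc=0
  [ "$(sshd_opt "$1" ChallengeResponseAuthentication)" = yes ] ||
    { echo "ChallengeResponseAuthentication must be yes"; rc=1; }
  [ "$(sshd_opt "$1" UsePAM)" = yes ] ||
    { echo "UsePAM must be yes"; rc=1; }
  [ "$(sshd_opt "$1" PasswordAuthentication)" = no ] ||
    { echo "PasswordAuthentication should be no (else OTP can be bypassed)"; rc=1; }
  [ "$(sshd_opt "$1" PubkeyAuthentication)" != no ] ||
    { echo "PubkeyAuthentication is disabled; keys cannot log in at all"; rc=1; }
  pam_has_otp "$2" ||
    { echo "pam_google_authenticator.so is not required in $2"; rc=1; }
  return $rc
}

# Usage on a real host: check_ssh_2fa_policy /etc/ssh/sshd_config /etc/pam.d/sshd
check_ssh_2fa_policy "$SSHD_CFG" "$PAM_CFG" && echo "policy OK: keys skip OTP, passwords need OTP"
```

Public-key logins never enter the PAM `auth` stack, which is why keys bypass the OTP without any extra configuration; the check therefore concentrates on making sure no password path exists that avoids keyboard-interactive.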

------
CodeMage
Hell, no! Sure, 2FA was never designed to protect against device theft, but
keeping the authenticator on a separate device helps a lot.

------
zobzu
That stuff only protects from server-side secrets compromise. I don't know, but
if I'm using something inconvenient like 2FA, I want it to protect my
credentials client-side too.

