
2FA is great for the web UI, but none of these vendors make it particularly easy to enforce 2FA on the command line.



I use Krypt.co. It stores my private key in my mobile device only. I can hook up any device to use it as my SSH key, but the key never leaves the device. Instead, it signs all requests only once I authorize them interactively.


An ssh key is 2FA


An SSH key is one factor. There are various methods for protecting the key with additional factors, but none of the git hosts provide a way to require those additional factors. So as an org owner you're left either trusting every one of your users not to get sloppy with keys, or installing spyware on their computers to make sure they're not using unprotected keys.


How so? An SSH key is a single factor. You could argue that a password-protected private key provides a second factor, but that still falls in the category of "something you know."


How many people can recite their SSH key? Surely an SSH key is "something you have".


Having two different static passwords on an account isn't actually two different factors, whether you can recite them or not.

The fact that one time passwords expire and change is what makes them a different factor than a static password.


> The fact that one time passwords expire and change is what makes them a different factor than a static password.

If you're getting your 2FA code by SMS message or the like, this can be true.

If you're using TOTP (e.g. Google Authenticator), that's just as static as your other passwords. The TOTP code never expires nor changes. What changes is the code you're supposed to send over the wire.


Eh? TOTP codes usually expire in 60 seconds, so in most cases even if you accidentally leak it, it will be safe.

(and you are not likely to leak it anyway -- with something that changes that often, you are not going to have an incentive to write it to files)


A 60-second TOTP code is a fully deterministic function of a permanent, unchangeable secret. That's why you and the server can agree on what the code should be without needing to communicate beyond setting up the code originally.

This makes it identical to a password from a theoretical perspective. There's really no difference between a TOTP secret that you keep in a TOTP app and haven't memorized, and a password you keep in your password manager and also haven't memorized. Both are "something you know", and nothing else.

You're correct that leaking a temporary code from a single login attempt doesn't compromise the TOTP secret. That is an artifact of the login process, not of whether the mechanism is labeled "2FA" or "password". You can do the same thing while calling the secret a password: https://en.wikipedia.org/wiki/Secure_Remote_Password_protoco...
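The claim above (a TOTP code is a deterministic function of a permanent shared secret plus the clock) is easy to see in code. The following is an added example, not something posted in this thread: a minimal RFC 4226 HOTP / RFC 6238 TOTP implementation in Python, using the RFCs' published reference secret `12345678901234567890` as a constructed test value. It also includes the server-side check a verifier would actually run, with a small drift window and a constant-time comparison, to show why leaking one 30-second code does not leak the secret that produced it.

```python
# Added example (not from the thread): RFC 4226 HOTP and RFC 6238 TOTP in
# plain Python, to show that the six-digit code is a pure function of a
# long-lived shared secret plus a counter derived from the clock.
import hashlib
import hmac
import struct
import time

# Reference secret from RFC 4226 / RFC 6238 ("12345678901234567890" as ASCII).
# Constructed test value taken from the RFCs, not a real credential.
REFERENCE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` time steps of clock drift.

    Uses a constant-time comparison so the check does not leak how many
    leading digits of the candidate matched.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def both_sides_agree(secret: bytes, unix_time: int) -> bool:
    """Client and server exchange nothing after enrollment: each derives the
    same code independently from the shared secret and its own clock."""
    client_code = totp(secret, unix_time)
    server_code = totp(secret, unix_time)
    return client_code == server_code


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the reference secret:", totp(REFERENCE_SECRET, now))
    print("same secret, same clock, same code:", both_sides_agree(REFERENCE_SECRET, now))
    # The code changes every 30 s; the secret that produced it never does.
    print("step 1 (t=30..59):", totp(REFERENCE_SECRET, 59),
          "step 2 (t=60..89):", totp(REFERENCE_SECRET, 60))
```

The HMAC output is truncated to a few digits, so a captured code cannot be inverted to recover the secret; the secret itself, however, is exactly as static as a password, which is the point being argued above. A verifier should also remember each accepted code for the current window so the same code cannot be replayed within its validity period.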


I disagree, I believe TOTP belongs firmly in the "something you have" category. You cannot memorize a TOTP password, nor can you store it in your password manager. You also cannot pass that knowledge to another person. So this is more like a public key than a password.

Ultimately, everything is a "permanent, unchangeable secret", including private keys and biometric data. Where the data is stored and how it is accessed makes all the difference.

I could not find the original definition of "something you have", but modern standards like PCI actually give OTP auth as an example of "something you have" (p. 4 of [1])

(I am not looking at the degenerate case of running TOTP app on the same device / same security domain -- it does not describe most cases, and there are some fairly straightforward technical measures to defeat this)

[1] https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authe...


> You cannot memorize a TOTP password, nor can you store it in your password manager. You also cannot pass that knowledge to another person.

But none of these things are true. For example, my most recent job involved sharing a 2FA-protected online account. We all had the code.


Sorry, "none of these things are true" in your environment. They are certainly true for other people; in fact, I bet they are true for the majority of them.

I think the analogy to physical house keys is very helpful. What did your work do?

Did you show the enrollment QR code, and multiple people scanned it --> this is like duplicating house key.

Did you put the key into password manager -> this is like that combination lockbox that releases house key if you enter the right combination.

People do all sorts of unusual things, this does not change the properties of intended usage.


> They are certainly true for other people; in fact, I bet they are true for the majority of them.

Well, no. Everyone who uses TOTP, without exception, has their secret stored in a password manager. That's what the TOTP app or device is.


There is a big difference between TOTP app/device and a password manager.

The password manager returns passwords directly. They can be viewed, memorized, passed to another person, copied to another device, or checked into git.

With TOTP, there is a private key inside, but it is not accessible to the user. You cannot view it or memorize it, nor can you pass it to another person or check it into git. It is purely an implementation detail which is not exposed in any way.

Disclaimer: this is the case with classical TOTP devices, like an RSA SecurID hardware token or an un-rooted Android phone running Google Authenticator. I have those, and everyone I know has them as well.

There are exceptions, like people using LastPass 2FA or people who store TOTP secret on their PC. This is not intended usage, and it does not matter for most users.


> nor can you store it in your password manager

Some 2FA apps also allow you to back up your codes to a cloud service.


Yes, but I put it into the category of "unsafe things that defeat the point of the mechanism".

For example, you can put your spare house key under the doormat. This effectively makes the lock on your house door require "something you know" (you need to know where the key is stored).

However, that does not mean that we can say that all keys are "something you know". The fact that many people have decided to compromise their security does not reflect on the intended use of locks and keys.


Agreed. But I think it goes to show how blurry the line is between "know" and "have."


A TOTP challenge is also "something you know", which is a really large portion of total "2FA".


Exactly. PATs are designed to circumvent human intervention (MFA) for authentication in order to support automation. I am very curious if there's a better way than PATs.


ssh keys with a passphrase?


SSH keys on a YubiKey



