Mailing List Archive



Re: [tlug] Subsidized FIDO U2F security keys



On 2015-10-03 14:35 +0900 (Sat), Jim Tittsler wrote:

> GitHub has recently gotten the 2 factor authentication religion.

While they have, you want to be very careful about what the GitHub folks
say when they talk about security. They are rather confused about what
two factor authentication is. For example, in a blog post[1] they refer
to TOTP as two-factor authentication[2], though TOTP is clearly no such
thing. (Google correctly refers to adding TOTP to standard password
authentication as "two-step" authentication.)

(TOTP is a shared password system where the password itself is
available to GitHub in cleartext form, and thus could be stolen via
a server compromise, unlike the passwords you use for their standard
authentication, which I am pretty sure are stored in well-designed
hashed format that currently nobody knows how to reverse.)

[1]: https://github.com/blog/1614-two-factor-authentication
[2]: https://help.github.com/articles/configuring-two-factor-authentication-via-a-totp-mobile-app

cjs
-- 
Curt Sampson         <cjs@example.com>         +81 90 7737 2974

To iterate is human, to recurse divine.
    - L Peter Deutsch

