11-23-2023, 11:05 PM
(This post was last modified: 11-23-2023, 11:06 PM by Kevin Kofler.)
(11-21-2023, 11:49 PM)zetabeta Wrote: one example is 2FA. There is TOTP, which I think is a good generic standard, but organizations go with closed options, quite often using push messages.

Well, the thing is, TOTP is a standard that puts the user in control and does not lock the user into a particular device, but that means the other end has no way to enforce that you do not store the password and the secret from which the TOTPs can be generated on the same device, nor even that you store the secret only on one device. (Hint: You can input the secret into as many apps and devices as you want. The same applications that run on the PinePhone also run on your GNU/Linux desktop/notebook, e.g., Keysmith or GNOME Secrets. You can even copy the Keysmith config file 1:1 between GNU/Linux machines including the PinePhone; you do not even need the plain text secret for that. But there is also nothing preventing you from saving the secret in plain text somewhere.) I personally like that flexibility, but I can see why that raises a red flag for the "security" people at banks who always want to force their "security" mechanisms on everyone whether they want it or not.
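The point made in the post above (the TOTP secret is a plain shared value, so the server cannot tell which, or how many, devices hold it) is easy to see in code. The following is an added example, not code from the post, from Keysmith, or from GNOME Secrets: a minimal RFC 6238 TOTP implementation on top of RFC 4226 HOTP, a server-side check with the usual one-step drift window, and a "second device" that merely receives the same base32 secret string an enrollment QR code or a copied config file would carry. The secret used is the RFC 4226/6238 test secret (ASCII "12345678901234567890"), so the codes can be checked against the RFC test vectors; `device_code` and `verify_totp` are names chosen here for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation, decimal mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step, digits, algorithm)


def decode_base32_secret(encoded: str) -> bytes:
    """Decode the base32 secret as found in otpauth:// URIs and authenticator config files.
    Authenticator apps usually accept it unpadded and with spaces, so normalise first."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def device_code(base32_secret: str, unix_time: int) -> str:
    """What any app that has been given the secret string produces.
    Nothing in this computation identifies the device; only the secret and the clock matter."""
    return totp(decode_base32_secret(base32_secret), unix_time)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check with a drift window of +/- `window` steps.
    The server sees only (secret, time, code); a code from a copied secret is indistinguishable."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# Constructed demo using the RFC 4226 / RFC 6238 test secret, not a real enrollment.
RFC_TEST_SECRET = b"12345678901234567890"
RFC_TEST_SECRET_B32 = base64.b32encode(RFC_TEST_SECRET).decode()  # GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ


def demo() -> dict:
    """Show that two independent holders of the same secret pass the same server check."""
    now = 59  # RFC 6238 test time; hotp counter 1, expected code 287082
    phone = totp(RFC_TEST_SECRET, now)              # "device 1": the original enrollment
    laptop = device_code(RFC_TEST_SECRET_B32, now)  # "device 2": fed the same base32 string
    return {
        "phone": phone,
        "laptop": laptop,
        "server_accepts_phone": verify_totp(RFC_TEST_SECRET, phone, now),
        "server_accepts_laptop": verify_totp(RFC_TEST_SECRET, laptop, now),
    }


if __name__ == "__main__":
    print(demo())
    print("current code for the test secret:", totp(RFC_TEST_SECRET, int(time.time())))
```

The drift window in `verify_totp` is the reason a code remains valid for up to about a minute; it is also why an accepted code says nothing about where it was generated. The only thing a server can enforce on top of this is refusing a code that was already used in the same window, which limits replay but still does not bind the secret to one device.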