this post was submitted on 26 Jun 2024
303 points (95.8% liked)

Cybersecurity - Memes

1995 readers
1 users here now

Only the hottest memes in Cybersecurity

founded 1 year ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 3 points 5 months ago (1 children)

Btw with TOTP the server has your secret credentials too, pretty crazy.

[–] [email protected] 6 points 5 months ago (1 children)

Yes, shared secret based, but not a big deal because it is machine generated and unique per account. The 'server has your credential' is only a problem if the credential is reused across services. If you have access to read TOTP secrets from the server, you probably don't need those TOTP secrets to further compromise the service.

But webauthn/passkey is a better approach. Properly managed SSH keys are good too, but folks aren't too happy about how ssh keys are commonly pretty lax. Client certificates similarly would have worked, but never took off. Similar story for smartcards.

[–] [email protected] 1 points 5 months ago* (last edited 5 months ago)

I am in the process of buying a Nitrokey 3 Mini!

Gonna test some stuff, like Secure Element LUKS encryption on my old Thinkpad