From nobody Thu Sep 15 23:38:35 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4MTDDS5yNsz4cjNY; Thu, 15 Sep 2022 23:38:48 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [IPv6:2a01:4f9:c011:3eaf::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4MTDDQ4L09z46Rd; Thu, 15 Sep 2022 23:38:46 +0000 (UTC) (envelope-from des@des.no) Received: from ltc.des.no (unknown [84.211.31.80]) by smtp.des.no (Postfix) with ESMTPSA id A302D26161; Thu, 15 Sep 2022 23:38:35 +0000 (UTC) Received: by ltc.des.no (Postfix, from userid 1001) id 435B4924D4; Fri, 16 Sep 2022 01:38:35 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: grarpamp Cc: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org, freebsd-current@freebsd.org Subject: Re: Putting OPIE to rest In-Reply-To: (grarpamp@gmail.com's message of "Thu, 15 Sep 2022 19:00:32 -0400") References: <86h718sqdx.fsf@ltc.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.1 (berkeley-unix) Date: Fri, 16 Sep 2022 01:38:35 +0200 Message-ID: <86czbwryx0.fsf@ltc.des.no> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Rspamd-Queue-Id: 4MTDDQ4L09z46Rd X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of des@des.no designates 2a01:4f9:c011:3eaf::2 as permitted sender) smtp.mailfrom=des@des.no X-Spamd-Result: default: False [-2.67 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-0.999]; NEURAL_HAM_LONG(-1.00)[-0.999]; NEURAL_HAM_SHORT(-1.00)[-0.999]; R_MIXED_CHARSET(0.62)[subject]; R_SPF_ALLOW(-0.20)[+mx]; MIME_GOOD(-0.10)[text/plain]; FREEMAIL_TO(0.00)[gmail.com]; ASN(0.00)[asn:24940, ipnet:2a01:4f9::/32, country:DE]; MIME_TRACE(0.00)[0:+]; MLMMJ_DEST(0.00)[freebsd-current@freebsd.org,freebsd-hackers@freebsd.org,freebsd-security@freebsd.org]; R_DKIM_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; FREEFALL_USER(0.00)[des]; ARC_NA(0.00)[]; RCVD_TLS_LAST(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; RCPT_COUNT_THREE(0.00)[4]; DMARC_NA(0.00)[des.no]; RCVD_VIA_SMTP_AUTH(0.00)[] X-ThisMailContainsUnwantedMimeParts: N grarpamp writes: > OPIE is the only PAM that allows printing out the future > secure tokens. Old school, secure, it just works. > > HOTP requires hardware, TOTP requires time, > neither are printable, both of those require some other > [hackable] hw/sw device that costs $$$ money, and > those devices all have different threat/failure/admin models > than simple paper. Neither HOTP nor TOTP require dedicated devices. HOTP codes are sequential and can be pre-generated and printed if that's what you prefer. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no