[tor-talk] Tor-Friendly Two-Factor Authentication?
Scott Arciszewski
scott at paragonie.com
Sat Jun 11 20:55:19 UTC 2016
On Sat, Jun 11, 2016 at 3:18 AM, Flipchan <flipchan at riseup.net> wrote:
> Let me answer this for u :) use pgp, if c a lot of ppl that use Google's
> stuff but all gets sent back to Google so i wouldn't want them to get my
> data, github.com/flipchan/blogger i created 2factor so if the usr got a
> pgp fingerprint it will be redirected to 2factor.html after login, then u
> generate a code (string of chars) and encrypt it with X user's fingerprint
> and give it 2min to decrypt, that's pgp :)
>
> Scott Arciszewski <scott at paragonie.com> skrev: (11 juni 2016 03:58:16
> CEST)
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA256
> >
> >Hi,
> >
> >I'm developing a CMS platform called Airship and I'd like to make it
> >as Tor-friendly as possible.
> >
> >Someone from the community suggested Two-Factor Authentication, but as
> >far as I'm aware there aren't many good options:
> >
> >* SMS-based authentication requires a phone number, which is
> >identifying information
> >* Google Authenticator requires a Google Account, which now-a-days
> >requires surrendering your phone number to Google
> >* FIDO U2F requires users to purchase separate hardware devices which,
> >while cheap, aren't already in the arsenal of most netizens
> >
> >I was curious if anyone in/around Tor was aware of any
> >privacy-preserving 2FA initiatives.
> >
> >Thanks a lot,
> >
> >Scott Arciszewski
> >Chief Development Officer
> >Paragon Initiative Enterprises
> >-----BEGIN PGP SIGNATURE-----
> >Version: Mailvelope v1.4.0
> >Comment: https://www.mailvelope.com
> >
> >-----END PGP SIGNATURE-----
> >--
> >tor-talk mailing list - tor-talk at lists.torproject.org
> >To unsubscribe or change other settings go to
> >https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
> --
> Sincerely Flipchan
>
We're already using PGP/GPG for password resets. (Account recovery is,
additionally, a feature users can opt out of entirely.)
https://twitter.com/CiPHPerCoder/status/739536854517702660
https://twitter.com/CiPHPerCoder/status/739537611367276545
However, PGP is a terrible choice for usability here.
I'm not trying to cater to the ultra-crypto-nerd crowd with this feature,
because they're unlikely to have weak passwords and therefore *need* 2FA.
Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com/>
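
The server side of the challenge flow described in the quoted message (random code, encrypted to the user's key, two minutes to decrypt), as an added example; it is not code from this thread, from github.com/flipchan/blogger or from Airship. `PgpChallengeStore` and the `encrypt_to_fingerprint` hook are assumed names, and the PGP encryption itself is delegated to that hook.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 120  # seconds: the "2min to decrypt" window from the quoted message


class PgpChallengeStore:
    """Server-side state for a decrypt-the-code second factor (assumed design)."""

    def __init__(self, encrypt_to_fingerprint, clock=time.monotonic):
        # encrypt_to_fingerprint(fingerprint, plaintext) -> ciphertext is a
        # hypothetical hook; a deployment would back it with GnuPG.
        self._encrypt = encrypt_to_fingerprint
        self._clock = clock
        self._pending = {}  # session id -> (sha256 of code, expiry time)

    def issue(self, session_id, fingerprint):
        """Create a fresh code and return it encrypted to the user's key."""
        code = secrets.token_urlsafe(24)  # 192 bits from the OS CSPRNG
        digest = hashlib.sha256(code.encode()).digest()
        # Overwrites any earlier challenge, so only the newest one is valid.
        self._pending[session_id] = (digest, self._clock() + CHALLENGE_TTL)
        return self._encrypt(fingerprint, code)

    def verify(self, session_id, submitted):
        """Accept the decrypted code once, and only inside the time window."""
        # pop() makes the challenge single use whether the attempt passes or
        # fails, so a wrong guess forces a new challenge to be issued.
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return False
        digest, expires = entry
        if self._clock() > expires:
            return False
        candidate = hashlib.sha256(submitted.strip().encode()).digest()
        return hmac.compare_digest(candidate, digest)  # constant-time compare
```

Only a hash of the code is kept server-side, so the plaintext code exists only in the encrypted message and in whatever the user decrypts.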