
joecool: i always assumed majority of griping on them was from the OTP end, not the smartcard applet end
mircea_popescu: pankkake, actually, you can use the cardano to generate a multi-mb otp, keep it encrypted
pankkake: MarieLynn: you're missing the last step, decrypting the OTP, I guess
Naphex: attacker needs username, password, otp(yubi,gpg), email for approving a withdrawal
Naphex: artifexd: you touch the button, it types the OTP
Naphex: you can just realtime phish or sniff/block otp
Naphex: i validate OTP against yubiservers
Naphex: so user gives me yubi pub key, and then shoots OTP
Naphex: and OTP just removes the risk of insider/intrusion that can just spam hotwallet servers or trade messages with withdrawals
Naphex: for me it promises a OTP, from the user. which i can validate without holding a secret
Naphex: ;;rate asciilifeform 1 NSA Should make a open OTP Token
Naphex: ;;rate 1 asciilifeform NSA Should make a open OTP Token
Naphex: ;;rate 1 asciilifeform NSA Should make a open OTP Token ;]
Naphex: well - a completely open OTP token, with hardware for sale would make a killin'
Naphex: well, i just use it as a solution for OTP without handling private keys
Naphex: i'm not trumpeting yubikey, but i don't know of a better OTP atm
Naphex: which you would need to generate a valid otp
Naphex: i will soon be implementing GPG OTP
Naphex: then server checks signature, then checks otp
Naphex: OTP - is otp released to the client, by levels email yubikey/gpg/ - whatever
Naphex: TIMESTAMP/MICRO:MESSAGE-DATA:UUID:SIGNATURE:OTP
Naphex: MESSAGE-DATA:UUID:SIGNATURE:OTP
Naphex: now OTP can be, Email / YubiKey -> GPG, Bitcoin signature
Naphex: if the user's OTP is not valid
Naphex: backend is just uuid / secret + otp choice (default email otp without yubi and soon gpg)
Naphex: gpg otp will be set up after in security
Naphex: as well as gpg otp for withdrawals
Naphex: with gpg auth the flow is going to be username/pass -> gpg otp -> logged in
Naphex: already started work on implementing gpg otp in the validation server
benkay: everify <decrypted otp>
benkay: btw TestingUnoDosTre that OTP url is unique for the duration of your use of that key. so feel free to hard code it into any scripts you write.
benkay: a little script that curl otp-url.php | gpg -d | pbcopy on os x is how i do things
benkay: if you do ;;eauth cgcardona_ , you can decrypt the otp you get in return and then ;;everify that string
gribble: (everify <otp>) -- Verify the latest encrypt-authentication request by providing your decrypted one-time password. If verified, you'll be authenticated for the duration of the bot's or your IRC session on channel (whichever is shorter).
dignork: asciilifeform, it's a complex device containing OTP, so not a strict match
dignork: asciilifeform, there are OTP chips, you're saying they can be rewritten?
gribble: (everify <otp>) -- Verify the latest encrypt-authentication request by providing your decrypted one-time password. If verified, you'll be authenticated for the duration of the bot's or your IRC session on channel (whichever is shorter).
Duffer1: paste the OTP message into where you sign messages, copy the result, then come back and type ;;everify signedmessageresulthere
ThickAsThieves: now i need to look up what an encrypted OTP is and what i need it for
mircea_popescu: it's circular, otp is only impractical because people have been designing things to make it impractical. otherwise otp generating doohickeys would be trivial to make.