On Tue, 2022-09-06 at 18:18 +0200, Vitaly Zaitsev via devel wrote:
> On 06/09/2022 17:00, Gary Buhrmaster wrote:
> > mobile device
> Requires proprietary Google services.
> > computer
> Requires proprietary TPM 2.0 chip.
Hi,
Neither of these is true. For example, I use Raivo on my iOS device
which isn't proprietary.
It seems that your concerns regarding 2FA are based on a number of
misconceptions.
1. That it will cost money
You can generate TOTP codes using password generators, desktop apps, or
even by hand in the command line. It's a simple algorithm that doesn't
even require an Internet connection. However, in order for it to truly
be 2FA, it should be on a separate device (i.e., your phone), though
generating it on the desktop is what people do if they have no external
device.
2. That the algorithm will pose problems in other countries
I'm aware of ITAR and munitions exports, but I'm not convinced SHA1 and
HMAC pose as much of a problem as you say they do, even in
Russia/China.
3. That it requires specialized hardware
Again, not true. See part 1. TOTP should work on any device regardless
of the underlying hardware so long as it supports basic cryptographic
primitives.