I was wondering why I was always failing my TOTP 2FA logins on the first attempt. Turns out I found a bug in the Authenticator app for GNOME, where it will always give you the wrong codes after resuming the computer from suspend (sometimes after unlocking the app's built-in lockscreen too, I think): https://gitlab.gnome.org/World/Authenticator/-/issues/481
My test with Passbolt is slowly turning into a game-changer for me. The browser Quick Access combined with TOTP - 🤯 - click - copy - paste ... 😎 For me that means building the whole project fail-safe this weekend, including backups, and somehow documenting it. #Selfhosting #passbolt #2FA #totp
I have officially deleted my Amazon account and cut ties with their ecosystem entirely. For a long time, the convenience of Prime felt like a necessary evil, especially since they have a warehouse in my city and can do same day shipping. But I can no longer reconcile the big tech giant's behavior with the values I promote at Terminal Tilt. As a privacy advocate and FOSS supporter, continuing to feed the machine feels increasingly hypocritical.
Ethically, their treatment of labor is indefensible. Between the terrible warehouse conditions and the dark patterns designed to make canceling subscriptions nearly impossible, it is clear they view both employees and customers as numbers to be exploited, with contempt. Their anti-competitive practices have done irreparable harm to small businesses and independent creators who are forced to play in a rigged sandbox.
As an FSF and EFF member, I believe privacy is a fundamental right. Amazon's business model relies on massive data harvesting and a huge surveillance network that I simply do not want to be a part of. Deleting my account is my way of reclaiming my digital sovereignty and refusing to let my personal data be a product in their inventory.
The change also affects how I handle Terminal Tilt going forward. I am officially ending the use of Amazon affiliate links for the channel. While the links are a standard revenue stream for most creators, I refuse to track my audience into the Amazon ecosystem just for a small commission. I would rather the channel grow slower and more honestly than profit from a company that actively works against user freedom. Convenience is the enemy of sovereignty.
When I review products now, whether it is the security keys from @nitrokey, @yubico, and Token2 or open source hardware, I will provide links to direct manufacturers or ethical, privacy-respecting retailers instead. Convenience should never be the primary metric for our choices.
If you want to support my work on Linux, privacy, and the #NoAI movement, I encourage you to use my LiberaPay or Ko-Fi links. Supporting creators directly ensures that the content remains independent and free from the influence of the Epstein class and corporate overlords. You can find all my direct support links on my self-hosted Linkstack: https://links.terminaltilt.com
It feels good to be out. It is time to prioritize people and principles over same-day shipping.
A photo of five hardware security keys arranged in a half circle on a dark desk mat. From left to right: two YubiKeys with gold touch buttons, a black Nitrokey 3A NFC in the center, and two Token2 keys on the right, one featuring a pattern of lock icons and the other with a fingerprint sensor.
Passkeys are supposed to be »simpler & more secure«; for me they are above all unnecessary effort. Every device needs its own passkey, switching devices quickly gets complicated, and on top of that come new dependencies (sync/ecosystem) and potentially annoying recovery when something goes wrong.
I am sticking with a password manager: a separate, long random password for every service, plus 2FA/OTP where it makes sense. That covers my level of protection. For me, passkeys do not solve a problem; they create new ones.
Passkeys mainly address typical human-machine problems (reuse, susceptibility to phishing, weak passwords). Anyone who actually has these problems can still benefit from passkeys.
I use Aegis (Android) and OTPClient (Linux); for larger syncs you can also exchange the whole database in encrypted form (and make backups!). And if you only want to copy individual entries, you can have the QR code or the secret displayed, or use it as input.
Until now I had also avoided engaging more deeply with passkeys (sites that prompt for them were very vague). The discussion shows me that, for the time being, I see neither a usability nor a security gain for myself.
I set up TOTP 2FA on the Itch.io account I used to publish my first visual novel a few days ago (see my pinned post for the VN). I ordinarily have no reason to take note of instructions for setting up app-based 2FA, but something in the Itch instructions caught my attention and led me to suspect that Itch has not touched the page in some time...
The HashiCorp Vault TOTP Secrets Engine supports generating and validating one-time codes with a short lifetime (usually 30 seconds) for two-factor authentication (2FA). It can be used to integrate with external systems or to issue OTPs from Vault. It offers an API to create, list and delete keys and to generate/validate codes. Easy to set up via CLI or GUI.
How can I make sure I do not lock myself out if my phone with the app is ever destroyed or lost (e.g. falls down the stairs, ends up in a river, etc.)?
Can I print out the QR code and keep it at home in a secure place? 🤔
Also: how can several people access a TOTP-protected account, e.g. so that my wife can still get in if something happens to me? Can I set up the access on 2 devices? 🤔
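Several of the posts above turn on the same property of TOTP: the Vault engine's 30-second codes, the question of whether a printed QR code or a second phone can stand in for a lost one, and the Authenticator bug that yields wrong codes after suspend. The following is an added example, not code from any of the posters or from the projects they mention. It implements RFC 4226 HOTP and RFC 6238 TOTP directly on top of Python's standard library, decodes a secret the way an enrolment QR code carries it, and models a server-side check with a small drift window; the demo secret is a constructed value, the RFC 6238 reference secret in base32.

```python
import base64
import hashlib
import hmac
import struct
import time


# RFC 4226 HOTP: dynamic truncation of HMAC-SHA1 over the big-endian 8-byte counter.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


# RFC 6238 TOTP: the counter is the number of `step`-second intervals since the Unix epoch.
def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, code: str, timestamp: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step plus `window` steps on either
    side to tolerate small clock drift. Comparison is constant-time."""
    counter = timestamp // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def secret_from_base32(encoded: str) -> bytes:
    """Decode a secret as it appears in an otpauth:// URI or enrolment QR code:
    base32, usually without padding, sometimes shown with spaces."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the padding base32 expects
    return base64.b32decode(cleaned)


# Constructed demo value: the RFC 6238 reference secret "12345678901234567890" in base32.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def stale_clock_effect(secret: bytes, real_time: int, clock_behind_by: int) -> bool:
    """Models a device whose clock stopped advancing (e.g. across a suspend):
    it generates the code for an old step. Returns whether a server with a
    one-step window still accepts that code."""
    stale_code = totp(secret, real_time - clock_behind_by)
    return verify_totp(secret, stale_code, real_time)


if __name__ == "__main__":
    secret = secret_from_base32(DEMO_SECRET_B32)
    now = int(time.time())
    print("code right now:", totp(secret, now))
    print("device 30 s behind still accepted:", stale_clock_effect(secret, now, 30))
    print("device 10 min behind accepted:", stale_clock_effect(secret, now, 600))
```

Because the code is a pure function of the shared secret and the current time, any device holding that secret (a second phone enrolled from the same QR code, or a copy of the secret kept offline) produces exactly the same six digits; that is why a second enrolment works and why the secret itself, not a particular app, is what needs backing up. The same property explains the suspend bug: a device whose clock is a few minutes behind produces codes for long-expired steps that no reasonable server window will accept, which looks to the user like "always wrong on the first try".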
While I love the idea of #passkeys I continue to find the ecosystem of them too siloed. #sms #2fa continues to grow among the stupid, like governments and banks. Meanwhile, my Android #totp #Authenticator app has more entries than I can easily count. Finding the right one now... difficult. Will it even sort alphabetically? Or by MRU? Or??? I wonder what alternative apps exist.
»Password managers: test reveals security gaps in user data:
Password managers tested - only three out of ten products encrypt all data completely. With some, the manufacturer can access passwords«
One more argument for trusting the open-source password manager @keepassxc & co. It is still used by comparatively few people, privately and in business.
🧵 …as a supplement to the toot above, an explanatory video by @tuxwiz on the topic of @keepassxc and its additional use via a @nextcloud instance. If this is nothing new to you, it is surely a useful informative source for your acquaintances, relatives and friends.
It's like most people dependent on smartphones for #2FA logins everywhere, but much worse. A smartphone usually has one #authenticator app, with everything visible in one place; Yubikeys have various modules inside and I use most of them for many different things.
The authenticator part here is the easiest one; at least I have a nice list of accounts/services to display with one simple command. But I have to remember U2F-enabled services myself... Or check how many files I encrypted with GPG, or where I could use ssh keys...
Oh, and I use also pam-u2f and have FIDO LUKS login configured...
:blobCat_anxious_sweat:
Seriously, a user could become even more dependent, in more complex ways...
Why the hell don't these things just support firmware updates?!
#DecRecs Day 1 - Let's start easy with some QTBIPOC books I enjoyed this year:
All This Could Be Different by Sarah Thankam Mathews - realistic fiction about a young Indian lesbian starting a suspicious consulting job and just trying to get over her shitty self while navigating family and friendship
Gods of Want by K-Ming Chang - excellent series of Taiwanese diasporic short stories full of intergenerational angst and ghosts that haunt us, be it from the margins or right up in our faces
Roar of the Lambs by Jamison Shea - yet another excellent YA novel starring a duo intertwined by events set forth in their families decades before, a Black seer who just wants to get out of this town and a mixed nonbinary teen who always stands up for what is right - both of whom only ever face doubt and distrust from others
Sister Snake by Amanda Lee Koe - an homage to Chinese folklore brought into modern lore: two sisters, both of whom can take the form of either human or snake, fall back into one another's lives, one raging in their chaos, the other just trying to fit in.
I've been using Bitwarden as my password manager since 2021. I recommend that any student that is using an .edu email that they might lose access to in the future use a manager to keep track of accounts that they might need to change access from. I periodically go through my passwords and sort them into folders, descriptive titles, and delete unused accounts.
I recently switched to Ente Auth as my 2FA. I thought that I needed to always have Google and Microsoft's proprietary authentication apps - turns out I was able to add them to a different service super easily. Ente is multi-platform so it doesn't have to be only on your phone. Now if I could only get Steam to let me use a different app...
I find that these were great free options and have been easy to use. Both of these have a zero-data policy, so if you lose access to your account, that's it; they can't restore it for you because they literally don't have that data. It's important to think about how you might want to back it up outside of the service.
In a world where Putin is bombing Ukraine, and China is preparing an invasion of Taiwan, Pete Hegseth believes he has identified the real enemy: Trans people.
Replace that with "Jews" and you will immediately see what he is doing here.
@heiseonline Can someone please explain to them that #totp is not the only kind of #2fa? If there is no phone in your pocket, then there is room for a #Securitytoken!
Saw some post about migrating #authenticator apps... and I realised I never used the Google app, for example. Because when I started configuring #2FA, I already had #Yubikeys :blobcatpeek2:
So I naturally downloaded their Yubico Authenticator, to use something I could actually use, without even thinking. And this was/is the first #OTP app I ever used.
I tried FreeOTP or something similar when it was recommended for some work thing in previous job, but never had a chance to really "feel" that because I changed jobs shortly after.
And now I thought for the first time that my only experience with OTP is when codes aren't device-locked... :blobcatgiggle:
And for me it's absolutely natural state, as things should be.
This is how Germany protects itself: antivirus 44 %, secure passwords 44 %, 2FA 34 %. More than half do without the basics! 😳
Only 10 % use a standalone password manager, even though it makes everything easier: one master password, automatically secure passwords. 👉 https://www.bsi.bund.de/dok/1078326
What is a password manager good for?
Find out in the caption ⬇️
The Cybersicherheitsmonitor provides insights
- into the population's protection and information behaviour and
- into their exposure to cybercrime.
The joint online survey by the BSI and ProPK is based on a representative survey of over 3,000 people. The two cooperation partners make the study results available online free of charge.
Hello @bsi, maybe it would help if you first explained to the @Bundesregierung why concealing security vulnerabilities in systems, in favour of the #Bundestrojaner, is a bad idea, because without fully patched systems #antivirus, #2fa, in short "the basics", unfortunately achieve little to nothing.
Today’s #EO10challenges spotlight shines on Ente Auth, a sleek, open source #2FA authenticator that puts privacy first.
With end-to-end encrypted backups, cross-platform support, and no account required, it’s a refreshing alternative to proprietary options like Microsoft Authenticator and Google Authenticator.
I love to suggest its use; it means that when it's a customer I can support one and only one application across platforms. Enjoy!
If you want to add extra security to your Mastodon account, you can optionally use "Two-Factor Authentication" (2FA). When you have this feature activated, even if someone else finds out your password they will be unable to log into your account.
There is a complete guide to activating 2FA on Mastodon here:
So I've been trying to figure out the answer to a theoretical problem: what would I do if I was in a foreign country and had my phone and laptop seized / stolen?
I'm not too concerned about the stuff on them, but nowadays everything is 2FA. Even my password manager needs second-factor auth on a new device, and the second factor is email which... you guessed it, needs a second factor. I feel like I'm one lost device from disaster.
How do you go from zero to re-equipped with your logins without access to your own desk and devices?
Would it be insane to post an encrypted binary blob in, like, a public git repo? A random webpage? What encryption would be sufficient to confidentially drop an entire password vault, ssh keys, etc. into a public space?
"Scammers Read the Times... Do You? | Weekly News Roundup" 👀👏