Should you enable TOTP *only* authentication?


A QR code.

Here's a "fun" thought experiment. Imagine a website which let you sign in using only your username and TOTP code. No passwords. No magic links emailed to you. No FIDO tokens. No codes via SMS. Just a TOTP generated and displayed on your device. Is that useful? Sensible? Practical? It's certainly technically possible. Store the username, store the TOTP seed, done. Your users can now log in. Is it useful? Well, it would force users to not reuse passwords they've used elsewhere. That prevents …


Is it OK to share 2FA secrets?


A QR code.

Yeah. Yeah, I reckon so. Under the right circumstances. Multi-Factor Authentication (MFA, 2FA, TOTP, whatever you want to call it) is pretty nifty. You scan a QR code and your phone will continually generate a set of one-time passwords which are synchronised with a remote server. There's nothing stopping multiple people from scanning that QR code! They will each have the same password displayed at the same time. I've found this to be useful in a few situations. If my wife and I have access…


Password Resets in an Age of MFA


A padlock engraved into a circuit board.

Recently, WordPress got in contact with me to say they suspect that my password was exposed in some sort of data breach. Well, it's a day ending with a "y" - so of course some scumbag has pilfered my digital identity. WordPress mandated that I change my password. But was that really necessary? Firstly, the password was uniquely generated by my password manager. It isn't re-used anywhere else. So there is no chance of hackers breaking in to my email, bank, or OnlyFans account. Secondly, and…


Review: An NFC reader/writer with USB-C - ACR1252U-MF


Box with a drawing of the NFC reader.

I needed to read and write NFC cards on Linux. I only buy USB-C peripherals now, so I found the brilliantly named "ACR1252U-MF" which appears to be the only USB-C reader on the market. Total cost was about £35 on eBay. It's a cheap and light plastic box with a short USB cord. When you plug it in, there's a flashing light which can't be disabled. When it is powered up, or it detects an NFC chip, it makes this weird and scratchy beep. On Linux, it shows…


Giving the finger to MFA - a review of the Z1 Encrypter Ring from Cybernetic


A plain black ring. What secrets does it contain within?

I have mixed feelings about Multi-Factor Authentication. I get why it is necessary to rely on something which isn't a password but - let's be honest here - it is a pain juggling between SMS, TOTP apps, proprietary apps, and magic links. I'm also not a fan of PassKeys. It feels weird to me that my computer is the password. I get the theoretical way it works - but it rubs me up the wrong way. So, Yubikeys? I find them an annoyance. I never have my keys to hand - which sort of defeats the…
