Date:      Tue, 18 Jun 2019 19:57:55 -0700 (PDT)
From:      Roger Marquis <marquis@roble.com>
To:        Victor Sudakov <vas@mpeks.tomsk.su>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Untrusted terminals: OPIE vs security/pam_google_authenticator
Message-ID:  <nycvar.OFS.7.76.444.1906181941030.12587@mx.roble.com>
In-Reply-To: <20190619020512.GA64608@admin.sibptus.ru>
References:  <20190618075954.GA30296@admin.sibptus.ru> <CA%2BQLa9AkOwM14nxgXmmiH8TFewaT6HGjq7vzRQ5u4YNFNh-W-w@mail.gmail.com> <20190619020512.GA64608@admin.sibptus.ru>

> In my case, no page is involved, just the FreeOTP app on my Android
> phone (which is less convenient than a sheet of paper with OPIE
> passwords, but I can live with that).

FreeOTP and FreeOTP+ are IMO the best OTP apps out there.  They require
no privacy-invading "push" notifications and are open source.  Just wish
more sites would publish numeric codes instead of gimmicky QR codes.

That said, there are still plenty of us who also use OPIE.  The passcodes
are a solid T/HOTP fallback, aren't subject to seizure by border agents
having a bad day, can be easily copied and stored on paper and have zero
dependencies on 3rd parties.

That's not to say that OPIE should be kept in base though.  There's
already way too much unused legacy cruft in FreeBSD base.  Ports are the
right tool for that job.

But OPIE is still used, can be updated relatively easily, and should be
kept somewhere accessible for security-conscious end-users.  To
eliminate it would only benefit those with commercial interests in
proprietary and hosted (vendor lock-in) MFA solutions.

IMO,
Roger Marquis


