Highest Rated Comments


pzl51 karma

herpes drugs commercials in the US are commonly narrated over scenes of random outdoor activity.

pzl24 karma

  1. Do you know how the reddit password masker works? If you type your reddit account password it automatically masks it: ******* How does reddit do that?

  2. And you probably can't or won't want to answer this, but: Duo's 2FA. One of the methods available is the "mobile passcode". The 6-digit TOTP you can use from the app. Does this use the typical TOTP algorithm as seen in Google Authenticator and others? The seed/secret for this must come from the initial QR code, yes? Looking at the GET params for the QR image, an initial seed is exposed there. The activation_code per your docs. The first part (before the dash) seems to be constantly changing. The part after the dash seems rather consistent. Maybe tied to account, or phone, or API server. not sure. But I haven't been able to figure out how the TOTP algorithm is seeded from the activation code. Either part (or both) are not base32 aligned. base32'ing either or both parts and running through TOTP are not matching up when the app is using the same activation code.

pzl22 karma

followup:

how does it feel to be the leading cause in wives finding out about the stripper their husband just saw?

pzl2 karma

This is a pretty good description of the first version of auth key stuff (e.g. U2F non-resident keys on a yubikey).

In that system (which is NOT webauthn / passkeys, but basically the prequel to them):

  • a site says it wants to register a user
  • site talks to the browser
  • browser talks to hardware key
  • hardware key uses some on-chip non-extractable secret key material, plus RNG, to generate asymmetric keys. For instance, An ecdsa key pair.
  • hardware key returns various metadata, including the public key, and a “key handle”
  • info is passed through the browser, back to site
  • site stores handle and pubkey

On authentication:

  • the site gives the key handle to the hardware token, and a hash to sign.
  • The token signs with the private key.
  • Site can validate the signature with the public key from before.

So, yeah, not crazy dissimilar from SSH.

I’m not sure how much the fido2/webauthn stuff differs from the old U2F flow above.