<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi,<br>
maybe it is more accurate to concentrate on the "One Time
Password" here than on the "Two Factor".<br>
<br>
If an attacker snoops on the communication, he still has no
access, as the OTP can only be used once (and is already used up),
so an OTP is much more secure than a simple password - even
without 2-Factor.<br>
In addition with a normal password, it also makes brute forcing
virtually impossible as you had to guess the OTP and the password
- if you get the OTP right, you have one attempt at the password,
then you have to guess a different OTP.<br>
<br>
If you combine that with a GPG Smartcard, you are back to "real"
2-Factor, as the GPG key becomes the second, 'external' factor,
but as I said, even without it, it still is a security improvement
against many attacks.<br>
<br>
Regards,<br>
Lenz<br>
<br>
Am 05.08.2015 um 15:57 schrieb Alexandre Pujol:<br>
</div>
<blockquote cite="mid:55C2163A.2070002@pujol.io" type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
Hi,<br>
<br>
Maybe I'm wrong, but in my opinion it is a mistake to use a
password manager in order to store OTP secrets.<br>
<br>
The aim of an TFA is to increase the auth security requiring the
combination of two different components. For instance something
you know (a password) and something you've got (a key, a OTP
generated on your mobile or on a security device...).<br>
<br>
Therefore if you store your OTP secrets in the same place than all
your passwords it makes the whole thing pointless.<br>
<br>
Regards,<br>
Alex<br>
<br>
<div class="moz-cite-prefix">On 05/08/15 12:50, admin wrote:<br>
</div>
<blockquote cite="mid:55C1F884.3030904@lesderniersdelaclasse.pw"
type="cite">
<meta http-equiv="content-type" content="text/html;
charset=windows-1252">
<font face="Ubuntu">Hello,<br>
I'm apologize for my poor english and my bad code... But I
tried to add a functionality to allow password-store to
generate a time otp. It's very useful for websites requesting
a 2FA totp like google or github. See my fork of the master
github password-store :<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://github.com/Gambiit/password-store">https://github.com/Gambiit/password-store</a><br>
Thanks a lot for password-store, Best regards :)</font> <br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Password-Store mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Password-Store@lists.zx2c4.com">Password-Store@lists.zx2c4.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.zx2c4.com/mailman/listinfo/password-store">http://lists.zx2c4.com/mailman/listinfo/password-store</a>
</pre>
</blockquote>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Password-Store mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Password-Store@lists.zx2c4.com">Password-Store@lists.zx2c4.com</a>
<a class="moz-txt-link-freetext" href="http://lists.zx2c4.com/mailman/listinfo/password-store">http://lists.zx2c4.com/mailman/listinfo/password-store</a>
</pre>
</blockquote>
<br>
</body>
</html>