[lug] OTP

Davide Del Vento davide.del.vento at gmail.com
Tue Jun 11 08:43:07 MDT 2013


I'm switching subject since we're switching topic.

>> Still, I like https://www.yubico.com/products/yubikey-hardware/yubikey/
>> better
>
> You need a separate one for each account you want to authenticate, don't
> you?

Yes and no. If the account providers agree, they can let me use the
same one for more than one account. If they don't (which I expect
to be the case most of the time), yes, I do need one yk for each
account. However, most of my accounts are "useless" and have the same
stupid password which I could post here and not care for the accounts
being compromised (e.g. I used them once to comment on some stupid
blog post), so I will not be buying yk for them. The only accounts I
care about are gmail, my bank, maybe github, maybe openID (which would have
solved all my issues, if sites used it). Some people might care for
ebay/amazon (I've been pissed off by them and deleted my accounts with
both). I already have 10 metal keys (home, office, car, bike lock,
etc) on my keyring, 3 or 4 additional plastic ones would not make any
difference.

> I like smart cards.

Yes, but then you need a reader, and how do you know the reader is not
compromised if you use a shared one? What if the computer you want to
use overseas at an internet cafe does not have the smart card reader?
And if you need many smart cards (do you? I dunno, maybe you can
program one with all your accounts) your wallet becomes very thick
(mine is already too thick). More details?

Yubikeys are just USB keyboards to the computer, and NFC-enabled
"paste" (as in cut-and-paste) for non-USB-enabled devices (iPhone and
iPad, which by the way I don't care about). The yubikey firmware and
encryption key are written to a write-only memory and (they claim)
cannot be overwritten or read out, maybe because of the way the hw is
implemented, so you can safely use it in a hostile, shared machine.

Cheers,
Davide

