
That's what I meant, thanks. Don't know how I had such a hard time trying to explain that!



The major advantage is that the OTP secret is stored elsewhere - not on the machine authenticating.

If it is, it doesn't really add any security.

Moreover, if the servers you authenticate to all share the same secret (i.e. you use the same token with all of them), you're decreasing the value of the 2nd factor by the amount of servers.

That's because anyone getting access to those servers can generate your OTP and connect to the other servers (if they also have the SSH key).

One way to mitigate that is to have a centralized authentication server for OTP.

All in all, if you want to protect your secret, OTP isn't the best solution. It's just something convenient. I would recommend using an openpgp smartcard instead.
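The shared-secret risk and the central OTP server mitigation described in the comment above, as an added worked example that is not code from the thread: the secret and timestamps are the RFC 6238 test vectors (so the codes are known constants), while the host names and the `CentralOtpServer` shape are assumptions.

```python
"""Why one TOTP secret shared across servers weakens the second factor."""
import base64
import hashlib
import hmac
import struct

# RFC 6238 reference secret "12345678901234567890" (ASCII), base32-encoded.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30  # seconds per TOTP time step


def totp(secret_b32: str, at_time: int, digits: int = 6) -> str:
    """RFC 6238 code: HMAC-SHA1 over the 30 s counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", at_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32: str, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps."""
    candidates = (totp(secret_b32, at_time + k * STEP) for k in range(-window, window + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)


def forged_code_accepted(hosts: dict, compromised: str, target: str, at_time: int) -> bool:
    """The thread's risk: whoever reads the secret stored on `compromised` can
    compute a code that `target` accepts whenever both hold the same secret."""
    code = totp(hosts[compromised], at_time)
    return verify(hosts[target], code, at_time)


# Deployment the comment warns about: every server stores the same secret (hypothetical hosts).
SHARED = {"web-1": RFC_SECRET_B32, "db-1": RFC_SECRET_B32}


class CentralOtpServer:
    """The thread's mitigation: the secret lives only here; SSH hosts store no
    secret and merely forward the user's code for checking (assumed shape)."""

    def __init__(self, secrets: dict):
        self._secrets = dict(secrets)  # user -> base32 secret, never copied to hosts

    def check(self, user: str, code: str, at_time: int) -> bool:
        return user in self._secrets and verify(self._secrets[user], code, at_time)


if __name__ == "__main__":
    t = 59  # RFC 6238 vector: SHA1 code at T=59 is 287082
    print(totp(RFC_SECRET_B32, t))
    print(forged_code_accepted(SHARED, "web-1", "db-1", t))  # shared secret: accepted
    central = CentralOtpServer({"alice": RFC_SECRET_B32})
    print(central.check("alice", totp(RFC_SECRET_B32, t), t))  # verified without a secret on any host
```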


I've never come across an openpgp smartcard, any particular one you recommend? I might look into this, seems like a very good idea.



