undefined | Better HN

0 pointshedora4y ago0 comments

Digest authentication allows passwords to be authenticated without sending the “key”, and could also be used airgapped.

You’d need to type a nonce into the dongle, then type the result into your computer.

TOTP is just a password. Also, in practice, the server has to have non-air-gappped access to a TOTP generator, so it’s not really air gapped at all.

Read up on the great RSA key fob recall for an example of TOTP-style auth gone horribly wrong.

0 comments

lucideer4y ago

Digest auth can be air gapped but the time aspect of TOTP still makes digest comparatively less secure (plus digest isn't typically even done separately to the primary client device, nevermind airgapping, whereas TOTP is at least most commonly used via an entirely separate device).

> You’d need to type a nonce into the dongle, then type the result into your computer.

That would be a cool augmentation of digest auth, but afaik is hypothetical currently (at least as far as common use goes). I can use TOTP airgapped right now.

> in practice, the server has to have non-air-gappped access to a TOTP generator

This is a fair point, but requiring full server compromise is still a nice step up from being mitm-able.

> so it’s not really air gapped at all

That seems like a rather extreme conclusion to draw. Client-side only air gapping is still airgapping, the fact it doesn't extend to protection from server compromise doesn't completely invalidate the benefits.

j / k navigate · click thread line to collapse