On Thu, Apr 02, 2015 at 14:38:28 CEST, Nick Econopouly wrote:
> "2-factor authentication is a large field with many dysfunctional
> solutions (biometrics, for example, or numerous insecure hardware
> tokens), and no final good solutions are in sight. Hence it is not
> something that has a place in cryptsetup proper, beyond what is
> already there. You can also always treat the passphrase as the secret
> and protect that with your chosen 2-factor authentication scheme."
>
> I've been interested in the hardware tokens you mentioned; are the yubikey
> and the upcoming nitrokey insecure?
>
> (For 2fa, I assume the gnupg features are more secure because they at
> least require a pin)
>
> -nick

The thing is that in the past most chipcards were broken, some in
ridiculously simple fashions. At the same time, people do not
realize this. I have even heard some security people call a
smartcard a "mini-HSM".

The problem is that making a secure token is hard and expensive.
For example, it needs always-on sensors that can wipe it in case
of attacks on the hardware.

Sure, a hardware token of any kind usually gives you a significant
security boost as most people choose insecure passwords, but that
is basically it. If a user uses secure passwords, 2-factor will
just annoy.

Gr"usse,
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt