On Mon, Nov 15, 2021 at 11:59 PM Konstantin Ryabitsev <konstantin@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On Mon, Nov 15, 2021 at 07:34:00PM +0100, Geert Uytterhoeven wrote:
> > On a related subject, I am using Gmail for email (e.g. patch review),
> > but not for actual patch submission (git send-email through my ISP's
> > SMTP server). I do have app passwords set up for git send-email on
> > my laptop (if I ever need to send patches while on the road, barely
> > used so far) and for backing up email using getmail.
> >
> > Recently I received an email from Google that my account may be "at
> > greater risk of targeted attack", and that they recommend enrolling
> > into Google's strongest account security offering, the Advanced
> > Protection Program. Apparently this makes use of a hardware token,
> > the Titan Security Key.
>
> Well, I'm sure they wouldn't mind if you paid them money for a "Titan Security
> key", but it's really just a rebranded Chinese-made U2F token and, as such,
> not any different from any other U2F security key. You can get one from

Most electronics are made in China, but the Titan is set apart because
it was designed by Google, and was certified for FIPS 140-2,

https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3361.pdf

If assurances about secure hardware implementations aren't important
to you, you can use any U2F device. If you have USB ports to spare, I
can recommend the Yubikey Nano, which you can just leave in a USB port
permanently. I also have a HyperFIDO Titanium Pro (from HyperSECU) on
my keychain which is very sturdy.

--
Han-Wen Nienhuys - Google Munich
I work 80%.
Don't expect answers from me on Fridays.
--
Google Germany GmbH, Erika-Mann-Strasse 33, 80636 Munich
Court of registration and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Paul Manicle, Halimah DeLaine Prado