Rockbox Development > Feature Ideas
OTP
[Saint]:
--- Quote from: monoid on January 28, 2013, 05:27:58 PM ---And if yes, then I do not understand why firewalls and virus-scanners are needed.
--- End quote ---
They aren't. Companies/developers offering such products should hang their heads in shame.
[Saint]:
As a side-note, regarding secure locking of a device:
When my phone(s) are in range of my keys and the bluetooth dongle located thereupon (and in theory, me), the device(s) will only sleep the screen when idle and eventually (10 minutes after the screen sleeps) lock with an insecure lock. If out of range of said dongle however, the device will lock with a password immediately (pin and pattern locks I do not consider secure as they can often be trivially reversed by looking at smudges on the screen {pattern locks more so than pin, as pattern locks often leave a clear start and end point imprinted on the screen}). Food for thought.
OTP:
As linked, some tokens do allow for retrieval. But that is beside the point. As the H points out:
If I have any doubts I will resort to my safe note for this, as I haven't yet heard of any technique that would allow a trojan to bridge the air gap[8] between my PC or smartphone and the written note in my desk at home.
http://www.h-online.com/security/features/Password-protection-for-everyone-1795647.html?view=print
An mp3 player generates a nice air gap -- and if you are targeted by a trojan when you mount it to sync, then it is post festum anyway.
dgquintas:
Actually, that's just what I did in this plugin: https://github.com/dgquintas/rockbox-totp
phr:
This should be relatively simple to do. I had the same idea and was going to suggest it, but searched first and found this old post.
The algorithm is just a dozen or so lines of Python or Lua (or a little more C) plus the sha1 hash function (C library), assuming the device has a realtime clock accessible to the program. Reasonable security results from the device simply not being internet connected. It wouldn't be as secure as a hardware token, but almost everyone nowadays uses smartphone apps for this, which are vulnerable to all the malware and downloads that phones are. One running on an mp3 player could at worst be compromised through the USB port. There is no serious attempt in the usual Google setup to prevent the user him/herself from accessing the keys on purpose, if that's what anyone is thinking. The seed value is shown as a character string below a QR code, that you're supposed to load into your phone by taking a picture.