brna-2 commented on OpenClaw – Moltbot Renamed Again   openclaw.ai/blog/introduc... · Posted by u/ed
brna-2 · 12 days ago
When I post to HN, I post mostly for criticism and suggestions and less for praise. I did not sense what you did here, maybe I filtered it out.
brna-2 commented on OpenClaw – Moltbot Renamed Again   openclaw.ai/blog/introduc... · Posted by u/ed
blurayfin · 12 days ago
and openclaw.com is a law firm.
brna-2 · 12 days ago
The page says - Hadir Helal, Partner - Open Chance & Associates Law Firm

This looks to me like:

- the page belongs to the person - not to the firm

- domain should be openCALW and not CLAW

- page could look better

- they also have the domain openchancelaw.com

Maybe Hadir is open to donating the domain or to an exchange of some kind, like an up-to-date web page or something along these lines.

brna-2 commented on MTOTP: Wouldn't it be nice if you were the 2FA device?   github.com/VBranimir/mTOT... · Posted by u/brna-2
MattPalmer1086 · 23 days ago
Thinking about it, there are only 10 billion different keys and somewhat fewer sboxes.

So given a single pass code and the login time, you can just compute all possible pass codes. Since more than one key could produce the same pass code, you would need 2 or 3 to narrow it down.

In fact, you don't even need to know the login time really, even just knowing roughly when would only increase the space to search by a bit.

brna-2 · 23 days ago
Also @MattPalmer1086 the best solution for this I have now is to have several secret keys and rotate usage. Would be nice to have some additional security boosts.
brna-2 commented on MTOTP: Wouldn't it be nice if you were the 2FA device?   github.com/VBranimir/mTOT... · Posted by u/brna-2
MattPalmer1086 · 23 days ago
Thinking about it, there are only 10 billion different keys and somewhat fewer sboxes.

So given a single pass code and the login time, you can just compute all possible pass codes. Since more than one key could produce the same pass code, you would need 2 or 3 to narrow it down.

In fact, you don't even need to know the login time really, even just knowing roughly when would only increase the space to search by a bit.

brna-2 · 23 days ago
Yep, known issue. Was hoping someone could spice the protocol up without making it mentally too heavy; HN is full of smart, playful people.
brna-2 commented on MTOTP: Wouldn't it be nice if you were the 2FA device?   github.com/VBranimir/mTOT... · Posted by u/brna-2
onion2k · 23 days ago
I don't think people plan what time to log into things.
brna-2 · 23 days ago
Yep, they did not need to when the calculation was done in real time on a mobile phone. :D
brna-2 commented on MTOTP: Wouldn't it be nice if you were the 2FA device?   github.com/VBranimir/mTOT... · Posted by u/brna-2
MattPalmer1086 · 23 days ago
What is the purpose of the 6th digit?

It doesn't add any security, as it is trivially computable from the other digits already computed.

It appears to be a checksum, but I can't see why one would be needed.

brna-2 · 23 days ago
I originally included it as a structural integrity digit, with the option for early rejection on the server side. That early exit check is not implemented in the current PAM module yet.

This is an early POC, and sanity checks like this are exactly the kind of feedback I’m looking for.

brna-2 commented on MTOTP: Wouldn't it be nice if you were the 2FA device?   github.com/VBranimir/mTOT... · Posted by u/brna-2
barbegal · 23 days ago
An interesting idea but in theory just three correct pass codes and some brute force will reveal the secret key so you'd have to be very careful about only inputting the pass code to sites that you trust well.

It's definitely computable on a piece of paper and reasonably secure against replay attacks.

brna-2 · 23 days ago
Yep, I am aware: 2 or 3 OTPs and timestamps plus some brute forcing using the source code. Server-side brute force by input should or could be implausible. But that is why I am signaling here that I would love a genius or a playful expert/enthusiast contributing a bit or two to it, or becoming a co-author.
brna-2 commented on MTOTP: Wouldn't it be nice if you were the 2FA device?   github.com/VBranimir/mTOT... · Posted by u/brna-2
crote · 23 days ago
What makes this 2FA? It's "something you know, plus mental labor", which makes it a password.

2FA is "something you have" (or "... you are", for biometrics): it is supposed to prove that you currently physically possess the single copy of a token. The textbook example is a TOTP stored in a Yubikey.

Granted, this has been watered down a lot by the way-too-common practice of storing TOTP secrets in password managers, but that's how it is supposed to work.

Does your mTOTP prove you own the single copy? No, you could trivially tell someone else the secret key. Does it prove that you currently own it? No, you can pre-calculate a verification token for future use.

I still think it is a very neat idea on paper, but I'm not quite seeing the added value. The obvious next step is to do all the math in client-side code and just have the user enter the secret - doing this kind of mental math every time you log in is something only the most hardcore nerds get excited about.

brna-2 · 23 days ago
Time-based skew makes it a changeable second factor; an additional changeable pass makes it the second factor. Also, if the first factor is a password manager or SSH key, this is the second factor.

The idea of it was so neat to me, I just had to tinker with it.

brna-2 commented on MTOTP: Wouldn't it be nice if you were the 2FA device?   github.com/VBranimir/mTOT... · Posted by u/brna-2
brna-2 · 23 days ago
This is an early experiment in human-computable TOTP. Not production crypto, but a serious attempt to reach reasonable security for plausible 2FA. Protocol revisions, criticism, and contributions are welcome.
