Two Factor Authentication (2FA) support


HP

Jan 1, 2021, 6:00:54 PM
to TiddlyWiki
Hi all,

Regarding this article about 2FA Web authentication, I am asking myself if it could be useful to TiddlyWiki in any way.

What do you think? I would love to have 2FA via my security key.

Regards


tony

Jan 1, 2021, 10:41:34 PM
to TiddlyWiki
Hi,

If your security key supports a static password, then this may be a viable solution with default encryption -

Not exactly multi-factor authentication, but it achieves the same convenience with a physical token.

For example, my Yubikey supports two slots for configuration: a One-Time Password (OTP) and a static password.

I just set the password for the TiddlyWiki to the static password on my key.

When prompted, I insert the Yubikey and just press. Voila!

In reality, the key is perma inserted and I just reach over and touch.

Best,
tony

Jeremy Ruston

Jan 2, 2021, 12:38:28 PM
to TiddlyWiki Group
Hi HP

The Web authentication specification assumes the existence of a server, and so is of no use to the single-file configuration of TiddlyWiki. While it could be integrated into the Node.js setup, our policy is to try to keep complex security-related code external to TiddlyWiki. It's much easier for third parties to audit the security characteristics of, say, TiddlyWiki behind a standard Nginx server than to ask them to delve into the TiddlyWiki code to audit our usage of crypto APIs.

Best wishes

Jeremy
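
A sketch of the setup described in the message above, added as an example and not taken from the thread or from the TiddlyWiki project: Nginx terminates TLS and enforces two factors (a client certificate plus a password) before proxying to TiddlyWiki on Node.js. It does not implement WebAuthn; the hostname, file paths and the 127.0.0.1:8080 backend address are assumptions.

```nginx
# Added example: Nginx as the auditable security boundary in front of TiddlyWiki.
# Assumed, not from the thread: hostname, file paths, backend on 127.0.0.1:8080.
server {
    listen 443 ssl;
    server_name wiki.example.internal;                 # hypothetical hostname

    # Server certificate, e.g. issued by a locally trusted CA.
    ssl_certificate     /etc/nginx/tls/wiki.pem;       # hypothetical path
    ssl_certificate_key /etc/nginx/tls/wiki-key.pem;   # hypothetical path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Factor 1 (something you have): a client certificate signed by your own CA.
    # Requests without a valid certificate are refused by Nginx and never
    # reach TiddlyWiki.
    ssl_client_certificate /etc/nginx/tls/rootCA.pem;  # hypothetical path
    ssl_verify_client      on;

    # Factor 2 (something you know): a password checked by Nginx,
    # not by TiddlyWiki code.
    auth_basic           "TiddlyWiki";
    auth_basic_user_file /etc/nginx/tiddlywiki.htpasswd;  # hypothetical path

    location / {
        # TiddlyWiki on Node.js, reachable only through this proxy.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Plain HTTP is only used to redirect to the TLS listener.
server {
    listen 80;
    server_name wiki.example.internal;
    return 301 https://$host$request_uri;
}
```

TiddlyWiki itself should listen only on the loopback address so that the proxy cannot be bypassed; all authentication logic then lives in the Nginx configuration, which is what an auditor reviews.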



Mark S.

Jan 2, 2021, 1:25:21 PM
to TiddlyWiki
Another soul trying to find an actual use for those security keys. Lock down your GitHub account? Yeah, they can do that. Lock down your bank account? Not so much.


HP

Jan 2, 2021, 2:32:34 PM
to TiddlyWiki
I shouldn't answer any man wiser than me. However, here, for those with more creativity: https://github.com/FiloSottile/mkcert (a simple tool for making locally-trusted development certificates. It requires no configuration; https).

Blessings

Mark S.

Jan 2, 2021, 3:06:53 PM
to TiddlyWiki
That is interesting, and might be useful if running TW on node.js in https mode. The question is, could you add the generated certificate to your Android device, so that you could log in securely from your own device? That would solve the "coffee shop" problem.

But sadly, I see no role for physical security keys in this. I have two of them, and only use them for minor accounts because the "big names" don't recognize their use yet.

HP

Jan 3, 2021, 4:21:57 AM
to TiddlyWiki
Yes