Tags: #infosec #security I have used Keyoxide for awhile now to verify my identity so I thought to throw together a step by step instructions in case someone wants to do it themselves. --- Wha...
Wrote up a quick thing about using Keyoxide and thought to share it here since I haven’t posted in awhile. lol
So, if you send a password at some point, someone could theoretically intercept and get the password, and then impersonate you.
PGP keys are public-private. The key never leaves your possession. Instead, the other side asks you to cryptographically sign something using your private key, which they can validate using your public key.
You never expose your private key to any intermediary, and even the other side doesn’t have it.
TOTPs have a shared secret, and generate a temporary passphrase using both time and the secret. Those also protect (mostly) against interception, since the OTP becomes invalid within probably seconds. Just as with PGP keys, the secret does not change. However, unlike PGP, the other side does also have all the information required to authenticate as you.
Nah, that’s not a problem.
So, if you send a password at some point, someone could theoretically intercept and get the password, and then impersonate you.
PGP keys are public-private. The key never leaves your possession. Instead, the other side asks you to cryptographically sign something using your private key, which they can validate using your public key.
You never expose your private key to any intermediary, and even the other side doesn’t have it.
TOTPs have a shared secret, and generate a temporary passphrase using both time and the secret. Those also protect (mostly) against interception, since the OTP becomes invalid within probably seconds. Just as with PGP keys, the secret does not change. However, unlike PGP, the other side does also have all the information required to authenticate as you.