#indiewebcamp 2012-10-17

2012-10-17 UTC
dascher_, brennannovak, dascher, spinnerin, zztr, josephboyle, eschnou, friedcell, friedcell1 and tantek joined the channel
#
tantek
Have any indieweb folks tried using https://www.authy.com/ to set up 2-factor auth on their own site? I'd really like to figure out a solution for indieweb 2-factor auth, which could then be used for distributed authentication (not just via delegation).
#
tommorris
!tell tantek it might be better to just use Google Authenticator aka. TOTP, as defined in RFC 6238. implementations for iOS, Android, Blackberry, Windows 7, J2ME (still in wide use in low-end phones and in developing world). see https://en.wikipedia.org/wiki/Google_Authenticator
#
Loqi
Ok, I'll tell him that when I see him next
#
tommorris
!tell tantek TOTP is IMHO more secure than SMS because it avoids (admittedly improbable) man-in-the-middle attacks at the level of the cellphone network. plus there are places with internet but very unreliable mobile service (my house, for instance)
#
Loqi
Ok, I'll tell him that when I see him next
#
singpoly1a
tommorris: I have no issue with TOTP, but HOTP is also useful if you want to restrict to just one key or whatever, and then you don't need a clock (so it can work on, say, yubikey) :)
#
tommorris
ah, but for the use case of logging into your personal site, having it tied to a smartphone (or equivalent device: iOS, Android etc.) is quite sensible.
#
tommorris
and TOTP works well for that.
#
tommorris
although it was a bit weird: my Android phone lost my Dropbox auth credentials the other day. so I had to log into Dropbox with user/pw and then also give it a TOTP code from the Authenticator app.
#
singpoly1a
Sure. I have an app on my phone that will do both HOTP and TOTP, and I do use both for different things :)
#
tommorris
Thank god that smartphone operating systems have pre-emptive multitasking, like proper operating systems had in 1969.
#
singpoly1a
heh
#
singpoly1a
My smartphone runs a real OS, so it's even more on top of things ;)
#
singpoly1a
"real OS" being somewhat tongue-in-cheek for "one that also runs on non-phones"
#
tommorris
people wonder why I'm not that keen on mobile stuff. well, everyone coos over features that Windows 95 had, plus, well, while I can touch type on a computer, I'm reduced to the same drooling hunt-and-peck mentality when on a phone.
#
tommorris
I have an Android phone. the primary use I have for it is plugging my laptop into it to get on the Internet.
#
singpoly1a
Yeah, I would never get a phone without a good hardware keyboard. I had one once because it was free, but it was pretty annoying
#
@BarnabyWalters
#indieweb proposal: Favicons + `apple-touch` PNGs for easily discoverable profile pics. Goes against discovery… http://waterpigs.co.uk/notes/439
dascher, tilgovi and tantek joined the channel
#
Loqi
tantek: tommorris left you a message 1 hour, 27 minutes ago: it might be better to just use Google Authenticator aka. TOTP, as defined in RFC 6238. implementations for iOS, Android, Blackberry, Windows 7, J2ME (still in wide use in low-end phones and in developing world). see https://en.wikipedia.org/wiki/Google_Authenticator
#
Loqi
tantek: tommorris left you a message 1 hour, 22 minutes ago: TOTP is IMHO more secure than SMS because it avoids (admittedly improbable) man-in-the-middle attacks at the level of the cellphone network. plus there are places with internet but very unreliable mobile service (my house, for instance)
friedcell, brennannovak and tantek joined the channel