
That is way too much work. Doing work means stuff is happening, and stuff means side-channel attacks that someone else hasn't audited, because it's not an integrated product anyone would bother auditing.

In particular, I don't see how 2FA is possible with this, so shoulder surfing is a bigger issue.

I definitely trust Google or Bitwarden more than a password I can memorize plus my own constant vigilance.



> In particular, I don't see how 2FA is possible with this

You can use anything that integrates with GPG ... e.g. you can do it with a YubiKey [0]

[0] https://support.yubico.com/hc/en-us/articles/360013790259-Us...


Ah, I stand corrected, I forgot about trusted hardware based 2FA.

Still, it doesn't allow SMS or email based 2FA as far as I can tell, since that involves a trusted server and doesn't mean anything in a trustless model where the server owner could just add a bypass.


> In particular, I don't see how 2FA is possible with this

Umm, why not?

First, you can use a different app (like Aegis) to generate OTPs.

Second, pass has an extension (https://github.com/tadfisher/pass-otp) that can be used to generate OTPs.

Third, you can use something like oathtool to generate your OTP from your TOTP secret:

oathtool -b --totp "your-totp-secret"
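What `oathtool -b --totp "your-totp-secret"` actually computes, as an added example (editor's code, not from pass, pass-otp or oathtool): the `-b` flag base32-decodes the shared secret, the current Unix time divided by the 30-second step becomes the HOTP counter, and the code is HMAC-SHA1 over that counter with RFC 4226 dynamic truncation. The secret constant below is the RFC 6238 test key (ASCII "12345678901234567890") in base32, chosen so the output can be checked against the RFC's published vectors; it is not a real secret. The `verify_totp` helper is the server-side counterpart, added here to show the drift window and constant-time comparison a verifier needs; its name and parameters are this example's own.

```python
"""TOTP (RFC 6238) generation and verification in plain Python.

Added example, not code from pass, pass-otp or oathtool. It does by hand what
`oathtool -b --totp SECRET` does: base32-decode the shared secret (-b), take
floor(unix_time / 30) as the HOTP counter, and compute HMAC-SHA1 with dynamic
truncation. The secret below is the RFC 6238 test key "12345678901234567890"
in base32, used only so the results can be checked against the RFC's vectors.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32(secret):
    """Decode a base32 secret as it appears in otpauth:// URIs: case-insensitive,
    spaces ignored, and '=' padding restored if the issuer left it off."""
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key, counter, digits=6, algorithm=hashlib.sha1):
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic
    truncation to a zero-padded decimal string of `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                              # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # drop sign bit
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6, algorithm=hashlib.sha1):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step).
    `at` is a Unix timestamp; None means now."""
    now = int(time.time()) if at is None else int(at)
    return hotp(decode_base32(secret_b32), now // step, digits, algorithm)


def verify_totp(secret_b32, candidate, at=None, step=30, digits=6, window=1):
    """Verifier side (hypothetical helper): accept the code for the current
    step and `window` steps either side to tolerate clock drift. Every slot is
    checked and compared in constant time so the comparison does not leak
    which slot, or how many leading digits, matched."""
    candidate = str(candidate).strip()
    if not (candidate.isdigit() and len(candidate) == digits):
        return False
    now = int(time.time()) if at is None else int(at)
    key = decode_base32(secret_b32)
    counter = now // step
    matched = False
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c, digits), candidate):
            matched = True
    return matched


if __name__ == "__main__":
    # First rows of the RFC 6238 SHA-1 test table, 6- and 8-digit forms.
    for t in (59, 1111111109, 1111111111, 1234567890):
        print(t, totp(RFC_TEST_SECRET_B32, at=t), totp(RFC_TEST_SECRET_B32, at=t, digits=8))
    print("now:", totp(RFC_TEST_SECRET_B32))
```

At time 59 the 8-digit code is 94287082 and the 6-digit code is 287082, matching the RFC table; the same secret as a plain key gives HOTP(0) = 755224. Note that nothing here involves a second secret: the TOTP seed is just more data, so stored next to the password in the same GPG-encrypted file it generates codes for websites but does not, by itself, put a second factor in front of the vault.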


I'm not quite sure I understand this. It seems like a way to generate OTPs, but it doesn't solve requiring a second factor to access the vault.



