I'd be wary of "proving one's identity" via (one of) one's SSH key by connecting to an unknown SSH host.
The main reason is a (maybe not on HN) little known scenario where the user has SSH key forwarding enabled, and the host they SSH to takes that forwarded identity and uses it to, say, fetch your private repos on github and the like.
I'd have _no problems at all_ signing a pgp message the likes of "I'm proving I am myself, and that you requested me to sign also with token QIMdoV76LIvymGvTxXEB8LkIIqfM4nEm5W"
This is pretty easily solved by using different keys for each service you wish to authenticate with (the same idea as using different passwords, basically). I already do this when pushing to GitHub over SSH versus SSHing into my own server.
Well, most SSH keys are RSA keys. Could it not also be used for signing? Also you could use a special alias/command (-a) that explicitly disables agent forwarding.
Because Google et al. want your phone number for certain commercial uses unbeknownst to you? Is it possible that personal information could be more valuable to these web companies than hex digits? Marketers cannot do much with a block of hex but they will pay for a working phone number. Collect enough personal information about people and in today's world you have a valuable company.
Last week I traveled home and Google did not let me login to my account because they were somehow 'suspicious' it was not me using my password (same machine). They wanted to force me to provide my phone number, even though I never asked for 2FA. Not truly a dark pattern, but shady anyway, expecting nothing less from a prism company.
ot. I guess you are downvoted because the element of truth in your comment (e.g. 2FA is data collection) hit some nerve. Just yesterday a similar 'questioning 2FA panacea' comment was downvoted, even though it was just arguing about the security aspects.
I think a public key is just as identifiable as a phone number and just as prone to data collection anything else. Although in this scenario it would be easier for the security conscious , to have multiple private keys.
If you loose your github 2FA, they will ask that you prove your identity by SSHing to some host and providing them with the token returned by that host
this is extremely important: just yesterday I forgot my phone at my university (luckily it hasn't been stolen) and realized that i was cut out of most services that use my phone as second authentication factor.
Print out the backup codes, and keep them in your wallet (or a safe at home). You should do that, anyway, in case your device gets stolen. Most sites which use 2FA tell you to do that right when you enable 2FA.
It's best to have the codes on multiple devices. Might not help in the short term ie 'left my phone and won't be home to use my tablet until 9'.
But in the event our phone was stolen, it can get pretty tough to recover some accounts once you've set up 2fa. If it's not, then there's really no point in having 2fa on the account at all.
EDIT:
Also of note, If you don't have a second device, a yubi key will store all the codes on the key. So any phone/laptop with the yubico auth app will be able to show the codes if you wanted to use that for a backup.
That reason is why I have my various 2fa credentials available from my computer as well. Problem is that I have some that either use a text message or the Authy API, which has abysmal desktop support.
I was thinking about this yesterday. Other than PGP keys, what about cell phone numbers? Everyone collects email, but for real transactional services, a phone is better and an email doesn't matter.
Maybe – but I still think the problem with tools like PGP are the user experience, and not any underlying tech.
If you look at things like WhatsApp and iMessage, they give you the same kind of security in a completely transparent way. And I believe Whisper/WhatsApp also give you a cool way to verify keys in person (I believe they use QR codes?)
So public key crypto is here, and it's widespread. It's just not in the form of PGP, and that's because of the UX shortcomings of PGP.
On a side note, Keybase really is awesome – I have setup keybase and am hopeful for it, but I feel even in that case, if you try to do PGP, it feels a bit odd.
[+] [-] mfontani|9 years ago|reply
The main reason is a (maybe not on HN) little known scenario where the user has SSH key forwarding enabled, and the host they SSH to takes that forwarded identity and uses it to, say, fetch your private repos on github and the like.
https://news.ycombinator.com/item?id=9425805
https://www.reddit.com/r/netsec/comments/3frnxb/my_ssh_serve...
I'd have _no problems at all_ signing a pgp message the likes of "I'm proving I am myself, and that you requested me to sign also with token QIMdoV76LIvymGvTxXEB8LkIIqfM4nEm5W"
[+] [-] kerkeslager|9 years ago|reply
[+] [-] marcosdumay|9 years ago|reply
But in both cases, you can have a single published key you can use to sign the site-specific shared keys.
[+] [-] tokenizerrr|9 years ago|reply
[+] [-] hannob|9 years ago|reply
The key question for all of these solutions is usability.
[+] [-] jdc|9 years ago|reply
[+] [-] textmode|9 years ago|reply
[+] [-] a_imho|9 years ago|reply
ot. I guess you are downvoted because the element of truth in your comment (e.g. 2FA is data collection) hit some nerve. Just yesterday a similar 'questioning 2FA panacea' comment was downvoted, even though it was just arguing about the security aspects.
[+] [-] riffraff|9 years ago|reply
[+] [-] nommm-nommm|9 years ago|reply
[+] [-] aclatuts|9 years ago|reply
[+] [-] sickbeard|9 years ago|reply
[+] [-] fidget|9 years ago|reply
[+] [-] mnkmnk|9 years ago|reply
[+] [-] Johan-bjareholt|9 years ago|reply
If you lose your phone you call your carrier to block that sim card and request a new one anyway, so you're not locked out.
[+] [-] unknown|9 years ago|reply
[deleted]
[+] [-] criddell|9 years ago|reply
https://www.grc.com/sqrl/sqrl.htm
Read the "What happened behind the scenes" box for the details. I think it's pretty clever.
[+] [-] znpy|9 years ago|reply
[+] [-] drauh|9 years ago|reply
[+] [-] jethro_tell|9 years ago|reply
But in the event our phone was stolen, it can get pretty tough to recover some accounts once you've set up 2fa. If it's not, then there's really no point in having 2fa on the account at all.
EDIT: Also of note, If you don't have a second device, a yubi key will store all the codes on the key. So any phone/laptop with the yubico auth app will be able to show the codes if you wanted to use that for a backup.
[+] [-] wlesieutre|9 years ago|reply
Presumably similar apps available for Android Wear and Apple Watch, but those are too smart for my tastes.
[+] [-] rbritton|9 years ago|reply
[+] [-] StavrosK|9 years ago|reply
[+] [-] jamespitts|9 years ago|reply
[+] [-] vonklaus|9 years ago|reply
[+] [-] chrisper|9 years ago|reply
[+] [-] tacos|9 years ago|reply
There was a window to make this stuff standard 20 years ago and we, as technologists, totally whiffed on it.
The "these are not web technologies" quip at StackExchange made me cringe for some reason. As if this has anything to do with web protocols.
For the sordid history: https://en.wikipedia.org/wiki/Pretty_Good_Privacy
For yet another sadly ignored, co-opted, would-be-standard: https://tools.ietf.org/html/rfc4880
[+] [-] atonse|9 years ago|reply
If you look at things like WhatsApp and iMessage, they give you the same kind of security in a completely transparent way. And I believe Whisper/WhatsApp also give you a cool way to verify keys in person (I believe they use QR codes?)
So public key crypto is here, and it's widespread. It's just not in the form of PGP, and that's because of the UX shortcomings of PGP.
On a side note, Keybase really is awesome – I have setup keybase and am hopeful for it, but I feel even in that case, if you try to do PGP, it feels a bit odd.