undefined | Better HN

0 pointsdcrazy2mo ago0 comments

It’s far from a complete solution, but to mitigate this specific avenue of supply chain compromise, couldn’t Github/npm issue single-purpose physical hardware tokens and allow projects (or even mandate, for the most popular ones) maintainers use these hardware tokens as a form of 2FA?

0 comments

3 comments · 1 top-level

yjftsjthsd-h2mo ago· 2 in thread

What would a physical token give you that totp doesn't?

Edit: wait, did the attacker intercept the totp code as it was entered? Trying to make sense of the thread

dcrazyOP2mo ago

The attacker installed a RAT on the contributor’s machine, so if they had configured TOTP or saved the recovery codes anywhere on that machine, the attacker could defeat 2FA.

yjftsjthsd-h2mo ago

Oh, yes, I missed that the TOTP machine was compromised:\ Would that then imply that it would have been okay if codes came from a separate device, eg. a TOTP app on a Palm OS device with zero network connectivity? (Or maybe these days the easiest airgapped option is an old android phone that stays in airplane mode...)

2 more replies

j / k navigate · click thread line to collapse