Skip to main content

KDE policy made my digital life more secure

Two month ago, in October 2022, KDE's GitLab made me use a two-factor authentication (2FA). Without a second factor, I was no longer able to push code, comment on merge requests, or contribute anything meaningful on KDE Invent.

For a long time, I have known I should use two-factor authentication for my important accounts; especially for those accounts used to commit code other people are executing because they trust me. But I was too lazy to have everything prepared to use the second factor.

Thanks to Ben and the KDE infrastructure team, there were no more excuses and I had to set up a secure login.

Secure login, but don't lock yourself out 

Having a second factor, it is important that I am not locked out, if my second factor is left at home or broken. Here is what I did:

  1. The first step is to choose the second factor. I decided against dedicated hardware like a Yubi key. I am familiar with one-time passwords on my mobile phone, thus, I decided to use Time-based one-time password (TOTP). This means a device or mobile app knows a secret to calculate a six-digit one-time password. The password is only valid for a couple of seconds, then a new one can be generated locally. I use Google Authenticator, but there are alternatives from less controversial vendors. Just scan the QR code and verify the secret by once entering a one-time code.
  2. I installed Keepass to store the recovery codes in case my TOTP device is broken or stolen. As a side effect, I can now use more complex passwords for less frequently used passwords.
  3. I made a backup including the Keepass database.
  4. As a side-effect, I need to use tokens for checkouts and pushes. A great opportunity to have this aspect of secure development activated, too.

Remaining open questions

Some questions remain open for me. Time will tell, how much they bug me and where I need to adjust.

Currently, I only have my personal phone as a TOTP device. Maybe I want to add more phones or my iPad. I am also unsure whether I should install and use a TOTP software on my desktop like KDE Keysmith. It is a weighting of comfort, security, and reliability.

I have not yet made up my mind, how to handel the tokens for checkout and pushes. Having them in an open document in Kate might be more harmful then using my password as in the past. I consider storing them in Keepass, too.

By-product: More security everywhere

Now that I have everything prepared on my side to use TOTP as my two-factor authentication, it was easy to use it for all the other accounts that deserve some extra protection: GitLab.com, GitHub, and independent GitLab instances hosted by FOSS projects similar to KDE Invent. Even my Google account is now protected by a TOTP mechanism and I no longer get text messages to my mobile phone. Further, I stored ten security codes from Google, just in case.

Having a security spree, I also wanted to use TOTP for my banking accounts. Unfortunately, my banks insist on the use of their own app. I think they could benefit from using open and established standards, but they decided to force us costumers to install and use their apps.

Labels:

Comments

  1. AnonymousDecember 31, 2022 at 1:18 PM

    About the banks: I found a great way to go about is is to have a store-free phone (fdroid only), and when the bank wants something like that, just show them "nope, not possibile. Digital discrimination..."
    But in my case FLOSS > security.

    ReplyDelete

Post a Comment

Popular posts from this blog

New programming language needed for KDE?

Disclaimer: I am not one of KDE's masterminds or spokespersons. I am a mere bystander with few unimportant commits. I follow KDE's ecosystem and other developments in the free software world. In the following, I share some thoughts and my personal opinion. Talks about new programming languages After 30 years of C code, the Linux kernel opens itself to a second high-level language: Rust. Since fall of 2022 the kernel mainly gained infrastructure work. Some experiments show promising results like a Rust-based network driver or a scheduler . Recently, Git developers started to discuss how to allow Rust code in our beloved version control system. Far from having reached a consensus, its media coverage and heated discussions in forums show how interested the public is in this topic. Other projects try to replace established software by rewritten from scratch Rust ones: uutils coreutils , sudo-rs , librsvg , Rustls . Heck, Rewrite it it Rust (RiiR) has become a meme . We already h
18 comments
Read more

Kile 2.9.95 / 3.0 beta 4 released

We have a release of Kile 2.9.95, also known as 3.0 beta 4! Earlier today, Michel Ludwig tagged the current Git master. This is the first beta release since October 2019. Beside the port to KDE Frameworks 6 and Qt 6, it provides a couple of new features and bug fixes. New features Port to KDE Frameworks 6 & Qt 6 (Port by Carl Schwan) Enable high-dpi support Provide option to hide menu bar (Patch by Daniel Fichtner, #372295 ) Configurable global default setting for the LivePreview engines (Patch by Florian Zumkeller-Quast, #450332 ) Remove offline copy of "LaTeX2e: An unofficial reference manual", use online version instead (Patch by myself, Christoph Grüninger, Issue #7 ) Fixed bugs Kile crashes on selecting "Browse" or "Zoom" for document preview (Patch by Carl Schwan, #465547 , #476207, #467435, #452618, #429452) Kile crashes when generating new document (Patch by Carl Schwan, #436837 ) Ensure \end{env} is inserted in the right place even when the
2 comments
Read more

Use cppcheck to find bugs and improve code quality (not only for Kile)

Do you know isocpp.org's blog ? As an open-minded C++ programmer, I am a fond reader and have been inspired multiple times. I always enjoyed the blog posts from Andrey Karpov . He has deep knowledge with static code analysis and is a co-founder of PVS-Studio, a commercial static code analyzer for C++, C#, C, and Java. To advertise new releases of their product, Andrey and his co-workers scan popular open source projects with their tool. They explain the numerous results and showcase by these real-world examples how beneficial static code analysis is even for mature and healthy code bases. I found these posts both entertaining and instructive. If you are not aware of them, you might find them an interesting read: Clang 11 , LLVM 15 , Qt 6 , GCC 13 . I find this topic intriguing; nevertheless, for a long time I did not manage to dive deeper into this topic. I am a satisfied user of Kile , KDE's user-friendly TeX/LaTeX editor. In the span of almost 20 years (Is Kile really that ol
Post a Comment
Read more