
KDE policy made my digital life more secure

Two months ago, in October 2022, KDE's GitLab required me to use two-factor authentication (2FA). Without a second factor, I was no longer able to push code, comment on merge requests, or contribute anything meaningful on KDE Invent.

For a long time I have known that I should use two-factor authentication for my important accounts, especially for those accounts used to commit code that other people execute because they trust me. But I was too lazy to prepare everything needed for a second factor.

Thanks to Ben and the KDE infrastructure team, there were no more excuses and I had to set up a secure login.

Secure login, but don't lock yourself out 

With a second factor in place, it is important that I do not lock myself out if the second factor is left at home or broken. Here is what I did:

  1. The first step is to choose the second factor. I decided against dedicated hardware like a YubiKey. I am familiar with one-time passwords on my mobile phone, so I decided to use time-based one-time passwords (TOTP). This means a device or mobile app holds a shared secret and uses it to compute a six-digit one-time password from the current time. Each code is only valid for a short window, typically 30 seconds, after which the next one is computed locally without any network access. I use Google Authenticator, but there are alternatives from less controversial vendors. Just scan the QR code, which carries the secret, and confirm the setup by entering one generated code once.
  2. I installed KeePass to store the recovery codes in case my TOTP device is broken or stolen. As a side effect, I can now use more complex passwords for less frequently used accounts.
  3. I made a backup including the KeePass database.
  4. As a side effect, I need to use access tokens for checkouts and pushes. A great opportunity to enable this aspect of secure development, too.

Remaining open questions

Some questions remain open for me. Time will tell how much they bug me and where I need to adjust.

Currently, I only have my personal phone as a TOTP device. Maybe I want to add more phones or my iPad. I am also unsure whether I should install and use TOTP software on my desktop like KDE Keysmith. It is a trade-off between comfort, security, and reliability.

I have not yet made up my mind how to handle the tokens for checkouts and pushes. Having them in an open document in Kate might be more harmful than using my password as in the past. I consider storing them in KeePass, too.

By-product: More security everywhere

Now that I have everything prepared on my side to use TOTP as my second factor, it was easy to use it for all the other accounts that deserve some extra protection: GitLab.com, GitHub, and independent GitLab instances hosted by FOSS projects similar to KDE Invent. Even my Google account is now protected by TOTP and I no longer get text messages on my mobile phone. Further, I stored ten backup codes from Google, just in case.

While on this security spree, I also wanted to use TOTP for my banking accounts. Unfortunately, my banks insist on the use of their own apps. I think they could benefit from using open and established standards, but they decided to force us customers to install and use their apps.

Comments

  1. About the banks: I found a great way to go about it is to have a store-free phone (F-Droid only), and when the bank wants something like that, just show them "nope, not possible. Digital discrimination..."
    But in my case FLOSS > security.

