Date: Sun, 9 Jan 2022 17:12:33 +0000
From: Steve O'Hara-Smith
To: Valeri Galtsev
Cc: questions@freebsd.org
Subject: Re: entering geli passphrase only once at FreeBSD boot
Message-Id: <20220109171233.5ce74616e93058d49e19c177@sohara.org>
In-Reply-To: <747271fd-3276-b2ef-dd8c-b18c1fff2f10@kicp.uchicago.edu>
References: <20220109102339.45932ef6cf6f42daa3a1871d@sohara.org> <20220109145048.141b35831e07ad9fa8a73c66@sohara.org> <20220109153523.5cdc554507c5d9966f4eb28e@sohara.org> <747271fd-3276-b2ef-dd8c-b18c1fff2f10@kicp.uchicago.edu>
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; amd64-portbld-freebsd13.0)
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On Sun, 9 Jan 2022 11:28:36 -0500
Valeri Galtsev wrote:

> On 1/9/22 10:35 AM, Steve O'Hara-Smith wrote:
> > On Sun, 9 Jan 2022 10:20:59 -0500
> > Valeri Galtsev wrote:
> >
> >> If an RFID chip is involved, part of "hiding" [the secret] is to keep
> >> the card with the RFID chip inside a shielding sleeve. Or the guy with
> >> an RF scanner standing next to you will easily read it.
> >
> > 	QR code and camera, typed password and shoulder surfer,
> > fingerprint and wine glass ... same problem, different spaces. The
> > standard solutions are OTP and challenge/response, neither of which is
> > an option for geli passphrases unfortunately, which leaves only "be
> > careful".
>
> I for one stay away from any "biometric" ways of authentication. I do
> not want any part of my body "borrowed" from me for such authentication

	Yeah, these people who embed RFID chips in their hands are just
asking for amateur surgery.

> ;-) But seriously: how secret is your fingerprint? We leave them
> everywhere.

	Not even slightly, it's a bit like the old bike locks that could
be opened by any key including a screwdriver - security theatre.

> Or a laptop magically unlocks thanks to face recognition - I don't even
> want to start a rant about that (still: whose brain-dead idea is
> that!?)

	It would help if it required the face to be moving - a bit.

	The one that gets me is the dialogue that pops up on some sites
*after* authentication with my name in it and a request to confirm that
I am indeed the person named.

> These days with 2-factor authentication enforced widely we became
> hostages of our cell phones ;-( Imagine you forgot it at home and need
> to authenticate. Or the device just died.

	Yep, but the old RSA keyfobs had the same problems.

-- 
Steve O'Hara-Smith
Odds and Ends at http://www.sohara.org/
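The replay point made above (an RFID UID, a typed passphrase or a QR code is a static secret, so whoever observes it once can present it again, whereas OTP and challenge/response give the observer nothing reusable) worked through as an added Python example. This is illustration written for this page, not code from the thread, from FreeBSD or from geli; the verifiers, the HMAC-SHA256-over-nonce scheme, the 16-byte nonce and the sample secret and key are all assumptions for the demo. It also shows why the scheme does not transfer to a geli passphrase: there is no verifier on the other side to issue a challenge, the passphrase itself is the key material, so what is typed is what an observer gets.

```python
"""Static secret vs. challenge/response: what an eavesdropper can replay.

Added illustration for the thread above; a toy in-memory verifier,
not FreeBSD or geli code.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample values for the demo (assumptions, not real credentials).
STATIC_SECRET = b"correct horse battery staple"  # typed passphrase / RFID UID
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # token key


class StaticSecretVerifier:
    """Accepts anyone who presents the stored secret: a typed passphrase,
    a QR code or a fixed RFID identifier.  Whatever the verifier sees,
    the shoulder surfer or RF scanner sees too, and can present again."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def verify(self, presented: bytes) -> bool:
        return hmac.compare_digest(presented, self._secret)


class ChallengeResponseVerifier:
    """Issues a fresh random nonce per attempt and expects HMAC-SHA256 over
    it under the shared key.  The key never crosses the wire and each
    nonce is accepted once, so a captured response is useless later."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._outstanding = None  # nonce of the live challenge, if any

    def challenge(self) -> bytes:
        self._outstanding = secrets.token_bytes(16)
        return self._outstanding

    def verify(self, response: bytes) -> bool:
        if self._outstanding is None:
            return False  # no live challenge: nothing to check against
        nonce, self._outstanding = self._outstanding, None  # single use
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def respond(key: bytes, nonce: bytes) -> bytes:
    """What the legitimate token or user computes for a given challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo_static_replay() -> tuple[bool, bool]:
    """Returns (legitimate login accepted, eavesdropper's replay accepted)."""
    verifier = StaticSecretVerifier(STATIC_SECRET)
    captured = STATIC_SECRET  # exactly what the observer recorded
    return verifier.verify(STATIC_SECRET), verifier.verify(captured)


def demo_challenge_response_replay() -> tuple[bool, bool]:
    """Returns (legitimate login accepted, eavesdropper's replay accepted)."""
    verifier = ChallengeResponseVerifier(SHARED_KEY)
    nonce = verifier.challenge()
    response = respond(SHARED_KEY, nonce)
    captured = response  # observer records the whole exchange
    legit_ok = verifier.verify(response)
    verifier.challenge()  # the observer's later attempt gets a new nonce
    return legit_ok, verifier.verify(captured)


if __name__ == "__main__":
    print("static secret:      legit=%s replay=%s" % demo_static_replay())
    print("challenge/response: legit=%s replay=%s" % demo_challenge_response_replay())
```

Run it and the static verifier accepts the replay while the challenge/response verifier rejects it. The same single-use nonce handling is what stops an observer who captured a valid response from presenting it against a stale challenge; a verifier that kept accepting old nonces would be as replayable as the static secret.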