From owner-freebsd-security@freebsd.org Wed Jun 19 02:58:04 2019
Date: Tue, 18 Jun 2019 19:57:55 -0700 (PDT)
From: Roger Marquis
To: Victor Sudakov
cc: freebsd-security@freebsd.org
Subject: Re: Untrusted terminals: OPIE vs security/pam_google_authenticator
In-Reply-To: <20190619020512.GA64608@admin.sibptus.ru>
References: <20190618075954.GA30296@admin.sibptus.ru> <20190619020512.GA64608@admin.sibptus.ru>

> In my case, no page is involved, just the FreeOTP app on my Android
> phone (which is less convenient than a sheet of paper with OPIE
> passwords, but I can live with that).
FreeOTP and FreeOTP+ are IMO the best OTP apps out there. They require no privacy-invading "push" notifications and are open source. Just wish more sites would publish numeric codes instead of gimmicky QR codes.

That said, there are still plenty of us who also use OPIE. The passcodes are a solid T/HOTP fallback, aren't subject to seizure by border agents having a bad day, can be easily copied and stored on paper, and have zero dependencies on 3rd parties.

That's not to say that OPIE should be kept in base, though. There's already way too much unused legacy cruft in FreeBSD base. Ports are the right tool for that job. But OPIE is still used, can be updated relatively easily, and should be kept somewhere accessible for security-conscious end-users. To eliminate it would only benefit those with commercial interests in proprietary and hosted (vendor lock-in) MFA solutions.

IMO,
Roger Marquis
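The two mechanisms compared in this thread, shown side by side as an added illustration (not code from OPIE, FreeOTP or the list): a simplified Lamport/S/KEY-style hash chain that can be printed on paper and verified by a server holding only the last link (the principle behind OPIE, not its exact MD5/SHA-1 folding or six-word encoding), next to RFC 4226 HOTP as an app would compute it. The seed and the five-entry paper list are constructed sample values.

```python
import hashlib
import hmac
import struct

# Simplified S/KEY-style chain: the user prints links h^1..h^n of the
# chain; the server stores only h^n and accepts the link that hashes
# to it, moving one step back each time. (Illustration, not OPIE's
# real encoding.)
def otp_chain(secret: bytes, n: int) -> list:
    """Return [h^1(secret), ..., h^n(secret)]; this is the paper list."""
    links, cur = [], secret
    for _ in range(n):
        cur = hashlib.sha256(cur).digest()
        links.append(cur)
    return links

class PaperOtpServer:
    """Stores one link; accepts the preimage of it, then advances."""
    def __init__(self, last_link: bytes, remaining: int):
        self.current, self.remaining = last_link, remaining

    def verify(self, presented: bytes) -> bool:
        if self.remaining <= 0:          # list exhausted: must re-enrol
            return False
        if hmac.compare_digest(hashlib.sha256(presented).digest(), self.current):
            self.current, self.remaining = presented, self.remaining - 1
            return True
        return False

# HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic
# truncation, decimal code. This is what counter-based OTP apps emit.
def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def demo() -> bool:
    # Constructed sample: five-link paper list; the server keeps h^5,
    # so four passcodes (h^4 down to h^1) remain usable.
    links = otp_chain(b"constructed-seed", 5)
    srv = PaperOtpServer(links[-1], remaining=4)
    ok1 = srv.verify(links[3])      # h^4 hashes to stored h^5: accepted
    replay = srv.verify(links[3])   # same passcode again: rejected
    ok2 = srv.verify(links[2])      # h^3 hashes to stored h^4: accepted
    return ok1 and not replay and ok2
```

The HOTP function reproduces the RFC 4226 Appendix D test vectors (secret "12345678901234567890", counter 0 gives 755224), so it can be checked against any app or server that implements the standard.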