L.S. Oh well, I installed the Authenticator Chrome Extension (https://chromewebstore.google.com/detail/authenticator/bhghoamapcdpbohphigoo...) on my PC which could scan (nifty!) the QR code exported from Google Authenticator. All is fine now. Can use 2FA via Chrome on my PC. Regards, Ernst
From: "Ernst J. Oud" <ernstoud@gmail.com> Date: 25 March 2024 at 13:39:45 CET To: Bogdan-Stefan Rotariu <bogdan@rotariu.ro> Subject: Re: [atlas] 2FA
Bogdan-Stefan,
I agree with your remark about the fact that 2FA using an Authenticator on the same system used for the login defeats its purpose.
However, RIPE refers on the 2FA instruction page (https://www.ripe.net/membership/member-support/ripe-ncc-access/two-step-veri...) under the heading “What if I don't have or want to use a smartphone?” to the OATH Toolkit for Linux.
Thus, if I accept the risk that my PC could be hacked and RIPE clearly also accepts running 2FA on a PC running Linux then I reckon that running a 2FA Authenticator on Windows or even macOS should also be made possible.
I therefore stand by my question how to enable an Authenticator on a PC if already enabled on another device. More than 95% of users don’t use Linux on their desktop. Then only referring to an arcane Linux CLI tool is a bit limiting.
I installed that toolkit on WSL2 on my PC and it installed fine but to use it I still need the secret key that was used to enable 2FA. Which I don’t have and is also not available on my profile page. Tried exporting it in Google Authenticator which gives a QR code, pointed WinAuth to the URL where I stored it. Didn’t work.
Regards,
Ernst J. Oud
On 25 Mar 2024, at 12:40, Bogdan-Stefan Rotariu <bogdan@rotariu.ro> wrote:
Hello,
The scope of 2FA is to use a secondary device to get the authorisation codes. We saw hacked PC’s that had Authy or any other 2FA Apps, and the attackers used those to obtain the codes and hijacked accounts. So using a 2FA App on the same device that you’re using to login and authorise at the same time defeats the purpose of the 2FA.
We are try now to teach our users and employees to stop using desktop apps for 2FA code generators and I encourage you to do the same, even if it adds a second layer (as expected) of effort for you.
Thanks,
-- Bogdan-Stefan Rotariu
On 25 Mar 2024, at 13:13, Ernst J. Oud <ernstoud@gmail.com> wrote:
Hi,
I enabled 2FA for Atlas website access. Works fine on my iPad and Android phone, using the Google Authenticator. However not always I have these devices with me when I want access via my Windows PC.
I installed WinAuth on my PC but it needs the secret key that is generated when 2FA is enabled. Is there a way to get this secret key for this purpose? Tried exporting from Google Authenticator but that only supplies a QR code, not the key.
Is there a way to use both a tablet/phone and a PC for authentication?
I read that in Q1 2FA will be enforced. I am a bit amazed that there has been no further announcement in this group with some help. The page on 2FA only mentions the Oauth Toolkit for Linux. No help whatsoever for Windows users.
Any clues?
Regards,
Ernst J. Oud -- ripe-atlas mailing list ripe-atlas@ripe.net https://lists.ripe.net/mailman/listinfo/ripe-atlas
-- ripe-atlas mailing list ripe-atlas@ripe.net https://lists.ripe.net/mailman/listinfo/ripe-atlas
Wow! On the profile page now you can add authenticators and copy the secret key if you add one. This works fine with WinAuth. Thanks! Met vriendelijke groet / Regards, Ernst J. Oud
On 25 Mar 2024, at 20:14, Ernst J. Oud <ernstoud@gmail.com> wrote:
L.S.
Oh well, I installed the Authenticator Chrome Extension (https://chromewebstore.google.com/detail/authenticator/bhghoamapcdpbohphigoo...) on my PC which could scan (nifty!) the QR code exported from Google Authenticator. All is fine now. Can use 2FA via Chrome on my PC.
Regards,
Ernst
From: "Ernst J. Oud" <ernstoud@gmail.com> Date: 25 March 2024 at 13:39:45 CET To: Bogdan-Stefan Rotariu <bogdan@rotariu.ro> Subject: Re: [atlas] 2FA
Bogdan-Stefan,
I agree with your remark about the fact that 2FA using an Authenticator on the same system used for the login defeats its purpose.
However, RIPE refers on the 2FA instruction page (https://www.ripe.net/membership/member-support/ripe-ncc-access/two-step-veri...) under the heading “What if I don't have or want to use a smartphone?” to the OATH Toolkit for Linux.
Thus, if I accept the risk that my PC could be hacked and RIPE clearly also accepts running 2FA on a PC running Linux then I reckon that running a 2FA Authenticator on Windows or even macOS should also be made possible.
I therefore stand by my question how to enable an Authenticator on a PC if already enabled on another device. More than 95% of users don’t use Linux on their desktop. Then only referring to an arcane Linux CLI tool is a bit limiting.
I installed that toolkit on WSL2 on my PC and it installed fine but to use it I still need the secret key that was used to enable 2FA. Which I don’t have and is also not available on my profile page. Tried exporting it in Google Authenticator which gives a QR code, pointed WinAuth to the URL where I stored it. Didn’t work.
Regards,
Ernst J. Oud
On 25 Mar 2024, at 12:40, Bogdan-Stefan Rotariu <bogdan@rotariu.ro> wrote:
Hello,
The scope of 2FA is to use a secondary device to get the authorisation codes. We saw hacked PC’s that had Authy or any other 2FA Apps, and the attackers used those to obtain the codes and hijacked accounts. So using a 2FA App on the same device that you’re using to login and authorise at the same time defeats the purpose of the 2FA.
We are try now to teach our users and employees to stop using desktop apps for 2FA code generators and I encourage you to do the same, even if it adds a second layer (as expected) of effort for you.
Thanks,
-- Bogdan-Stefan Rotariu
On 25 Mar 2024, at 13:13, Ernst J. Oud <ernstoud@gmail.com> wrote:
Hi,
I enabled 2FA for Atlas website access. Works fine on my iPad and Android phone, using the Google Authenticator. However not always I have these devices with me when I want access via my Windows PC.
I installed WinAuth on my PC but it needs the secret key that is generated when 2FA is enabled. Is there a way to get this secret key for this purpose? Tried exporting from Google Authenticator but that only supplies a QR code, not the key.
Is there a way to use both a tablet/phone and a PC for authentication?
I read that in Q1 2FA will be enforced. I am a bit amazed that there has been no further announcement in this group with some help. The page on 2FA only mentions the Oauth Toolkit for Linux. No help whatsoever for Windows users.
Any clues?
Regards,
Ernst J. Oud -- ripe-atlas mailing list ripe-atlas@ripe.net https://lists.ripe.net/mailman/listinfo/ripe-atlas
-- ripe-atlas mailing list ripe-atlas@ripe.net https://lists.ripe.net/mailman/listinfo/ripe-atlas
participants (1)
-
Ernst J. Oud