Time to break out the tinfoil and make myself a hat

So, Google Mail is going to switch to 2FA (two-factor authentication). It seems that somewhere along the chain a phone number is required. I am not happy.

Microsoft’s Github is going to switch on 2FA before the end of 2023. Although I haven’t figured out all the details, it looks like I can authenticate with command-line tools on Linux.

I am running out of trust with Google. They are too aggressive at trying to get my phone number. I am thinking seriously about hosting my own email. Fortunately, my ISP provides me with a sub-domain that I can use. I may just switch to some other free email provider, like AOL.

I’m also transitioning my Github stuff over to Gitlab. I might try their 2FA to see if I can get it working with my system after I have fully transitioned to Gitlab.

My other concern is with taxes. I have an app that generates one-time passwords on my Nexus, running Android. I use the official HMRC app. What’s annoying is that they keep wanting me to upgrade the app. It’s a 10M download. I think it just uses TOTP (Time-based One Time Password). It’s a massive download for what is actually a simple tool. It doesn’t reveal the secret key, though, so I don’t know how I’m going to transition away from the Nexus.

The Nexus is from 2012; it’s not a smartphone, so I am a bit worried about how long Android will support it. HMRC allows you to change how you log in to do your taxes, but the process seems impossible. Like, they require a valid passport. Mine has expired. Or I could submit a Northern Ireland driving license. Northern Island? I’ve never been to Northern Island. What the hell?

They do have an API for me to look at. I’m not sure I want to go down that particular rabbit-hole. Like I say, I suspect authentication is pretty straightforward and standard if I could just get hold of the secret key.

I might try to install Android on VirtualBox for my PC, or for my Raspberry Pi. I had tried Android on my Pi a few years ago, IIRC, and walked away with the conclusion “needed some work.”

I’m not ultra-convinced that TOTP is such a great idea. We already have public-key authentication for things like ssh. And we have things like login passwords, where the server keeps only a hash and the password itself is irrecoverable. If you do the TOTP stuff, then both the server and the client must store the actual key. If there’s a compromise of either side, then the whole mechanism is useless. And sites seem to get compromised all the time.

There are always weak links in these schemes. Devices might break, be unavailable, be non-upgradeable, be lost, and all manner of things. Then you risk being permanently locked out.

There are apps out there that can help you. But one must be extra cagey about these things. How do you know you can trust them? How do you know how long they will be around? Some guy was talking about an app for Android. He said he moved off of it, because if his Android was stolen, and it wasn’t properly secured, then the whole 2FA thing is compromised anyway. As the saying goes, a chain is only as strong as the weakest link.

Vendor lock-in. This is a big issue. Companies just love to lock you in. Look at “Do no evil” Google. The temptation is just too strong. Vendors just love setting policy, too. “It’s either our way, or the highway.” I choose “highway.” Time and time again we see that vendors just can’t be trusted. We need to stop with the attitude of “It’ll be alright on the night.”

Lambs to the slaughter.

About mcturra2000

Computer programmer living in Scotland.