Re: entering geli passphrase only once at FreeBSD boot

From: Steve O'Hara-Smith <steve_at_sohara.org>
Date: Sun, 09 Jan 2022 17:12:33 UTC

On Sun, 9 Jan 2022 11:28:36 -0500
Valeri Galtsev <galtsev@kicp.uchicago.edu> wrote:

> On 1/9/22 10:35 AM, Steve O'Hara-Smith wrote:
> > On Sun, 9 Jan 2022 10:20:59 -0500
> > Valeri Galtsev <galtsev@kicp.uchicago.edu> wrote:
> > 
> >> If RFID chip is involved, part of "hiding" [secret] is to keep card
> >> with RFID chip inside shielding sleeve. Or the guy with RF scanner
> >> standing next to will easily read it.
> > 
> > 
> > 	QR code and camera, typed password and shoulder surfer,
> > fingerprint and wine glass ... same problem, different spaces. The
> > standard solutions are OTP and challenge/response, neither of which is
> > an option for geli passphrases unfortunately, which leaves only "be
> > careful".
> > 
> 
> I for one stay away from any "biometric" ways of authentication. I do 
> not want any part of my body "borrowed" from me for such authentication 

	Yeah, these people who embed RFID chips in their hands are just
asking for amateur surgery.

> ;-) But seriously: how secret is your fingerprint? We leave them 

	Not even slightly, it's a bit like the old bike locks that could be
opened by any key including a screwdriver - security theatre.

> everywhere. Or a laptop magically unlocks thanks to face recognition - I 
> don't even want to start a rant about that (still: whose brain-dead idea 
> is that!?)

	It would help if it required the face to be moving - a bit.

	The one that gets me is the dialogue that pops up on some sites
*after* authentication with my name in it and a request to confirm that I
am indeed the person named.

> These days with 2 factor authentication enforced widely we became 
> hostages of our cell phones ;-( Imagine you forgot it at home and need 
> to authenticate. Or the device just died.

	Yep, but the old RSA keyfobs had the same problems.

-- 
Steve O'Hara-Smith
Odds and Ends at http://www.sohara.org/