Most active commenters

    ←back to thread

    TOTP tokens on my wrist with the smartest dumb watch

    (blog.singleton.io)
    274 points alexmolas | 11 comments | 26 Jul 24 19:20 UTC | HN request time: 1.045s | source | bottom
    1. 627467 ◴[26 Jul 24 23:33 UTC] No.41083265[source]
    I love this, and have thought of doing the same with a dumb smartwatch but... is it good opsec to have top so visible/available? What about losing the watch or getting stolen?
    replies(4): >>41083301 #>>41083310 #>>41086601 #>>41087016 #
    2. 0cf8612b2e1e ◴[26 Jul 24 23:39 UTC] No.41083301[source]
    Unless the owner walks around proclaiming, “This is my second factor”, a casual observer is just going to think it is a broken watch.
    replies(2): >>41084249 #>>41084712 #
    3. mcsniff ◴[26 Jul 24 23:40 UTC] No.41083310[source]
    Eh, I keep TOTP codes on my Pebble and am fine with it, they are labeled in such a way that doesn't make it obvious what services they're for.

    There's basically no lock mechanism or security on a Pebble, but it's just a second factor.

    If you have my randomly generated password, have done your intel to know I might have the TOTP on my wrist, and can physically steal my watch, you've got me beat and I'm okay with that for the convenience it provides.

    replies(2): >>41084767 #>>41085645 #
    4. hn92726819 ◴[27 Jul 24 03:27 UTC] No.41084249[source]
    Also the firmware supports multiple faces. The default face can just be the time
    5. denysvitali ◴[27 Jul 24 05:58 UTC] No.41084712[source]
    This is why you create a blog post and share it with the world /s
    replies(1): >>41086002 #
    6. collingreen ◴[27 Jul 24 06:14 UTC] No.41084767[source]
    All security is a balance if the threat risk and the potential loss. I love that you have a mix that works for you while staying reasonable about it.

    We all have terrible, terrible tumbler locks on our doors because they are good enough to stop the extremely casual attempts but anywhere with unbarred windows is one rock from "unlocked" and we're generally fine with this for 99% of things.

    replies(1): >>41084781 #
    7. eurleif ◴[27 Jul 24 06:18 UTC] No.41084781{3}[source]
    Security film is another option for windows.
    8. justincormack ◴[27 Jul 24 10:36 UTC] No.41085645[source]
    Early totp devices were designed to look like pocket calculators when these things were less well known. But you are supposed to reset the key if you lose the device.
    9. marcus0x62 ◴[27 Jul 24 12:01 UTC] No.41086002{3}[source]
    What's the threat model here? An attacker is going to read this person's blog post, track them down in real life, and steal their watch to get access to their github account? That seems...unlikely.
    10. patrickdavey ◴[27 Jul 24 13:51 UTC] No.41086601[source]
    Less obvious than a ubikey though right?
    11. paulnpace ◴[27 Jul 24 15:00 UTC] No.41087016[source]
    "...so he hid it, in the one place he knew he could hide something..."