Hacker News

Calwestjobs, yesterday at 6:02 PM

The only system which does it securely is a Bitcoin cold wallet / offline-computer-signed transaction.

Or, as you pointed out, signing it on a smartcard with a keypad reader.

But for login, TOTP is better than anything else. I can put it on an Arduino with a small OLED board and keep it in a safe/vault offline.

And there is no way for an attacker to MITM, and here lies the problem: companies cannot blame you as easily as with currently deployed technologies... they hide breaches all the time, f... PCI


Replies

lxgr, yesterday at 7:22 PM

> But for login, TOTP is better than anything else. I can put it on an Arduino with a small OLED board and keep it in a safe/vault offline. And there is no way for an attacker to MITM.

There totally is! How do you know you're entering the TOTP on a legitimate website?

WebAuthn prevents that, both by not letting you use a given key on the wrong website, and by including the origin in the signature generated using the key, which the relying party can then check for plausibility.
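To make the origin-binding point concrete, here is an added example (not code from the thread or from any WebAuthn library) of the relying-party side of a WebAuthn login assertion in Go. It keeps the spec's real layout where it matters: the authenticator signs authenticatorData (whose first 32 bytes are SHA-256 of the RP ID) concatenated with SHA-256 of clientDataJSON, and clientDataJSON carries the origin the browser actually saw plus the server's challenge. Everything else (the P-256 key, the RP ID example.com, the lookalike origin https://example-login.evil, the JSON field subset, and the demo flow) is constructed for illustration; a real RP would also decode the attested COSE public key at registration and track the signature counter.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is what the relying party stored at registration (constructed for this example).
type Credential struct {
	RPID      string
	PublicKey *ecdsa.PublicKey
}

// clientData is the subset of WebAuthn CollectedClientData that the checks below need.
// The browser, not the web page, fills in Origin, which is why the RP can trust it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// makeAuthenticatorData builds the fixed 37-byte prefix of authenticatorData:
// rpIdHash (32 bytes) || flags (1 byte) || signature counter (4 bytes, big-endian).
func makeAuthenticatorData(rpID string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := append([]byte{}, h[:]...)
	out = append(out, 0x01) // UP flag: user present
	return append(out, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
}

// signedDigest is the message both sides hash: authData || SHA-256(clientDataJSON).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return d[:]
}

// sign stands in for the authenticator: it signs whatever clientData the browser supplied.
func sign(priv *ecdsa.PrivateKey, authData, clientDataJSON []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, clientDataJSON))
}

// VerifyAssertion is the relying-party check: ceremony type, challenge, origin,
// rpIdHash, user-presence flag, and finally the signature over all of it.
func VerifyAssertion(cred Credential, expectedOrigin, expectedChallenge string, authData, clientDataJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch (replay or cross-session?)")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin mismatch: got %q, want %q", cd.Origin, expectedOrigin)
	}
	if len(authData) < 37 {
		return errors.New("authenticatorData too short")
	}
	want := sha256.Sum256([]byte(cred.RPID))
	if !bytes.Equal(authData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if authData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	if !ecdsa.VerifyASN1(cred.PublicKey, signedDigest(authData, clientDataJSON), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// RunDemo plays three logins against one credential and returns the RP's verdict for each:
// a genuine login (nil), a relayed login from a phishing origin, and a relay where the
// attacker rewrote the origin field before forwarding.
func RunDemo() (genuine, relayed, patched error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	cred := Credential{RPID: "example.com", PublicKey: &priv.PublicKey}
	const origin = "https://example.com"

	// The RP issues a fresh random challenge for this login attempt.
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return err, err, err
	}
	challenge := base64.RawURLEncoding.EncodeToString(raw)
	authData := makeAuthenticatorData(cred.RPID, 1)

	// 1. Genuine: the user is on https://example.com, so the browser records that origin.
	cdGood, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	sigGood, _ := sign(priv, authData, cdGood)
	genuine = VerifyAssertion(cred, origin, challenge, authData, cdGood, sigGood)

	// 2. Relay: a lookalike site forwards the real challenge, the way a TOTP phishing proxy
	//    does, but the victim's browser records the lookalike origin under the signature.
	cdEvil, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: "https://example-login.evil"})
	sigEvil, _ := sign(priv, authData, cdEvil)
	relayed = VerifyAssertion(cred, origin, challenge, authData, cdEvil, sigEvil)

	// 3. The attacker swaps in clientData with the legitimate origin: the signature no longer matches.
	patched = VerifyAssertion(cred, origin, challenge, authData, cdGood, sigEvil)
	return genuine, relayed, patched
}

func main() {
	g, r, p := RunDemo()
	fmt.Println("genuine login:", g)
	fmt.Println("relayed from phishing origin:", r)
	fmt.Println("origin field rewritten by attacker:", p)
}
```

In practice the relayed case fails even earlier: a browser will only allow a request for RP ID example.com from an origin whose effective domain is example.com or a subdomain of it, so the lookalike page never gets the authenticator to use that credential at all. The RP-side origin and rpIdHash checks above are the second line of defence the reply describes, and they are what a TOTP code, which carries no notion of where it was typed, cannot offer.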