Authentification » Historique » Version 77
Version 76 (Laurent GUERBY, 24/07/2018 23:21) → Version 77/82 (Laurent GUERBY, 24/07/2018 23:22)
{{>toc}}
h1. Authentification
h2. Liens
https://krebsonsecurity.com/2018/07/google-security-keys-neutered-employee-phishing/
https://tech.slashdot.org/story/18/07/23/1944236/none-of-googles-85000-employees-have-been-phished-in-more-than-a-year-after-company-required-them-to-use-physical-security-keys-for-2fa
https://twofactorauth.org/
https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/
https://blog.mozilla.org/blog/2018/05/09/firefox-gets-down-to-business-and-its-personal/
https://hacks.mozilla.org/2018/01/using-hardware-token-based-2fa-with-the-webauthn-api/
https://en.wikipedia.org/wiki/YubiKey
https://0day.work/using-a-yubikey-for-gpg-and-ssh/
https://tech.slashdot.org/story/17/10/01/2130249/google-plans-upgrade-of-two-factor-authentication-for-politicians-and-ceos
https://www.evilsocket.net/2017/12/07/DIY-Portable-Secrets-Manager-with-a-RPI-Zero-and-the-ARC-Project/
https://lwn.net/Articles/734767/
Strategies for offline PGP key storage
https://blog.cloudflare.com/how-developers-got-password-security-so-wrong/
https://www.crowdsupply.com/sutajio-kosagi/tomu
https://www.tartarefr.eu/remplacer-les-mots-de-passe-par-linsertion-dune-cle-usb/
https://lwn.net/Articles/736231/
A comparison of cryptographic keycards
https://lwn.net/Articles/750430/
Free Nitrokey cryptographic cards for kernel developers
https://anarc.at/blog/2017-10-26-comparison-cryptographic-keycards/
https://mozilla-lockbox.github.io/
https://www.nextinpact.com/news/106385-connexion-securisee-api-webauthn-presque-finalisee-premiere-yubikey-fido2.htm
https://linode.com/docs/security/authentication/use-one-time-passwords-for-two-factor-authentication-with-ssh-on-ubuntu-16-04-and-debian-8/
https://support.yubico.com/support/solutions/articles/15000006444-losing-your-yubikey
https://hackaday.com/2017/12/14/using-gmail-with-oauth2-in-linux-and-on-an-esp8266/
https://www.imperialviolet.org/2017/10/08/securitykeytest.html
Testing Security Keys (08 Oct 2017)
https://github.com/hillbrad/U2FReviews#u2freviews
https://hackaday.com/2018/01/04/two-factor-authentication-with-the-esp8266/
https://hackaday.com/2017/10/16/inside-two-factor-authentication-apps
https://www.nextinpact.com/brief/protonmail-proposera-sa-propre-cle-de-securite-u2f-789.htm
https://www.crowdsupply.com/nth-dimension/signet
$39 kicad design
https://www.libre-parcours.net/post/comment-je-gere-mes-mots-de-passe/
https://protonmail.com/blog/encrypted_email_authentication/
https://tools.ietf.org/html/rfc2945
The SRP Authentication and Key Exchange System Secure Remote Password (SRP)
https://www.crowdsupply.com/third-pin/pastilda
$50 middle USB in out
pas vraiment de design file dispo ?
https://bitbucket.org/thirdpin_team/pastilda
old https://github.com/thirdpin/pastilda
https://www.ory.am/run-oauth2-server-open-source-api-security.html
https://github.com/ory/hydra
Oauth2 high performance
https://www.owasp.org/index.php/Authentication_Cheat_Sheet
The Open Web Application Security Project
https://github.com/conorpp/u2f-zero
U2F Zero
U2F Zero is an open source U2F token for 2 factor authentication. It is implemented securely. It works with Google accounts, Github, Duo, OpenSSH, and anything else supporting U2F.
http://hackaday.com/2017/01/17/shmoocon-2017-the-ins-and-outs-of-manufacturing-and-selling-hardware/
https://www.u2fzero.com/
https://plus.google.com/+LaurenWeinstein/posts/avKcX7QmASi
Do I really need to bother with Google's 2-Step Verification system? I don't need more hassle and my passwords are pretty good.
https://lauren.vortex.com/2017/06/10/google-users-who-want-to-use-2-factor-protections-but-dont-understand-how
https://it.slashdot.org/story/17/05/04/218210/google-was-warned-about-this-weeks-mass-phishing-email-attack-six-years-ago
https://oauth.net/
https://arstechnica.com/security/2017/05/thieves-drain-2fa-protected-bank-accounts-by-abusing-ss7-routing-protocol/
http://arstechnica.com/security/2016/12/this-low-cost-device-may-be-the-worlds-best-hope-against-account-takeovers/
https://en.wikipedia.org/wiki/Universal_2nd_Factor
https://it.slashdot.org/story/16/12/24/0037256/u2f-security-keys-may-be-the-worlds-best-hope-against-account-takeovers
https://shop.nitrokey.com/shop/product/nitrokey-u2f-5
https://homepages.laas.fr/matthieu/talks/token-capitoul.pdf
https://github.com/ruimarinho/yubikey-handbook
https://research.kudelskisecurity.com/2017/04/28/configuring-yubikey-for-gpg-and-u2f/
http://hackaday.com/2016/09/29/taking-a-u2f-hardware-key-from-design-to-production/
https://m.nextinpact.com/news/102201-clefs-gpg-comment-stocker-et-utiliser-via-clef-usb-openpgp-card.htm
https://www.palkeo.com/sys/yubikey.html
http://www.limpkin.fr/index.php?post/2017/01/13/A-Mass-Programming-Bench-for-ATMega32u4-MCUs
https://www.themooltipass.com/
https://www.indiegogo.com/projects/mooltipass-open-source-offline-password-keeper
https://www.kickstarter.com/projects/limpkin/mooltipass-mini-your-passwords-on-the-go
https://raymii.org/s/articles/Get_Started_With_The_Nitrokey_HSM.html#SSH_Keys_with_the_HSM
https://media.ccc.de/v/33c3-8314-bootstraping_a_slightly_more_secure_laptop
https://portier.github.io/
https://sec2016.rmll.info/programme/#usb-armory
https://sec2016.rmll.info//files/
https://sec2016.rmll.info//files/20160704-02-Barisani-forging_the_usb_armory.pdf
https://www.crowdsupply.com/inverse-path/usb-armory
$130
kicad https://github.com/inversepath/usbarmory/tree/master/hardware
http://keithp.com/blogs/chaoskey/
http://saimei.acc.umu.se/pub/debian-meetings/2016/debconf16/Chaoskey_A_Hardware_Random_Number_Generator_for_Everyone.webm
http://www.nextinpact.com/news/100871-choisir-bon-mot-passe-regles-a-connaitre-pieges-a-eviter.htm
http://www.nextinpact.com/news/96167-u2f-double-authentification-par-clef-usb-se-repand-et-debarque-dans-dropbox.htm
https://forum.nextinpact.com/topic/157193-bien-g%C3%A9rer-ses-mots-de-passe/
https://fidoalliance.org/
https://blog.adafruit.com/2017/01/04/new-product-fido-u2f-security-key-u2f-usb-two-step-authentication-security/
https://www.ledgerwallet.com/products/12-ledger-nano-s
https://www.entrouvert.com/fr/identite-numerique/authentic-2/
https://indico.mathrice.fr/event/27/contribution/13/material/slides/0.pdf
Principe de fonctionnement OAuth2
http://blog.hansenpartnership.com/using-your-tpm-as-a-secure-key-store/
https://blog.filippo.io/giving-up-on-long-term-pgp/
https://www.ledgerwallet.com/products/12-ledger-nano-s
https://github.com/LedgerHQ
https://www.ledgerwallet.com/products/9-ledger-blue
http://digiposte.fr
edf, gdf, impots, assurances en auto via un id (?)
tu peux récupérer un zip des dossiers
https://lauren.vortex.com/2017/01/05/biting-the-bullet-its-time-to-require-2-factor-verified-logins
https://cloud.google.com/security/security-design/
https://github.com/google/key-transparency
https://www.facebook.com/notes/facebook-security/security-key-for-safer-logins-with-a-touch/10154125089265766
https://tech.slashdot.org/story/17/01/30/2023249/facebooks-new-tool-looks-to-replace-traditional-two-factor-authentication
https://www.facebook.com/notes/protect-the-graph/improving-account-security-with-delegated-recovery/1833022090271267
https://keybase.io/blog/keybase-chat
https://arstechnica.com/gadgets/2017/02/no-key-no-login-g-suite-admins-can-now-make-fido-security-keys-mandatory/
https://chown.me/blog/my-recent-journey-with-2FA.html
https://korben.info/keybox-console-centraliser-vos-acces-ssh.html
http://sshkeybox.com/
https://github.com/lipp/login-with
https://blog.plan99.net/building-account-systems-f790bf5fdbe0
https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/
https://www.troyhunt.com/password-managers-dont-have-to-be-perfect-they-just-have-to-be-better-than-not-having-one/
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
https://blogs.dropbox.com/tech/2016/09/how-dropbox-securely-stores-your-passwords/
https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/
h2. Passwords
https://www.passwordstore.org/
https://keepassxreboot.github.io/project
https://ask.slashdot.org/story/17/03/08/212244/ask-slashdot-should-you-use-password-managers
h1. Authentification
h2. Liens
https://krebsonsecurity.com/2018/07/google-security-keys-neutered-employee-phishing/
https://tech.slashdot.org/story/18/07/23/1944236/none-of-googles-85000-employees-have-been-phished-in-more-than-a-year-after-company-required-them-to-use-physical-security-keys-for-2fa
https://twofactorauth.org/
https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/
https://blog.mozilla.org/blog/2018/05/09/firefox-gets-down-to-business-and-its-personal/
https://hacks.mozilla.org/2018/01/using-hardware-token-based-2fa-with-the-webauthn-api/
https://en.wikipedia.org/wiki/YubiKey
https://0day.work/using-a-yubikey-for-gpg-and-ssh/
https://tech.slashdot.org/story/17/10/01/2130249/google-plans-upgrade-of-two-factor-authentication-for-politicians-and-ceos
https://www.evilsocket.net/2017/12/07/DIY-Portable-Secrets-Manager-with-a-RPI-Zero-and-the-ARC-Project/
https://lwn.net/Articles/734767/
Strategies for offline PGP key storage
https://blog.cloudflare.com/how-developers-got-password-security-so-wrong/
https://www.crowdsupply.com/sutajio-kosagi/tomu
https://www.tartarefr.eu/remplacer-les-mots-de-passe-par-linsertion-dune-cle-usb/
https://lwn.net/Articles/736231/
A comparison of cryptographic keycards
https://lwn.net/Articles/750430/
Free Nitrokey cryptographic cards for kernel developers
https://anarc.at/blog/2017-10-26-comparison-cryptographic-keycards/
https://mozilla-lockbox.github.io/
https://www.nextinpact.com/news/106385-connexion-securisee-api-webauthn-presque-finalisee-premiere-yubikey-fido2.htm
https://linode.com/docs/security/authentication/use-one-time-passwords-for-two-factor-authentication-with-ssh-on-ubuntu-16-04-and-debian-8/
https://support.yubico.com/support/solutions/articles/15000006444-losing-your-yubikey
https://hackaday.com/2017/12/14/using-gmail-with-oauth2-in-linux-and-on-an-esp8266/
https://www.imperialviolet.org/2017/10/08/securitykeytest.html
Testing Security Keys (08 Oct 2017)
https://github.com/hillbrad/U2FReviews#u2freviews
https://hackaday.com/2018/01/04/two-factor-authentication-with-the-esp8266/
https://hackaday.com/2017/10/16/inside-two-factor-authentication-apps
https://www.nextinpact.com/brief/protonmail-proposera-sa-propre-cle-de-securite-u2f-789.htm
https://www.crowdsupply.com/nth-dimension/signet
$39 kicad design
https://www.libre-parcours.net/post/comment-je-gere-mes-mots-de-passe/
https://protonmail.com/blog/encrypted_email_authentication/
https://tools.ietf.org/html/rfc2945
The SRP Authentication and Key Exchange System Secure Remote Password (SRP)
https://www.crowdsupply.com/third-pin/pastilda
$50 middle USB in out
pas vraiment de design file dispo ?
https://bitbucket.org/thirdpin_team/pastilda
old https://github.com/thirdpin/pastilda
https://www.ory.am/run-oauth2-server-open-source-api-security.html
https://github.com/ory/hydra
Oauth2 high performance
https://www.owasp.org/index.php/Authentication_Cheat_Sheet
The Open Web Application Security Project
https://github.com/conorpp/u2f-zero
U2F Zero
U2F Zero is an open source U2F token for 2 factor authentication. It is implemented securely. It works with Google accounts, Github, Duo, OpenSSH, and anything else supporting U2F.
http://hackaday.com/2017/01/17/shmoocon-2017-the-ins-and-outs-of-manufacturing-and-selling-hardware/
https://www.u2fzero.com/
https://plus.google.com/+LaurenWeinstein/posts/avKcX7QmASi
Do I really need to bother with Google's 2-Step Verification system? I don't need more hassle and my passwords are pretty good.
https://lauren.vortex.com/2017/06/10/google-users-who-want-to-use-2-factor-protections-but-dont-understand-how
https://it.slashdot.org/story/17/05/04/218210/google-was-warned-about-this-weeks-mass-phishing-email-attack-six-years-ago
https://oauth.net/
https://arstechnica.com/security/2017/05/thieves-drain-2fa-protected-bank-accounts-by-abusing-ss7-routing-protocol/
http://arstechnica.com/security/2016/12/this-low-cost-device-may-be-the-worlds-best-hope-against-account-takeovers/
https://en.wikipedia.org/wiki/Universal_2nd_Factor
https://it.slashdot.org/story/16/12/24/0037256/u2f-security-keys-may-be-the-worlds-best-hope-against-account-takeovers
https://shop.nitrokey.com/shop/product/nitrokey-u2f-5
https://homepages.laas.fr/matthieu/talks/token-capitoul.pdf
https://github.com/ruimarinho/yubikey-handbook
https://research.kudelskisecurity.com/2017/04/28/configuring-yubikey-for-gpg-and-u2f/
http://hackaday.com/2016/09/29/taking-a-u2f-hardware-key-from-design-to-production/
https://m.nextinpact.com/news/102201-clefs-gpg-comment-stocker-et-utiliser-via-clef-usb-openpgp-card.htm
https://www.palkeo.com/sys/yubikey.html
http://www.limpkin.fr/index.php?post/2017/01/13/A-Mass-Programming-Bench-for-ATMega32u4-MCUs
https://www.themooltipass.com/
https://www.indiegogo.com/projects/mooltipass-open-source-offline-password-keeper
https://www.kickstarter.com/projects/limpkin/mooltipass-mini-your-passwords-on-the-go
https://raymii.org/s/articles/Get_Started_With_The_Nitrokey_HSM.html#SSH_Keys_with_the_HSM
https://media.ccc.de/v/33c3-8314-bootstraping_a_slightly_more_secure_laptop
https://portier.github.io/
https://sec2016.rmll.info/programme/#usb-armory
https://sec2016.rmll.info//files/
https://sec2016.rmll.info//files/20160704-02-Barisani-forging_the_usb_armory.pdf
https://www.crowdsupply.com/inverse-path/usb-armory
$130
kicad https://github.com/inversepath/usbarmory/tree/master/hardware
http://keithp.com/blogs/chaoskey/
http://saimei.acc.umu.se/pub/debian-meetings/2016/debconf16/Chaoskey_A_Hardware_Random_Number_Generator_for_Everyone.webm
http://www.nextinpact.com/news/100871-choisir-bon-mot-passe-regles-a-connaitre-pieges-a-eviter.htm
http://www.nextinpact.com/news/96167-u2f-double-authentification-par-clef-usb-se-repand-et-debarque-dans-dropbox.htm
https://forum.nextinpact.com/topic/157193-bien-g%C3%A9rer-ses-mots-de-passe/
https://fidoalliance.org/
https://blog.adafruit.com/2017/01/04/new-product-fido-u2f-security-key-u2f-usb-two-step-authentication-security/
https://www.ledgerwallet.com/products/12-ledger-nano-s
https://www.entrouvert.com/fr/identite-numerique/authentic-2/
https://indico.mathrice.fr/event/27/contribution/13/material/slides/0.pdf
Principe de fonctionnement OAuth2
http://blog.hansenpartnership.com/using-your-tpm-as-a-secure-key-store/
https://blog.filippo.io/giving-up-on-long-term-pgp/
https://www.ledgerwallet.com/products/12-ledger-nano-s
https://github.com/LedgerHQ
https://www.ledgerwallet.com/products/9-ledger-blue
http://digiposte.fr
edf, gdf, impots, assurances en auto via un id (?)
tu peux récupérer un zip des dossiers
https://lauren.vortex.com/2017/01/05/biting-the-bullet-its-time-to-require-2-factor-verified-logins
https://cloud.google.com/security/security-design/
https://github.com/google/key-transparency
https://www.facebook.com/notes/facebook-security/security-key-for-safer-logins-with-a-touch/10154125089265766
https://tech.slashdot.org/story/17/01/30/2023249/facebooks-new-tool-looks-to-replace-traditional-two-factor-authentication
https://www.facebook.com/notes/protect-the-graph/improving-account-security-with-delegated-recovery/1833022090271267
https://keybase.io/blog/keybase-chat
https://arstechnica.com/gadgets/2017/02/no-key-no-login-g-suite-admins-can-now-make-fido-security-keys-mandatory/
https://chown.me/blog/my-recent-journey-with-2FA.html
https://korben.info/keybox-console-centraliser-vos-acces-ssh.html
http://sshkeybox.com/
https://github.com/lipp/login-with
https://blog.plan99.net/building-account-systems-f790bf5fdbe0
https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/
https://www.troyhunt.com/password-managers-dont-have-to-be-perfect-they-just-have-to-be-better-than-not-having-one/
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
https://blogs.dropbox.com/tech/2016/09/how-dropbox-securely-stores-your-passwords/
https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/
h2. Passwords
https://www.passwordstore.org/
https://keepassxreboot.github.io/project
https://ask.slashdot.org/story/17/03/08/212244/ask-slashdot-should-you-use-password-managers