It Me: Under the Hood of Web Authentication | Robinson, Zhu

Garrett Robinson, Yan Zhu; It Me: Under the Hood of Web Authentication; At Some Conference; circa 2017-10; N slides.


  1. Do not use (linear) string comparison for secrets, ever: a byte-by-byte compare exits at the first mismatch, so its timing leaks how much of the guess was correct.
    Avoid: a == b
    Use: PRF(a) == PRF(b)
    where: PRF is a pseudo-random function, e.g. HMAC
  2. Use U2F with Web Authentication
  3. 2FA is weakened by the Password Reset Flow
    • Uses SMTP to deliver secrets or capabilities.
    • SMTP is not encrypted.
    • SMTP’s STARTTLS is opportunistic and fails open (falls back to cleartext)
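The PRF trick from item 1, worked through as an added example (not from the talk): the same early-exit loop is run once over raw inputs and once over HMAC-SHA256 digests, with the number of examined bytes returned so the leak is visible. The key name and the sample secret are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Tuple

def leaky_equal(a: bytes, b: bytes) -> Tuple[bool, int]:
    """The 'a == b' pattern the talk warns about, instrumented: returns the
    result and how many byte positions were examined before stopping.
    The loop exits at the first mismatch, so the count (and wall-clock time)
    grows with the length of the correct prefix the caller supplied."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b), start=1):
        if x != y:
            return False, i
    return True, len(a)

# Constructed: a per-process random HMAC key. It is never stored, logged or
# compared; it only needs to be unknown to whoever supplies the guesses.
_PRF_KEY = os.urandom(32)

def prf(data: bytes) -> bytes:
    """HMAC-SHA256 as the PRF: keyed, so the digest of a guess cannot be
    predicted by the party who chose the guess."""
    return hmac.new(_PRF_KEY, data, hashlib.sha256).digest()

def prf_equal(a: bytes, b: bytes) -> Tuple[bool, int]:
    """PRF(a) == PRF(b), deliberately using the same leaky loop. Any early
    exit now happens where two unpredictable 32-byte digests diverge, which
    carries no information about how many input bytes matched. (The stdlib
    alternative is hmac.compare_digest, which is constant-time outright.)"""
    return leaky_equal(prf(a), prf(b))

if __name__ == "__main__":
    secret = b"correct horse battery staple"  # constructed sample secret
    for guess in (b"cXXXXXXXXXXXXXXXXXXXXXXXXXXX", b"correct horse battery stapLe"):
        print("leaky:", leaky_equal(secret, guess), "prf:", prf_equal(secret, guess))
```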


How to secure SSH login with one-time passwords on Linux | Xmodulo

How to secure SSH login with one-time passwords on Linux; Editor; In Xmodulo; 2015-03-30.


  • OTPW
  • Integrates via PAM
  • Not available on Fedora or Red Hat (you have to build from source).


  • git clone
  • The Makefile requires manual editing


  • otpw-gen
  • ~/.otpw contains the (hashed) pregenerated passwords



UsePrivilegeSeparation yes
ChallengeResponseAuthentication yes
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication no

/usr/sbin/sshd tries to write to the user’s home directory, which the default SELinux policy does not allow. You must manually update the SELinux policy.