From 1c28f0095987d61e7ee4c8ce2b5a3b55782c6ce0 Mon Sep 17 00:00:00 2001 From: Ben Harris Date: Wed, 4 Mar 2020 23:50:50 -0500 Subject: [PATCH] tidy up googleauth.md --- wiki/source/googleauth.md | 71 +++++++++++++++++++-------------------- 1 file changed, 34 insertions(+), 37 deletions(-) diff --git a/wiki/source/googleauth.md b/wiki/source/googleauth.md index e835101..3a45024 100644 --- a/wiki/source/googleauth.md +++ b/wiki/source/googleauth.md @@ -3,61 +3,58 @@ title: Using Google Authenticator on tilde.club author: deepend --- - # Using Google Authenticator. -To get started with google authenticator run the following command +To get started, run the following command: - `google-authenticator` + google-authenticator -Allow the command to update your Google Authenticator. After running the -command, you’ll be asked a couple of questions, the first one being: +Allow the command to update your Google Authenticator. After running the +command, you’ll be asked a couple of questions, the first one being: This one you need to answer 'yes'(y). - `Do you want authentication tokens to be time-based (y/n)` + Do you want authentication tokens to be time-based (y/n) -You’ll then be presented with a secret key and multiple “scratch codes”. -We strongly suggest saving these emergency scratch codes in a safe place, -like a password manager. These codes are the only way to regain access if -you lose your phone or lose access to your TOTP app, and each one can -only be used once, so they really are in case of emergency. +You’ll then be presented with a secret key and multiple “scratch codes”. +We strongly suggest saving these emergency scratch codes in a safe place, +like a password manager. These codes are the only way to regain access if +you lose your phone or lose access to your TOTP app, and each one can +only be used once, so they really are in case of emergency. -You’ll then be prompted with several questions, The choices are all -about balancing security with ease-of-use. It begins with: +You’ll then be prompted with several questions, The choices are all +about balancing security with ease-of-use. It begins with: - `Do you want me to update your "~/.google_authenticator" file (y/n)` + Do you want me to update your "~/.google_authenticator" file (y/n) You will need to answer 'yes'(y) for google authenticator to work with your login. Next question we also suggest answering yes to prevent a replay attack: - `Do you want to disallow multiple uses of the same authentication -token? This restricts you to one login about every 30s, but it -increases your chances to notice or even prevent -man-in-the-middle attacks (y/n)` + Do you want to disallow multiple uses of the same authentication + token? This restricts you to one login about every 30s, but it + increases your chances to notice or even prevent + man-in-the-middle attacks (y/n) For security reasons we strongly suggest answering 'no'(n) to this next question: - `By default, tokens are good for 30 seconds and in order to -compensate for possible time-skew between the client and the server, -we allow an extra token before and after the current time. If you -experience problems with poor time synchronization, you can increase -the window from its default size of 1:30min to about 4min. -Do you want to do so (y/n)` - -On the next question we suggest answering 'yes'(y) since rate-limiting -means that a remote attacker can only attempt a certain number of guesses before being blocked. - - `If the computer that you are logging into isn't hardened against -brute-force login attempts, you can enable rate-limiting for the -authentication module. By default, this limits attackers to no more -than 3 login attempts every 30s. - -`Do you want to enable rate-limiting (y/n)` - -Now your configured. Your next login you can login without an SSH key. Make sure you know your account password -because login using google-authenticator will still require your password before letting you in. + By default, tokens are good for 30 seconds and in order to + compensate for possible time-skew between the client and the server, + we allow an extra token before and after the current time. If you + experience problems with poor time synchronization, you can increase + the window from its default size of 1:30min to about 4min. + Do you want to do so (y/n) +On the next question we suggest answering 'yes'(y) since rate-limiting +means that a remote attacker can only attempt a certain number of guesses +before being blocked. + If the computer that you are logging into isn't hardened against + brute-force login attempts, you can enable rate-limiting for the + authentication module. By default, this limits attackers to no more + than 3 login attempts every 30s. + Do you want to enable rate-limiting (y/n) +Now you're configured. You can now login without an SSH key. Make sure you +know your account password because login using google-authenticator will +still require your password before letting you in.