Andrew McGlashan via luv-talk wrote:
I also don't like how Moxie Marlinspike requires everyone using his servers to have to be using his own app. You can run your own servers, but it isn't trivial and perhaps all the required code and steps are not easy to attain even though there is open source involved...
You can "run your own server", but it can't talk to anyone using the first-party server. https://www.jwz.org/blog/2018/08/signal/ https://www.jwz.org/blog/2017/03/signal-leaks-your-phone-number-to-everyone-...
The best option is to use offline TOTP, which I do with a Python script and some encrypted files that hold the keys as originally presented by the QR code -- no need to use Google Authenticator or any other /like/ app.
Depending on your threat model, the EMV approach might be a further refinement. That uses an applet running on your credit card (i.e. tamper-proof hardware and hardened algorithm), plugged into an airgapped device that looks like a desktop calculator. You manually transcribe data from the untrusted device to the calculator-like device, it generate a magic number, and you manually transcribe that back to the untrusted device. If your bank gives a shit about security, instead of just dismissing bank fraud as "identity theft", this is how you buy stuff online (a.k.a. "card-not-present transcation"). In theory the credit card's secret numbers are initialized by a device that's also airgapped and behind locks and guards. https://en.wikipedia.org/wiki/EMV The US military have something vaguely similar: https://en.wikipedia.org/wiki/Common_Access_Card rja14's mob have also built something similar for a SIM (also tamper-proof), which is DEAD SEXY, but still in proof-of-concept stage: https://www.lightbluetouchpaper.org/2016/10/31/digitally/