@yarmo a website could generate a random hex, set a timeout and tell the user to sign it with the SSH key and paste the signature before the timeout expires. One time password.
force the user to sign the current time with a private key
server verifies using shared public key
That way, the secret can’t be obtained – even if the login server gets hacked.
@yarmo Ready :)
A bit of PITA as user experience goes, but that was expected. Piping the sig to xclip is a small improvement
chaos.social – a Fediverse instance for & by the Chaos community