The easiest approach is a provider-issued hardware dongle like a SecurID or Yubikey. Lack of end-user programmability is a feature, not a bug.

▲

yjftsjthsd-h an hour ago | parent [-]

> Lack of end-user programmability is a feature, not a bug.

I would argue that the problem is network accessibility, not programmability.

▲

dcrazy an hour ago | parent [-]

When designing a system for secure attestation, end-user programmability is not a feature.

It would not be an advantage for your front door lock to be infinitely reprogrammable. It’s just a liability.

▲

yjftsjthsd-h an hour ago | parent [-]

I mean, I guess attestation might have some value, but it feels like moving the goalposts. Under the threat model of a remote attacker who can compromise a normal networked computer, I can't think of an attack that would succeed with a programmable TOTP code generator that would fail if that code generator was not reprogrammable. Can you?

> It would not be an advantage for your front door lock to be infinitely reprogrammable. It’s just a liability.

Er, most door locks are infinitely reprogrammable, because being able to rekey them without having to replace the whole unit is a huge advantage and the liability/disadvantage is minimal (falling under "It rather involved being on the other side of this airtight hatchway" in an unusually almost-literal sense where you have to be inside the house in order to rekey the lock, at which point you could also do anything else).

	▲	dcrazy 17 minutes ago \| parent [-]
		Sorry, attestation is the goalpost. The community wants certainty that the package was published by a human with authority, and not just by someone who had access to an authority’s private keys. That is what distinguishes attestation from authentication or authorization.