From 048a2f0f8a185a9aa069bbd1d55cc50bec0a8dbd Mon Sep 17 00:00:00 2001 From: Knut Ahlers Date: Mon, 9 Sep 2019 19:08:27 +0200 Subject: [PATCH] Update README Signed-off-by: Knut Ahlers --- README.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/README.md b/README.md index eed4790..6e0a69d 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,7 @@ ![](https://badges.fyi/github/license/Luzifer/vault-otp-ui) ![](https://badges.fyi/github/downloads/Luzifer/vault-otp-ui) ![](https://badges.fyi/github/latest-release/Luzifer/vault-otp-ui) +![](https://knut.in/project-status/vault-otp-ui) # Luzifer / vault-otp-ui @@ -36,7 +37,3 @@ One of the key questions I found myself asking while developing this was whether On the one hand the first solution would work when being offline because it can be cached in the browser. But seriously: I've never seen a OTP query when not being online so this wasn't a valid reason. On the other hand transmitting the secrets into the browser IMHO would be a major security flaw as - given the case you loose control over your browser having all those secrets stored in the local storage - an attacker would have the chance to generate unlimited one-time passwords for your accounts. In the end I went with the solution to transmit only names and the currently valid code. This means being offline you are not able to generate a new code but also this means you can revoke access to the Vault keys and immediately stop the attackers ability to generate codes on your behalf. - ----- - -![project status](https://d2o84fseuhwkxk.cloudfront.net/vault-otp-ui.svg)