TOTP authentication with free software
The TOTP approach is simple enough; it starts with a secret shared between the client and server sides. The algorithm used to generate an OTP starts by looking at the current time, usually quantized to a 30-second interval. That time-step counter is combined with the secret using an HMAC (HMAC-SHA-1 unless the site specifies otherwise), and a truncation of the result yields a six-digit code that is used as the password. Both the client and server sides will generate a code at authentication time; if the client can provide the same code that the server calculates, then authentication succeeds. A code is only valid for a short period and, per RFC 6238, the server must not accept the same code a second time, though not every site enforces that.
TOTP can thus be used to prove possession of the shared secret at a specific point in time. It is convenient because it requires no special hardware; anything with a CPU and an accurate clock can generate a TOTP. On the client side, one program can be used to manage TOTPs for any number of sites. Users tend to default to proprietary phone apps like Google Authenticator, but there are some clear downsides to doing so. Among those are the unwise nature of trusting proprietary code with identity information and the pain that comes with losing the device running the app. In the free-software world, there should be a better way.
TOTP apps
A quick look on F-Droid turns up a number of free TOTP apps. Your editor gave two of them a try.
TOTP secrets are arbitrary base32 strings and, thus, not much fun to type on a handset keyboard. Happily, most sites implementing TOTP have the ability to generate a QR code with the secret, and Aegis can use the camera to read them. As a result, adding new sites is easily done.
By default, Aegis will show a screen with all known sites, displaying the current OTP for each. Tapping on a given site will copy the code for pasting into a form somewhere else. It is possible to assign sites to groups, providing a single level of organization that can be useful when the number of sites gets large. There are also facilities for searching for sites, but if that is required just to obtain an access code the usability battle has already been lost.
Aegis has various features for importing and exporting its data. The import screen is a wonder to behold, with support for a large number of other apps. There are a few formats available for export, including an Aegis-specific JSON format and plain text. The export file will be encrypted unless the user taps past a couple of warnings about how dangerous an unencrypted export can be; afterward, a further warning that an unencrypted export exists stays on the main screen.
Another popular TOTP app is FreeOTP+, which is a fork of the FreeOTP app originally released (under the Apache 2.0 license) by Red Hat. Superficially, FreeOTP+ is similar to Aegis, in that it presents a screen full of known accounts. It does not actually display the code for any given account until it has been tapped on, though. This app seemingly does not encrypt its stored secrets; it can be configured to require authentication at startup before providing any codes, but does not do so by default.
Like Aegis, FreeOTP+ can read TOTP secrets from a QR code, easing the process of setting up new sites. The import and export options for FreeOTP+ are more limited than those supported by Aegis, but they will suffice to get data into or out of the app. There is no support for organizing accounts into groups. In the end, FreeOTP+ comes across as being less well developed than Aegis but, in truth, it is more than good enough to get this simple job done.
TOTP on the desktop
Authenticator apps are convenient, but some of us still use real computers and often want to access sites that way. Your editor, unlike his offspring, does not have a phone surgically implanted, so logging into a site can lead to a scramble to figure out where the damn phone is so that the code can be produced. It sure would be nice to be able to generate the code directly on the system that is used to access a site.
The pass password manager has a number of nice features, including its command-line orientation, use of GnuPG, and use of Git to store password information. It turns out that there is also an extension called pass-otp that can be used to generate TOTP codes for a site. Once the extension is installed, using it is just a matter of adding an otpauth://totp/ line to the file for the site in question; this line is most easily obtained from a plain-text export from one of the above-mentioned apps.
The new line can be anywhere in the file, so it can coexist with the existing (reusable) password that must be the first line. The pass otp command will generate the code at any given time, likely requiring the entry of the user's GnuPG key passphrase to do it; there is an option to copy it to the clipboard for easy pasting into a web form. One thing pass otp lacks is an indication of how long the generated code will be valid.
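The otpauth line that pass-otp consumes has a small grammar of its own, and apps differ in how strictly they check it. As an added example (not pass-otp's own code), here is a parser for a pass entry in the layout described above, password on the first line and the otpauth://totp/ line anywhere after it, that validates the URI's parameters the way a verifier would need them and reports how many seconds the current code has left, which is the piece of information pass otp does not print. The sample entry, the field names and the helper names are constructed for this example.

```python
import base64
import binascii
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

SUPPORTED_ALGORITHMS = {"SHA1", "SHA256", "SHA512"}


class OtpAuthError(ValueError):
    """Raised for an otpauth URI that no verifier could reproduce unambiguously."""


def parse_otpauth(uri: str) -> dict:
    """Parse otpauth://totp/[ISSUER:]ACCOUNT?secret=...[&issuer=...][&digits=...]
    [&period=...][&algorithm=...] and return the parameters a TOTP generator needs."""
    parts = urlsplit(uri.strip())
    if parts.scheme != "otpauth" or parts.netloc.lower() != "totp":
        raise OtpAuthError("not a TOTP otpauth URI")
    params = {k.lower(): v[-1] for k, v in parse_qs(parts.query).items()}

    label = unquote(parts.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")   # label may be "Issuer:account"
    account = account.strip()
    param_issuer = params.get("issuer", "").strip()
    if label_issuer and param_issuer and label_issuer.strip() != param_issuer:
        raise OtpAuthError("issuer in label and issuer parameter disagree")
    issuer = param_issuer or label_issuer.strip()

    raw = params.get("secret", "").replace(" ", "")
    if not raw:
        raise OtpAuthError("missing secret")
    try:                                                 # exporters often drop the '=' padding
        secret = base64.b32decode(raw + "=" * (-len(raw) % 8), casefold=True)
    except (binascii.Error, ValueError) as exc:
        raise OtpAuthError(f"secret is not valid base32: {exc}") from None

    algorithm = params.get("algorithm", "SHA1").upper().replace("-", "")
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise OtpAuthError(f"unsupported algorithm {algorithm}")
    try:
        digits = int(params.get("digits", "6"))
        period = int(params.get("period", "30"))
    except ValueError:
        raise OtpAuthError("digits and period must be integers") from None
    if digits not in (6, 7, 8) or period <= 0:
        raise OtpAuthError("digits must be 6-8 and period positive")

    return {"issuer": issuer, "account": account, "secret": secret,
            "digits": digits, "period": period, "algorithm": algorithm}


def parse_pass_entry(text: str) -> tuple:
    """A pass entry: the reusable password on line 1, an otpauth line anywhere below it."""
    lines = text.splitlines()
    if not lines or not lines[0].strip():
        raise ValueError("pass entry has no password line")
    otp = None
    for line in lines[1:]:
        if line.strip().startswith("otpauth://"):
            otp = parse_otpauth(line)
            break
    return lines[0], otp


def seconds_remaining(period: int, at: Optional[float] = None) -> int:
    """Seconds until the current time step rolls over (1..period)."""
    at = time.time() if at is None else at
    return period - int(at) % period


# Constructed sample entry; the secret is the RFC 6238 test secret in base32.
SAMPLE_ENTRY = """correct horse battery staple
login: alice@example.org
otpauth://totp/Example%20Site:alice%40example.org?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Site&digits=6&period=30&algorithm=SHA1
"""

if __name__ == "__main__":
    password, otp = parse_pass_entry(SAMPLE_ENTRY)
    print(otp["issuer"], otp["account"], otp["digits"], otp["period"], otp["algorithm"])
    print("code valid for", seconds_remaining(otp["period"]), "more seconds")
```

The issuer check matters in practice: some sites put the issuer only in the label, some only in the parameter, and a few put different strings in both, which is how an imported entry ends up filed under the wrong site.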
Pass provides everything that many of us need, but for people who are more graphically inclined, KeePassXC can also manage TOTPs. Enabling TOTP for a site is a matter of going into the edit screen, hitting "Advanced", then entering the otpauth://totp/ line in the provided place. After that, the application will show a little clock face that, when clicked on, will calculate and show the code. The application's documentation recommends storing TOTP data in a separate database from the one containing passwords, "possibly even on a different computer". Your editor would guess that this advice is not often followed.
Summary
Given the number of options available, there is almost no reason to use a proprietary TOTP app if one does not want to. Using free software for this purpose makes TOTP authentication available on more systems and allows users to keep sensitive identity information under their own control. The ease of backing up data from these applications and importing it into others means that the loss of a phone need not cause the loss of access to important accounts on the net. This is one area where free-software users are well provided for.
Posted Apr 14, 2023 16:50 UTC (Fri)
by mbunkus (subscriber, #87248)
[Link] (3 responses)
I've been a very satisfied Aegis user for several years now. Two additions to the points you already made:
1. Yes, Aegis will ask for the password from time to time. While I consider it annoying, the screen asking for the password also contains a link you can click to log in with biometrics this time, effectively bypassing the password question. Next time you open Aegis, it will ask for the password again, of course, but still allowing you to bypass with another click on said link. This is quick enough for me for the situations in which I don't have the patience to enter the full password, making this a nag, not the end of the world.
2. The search function is really nice to have. I've accumulated over 70 entries (personal & work combined), and even though I'm very good at naming all entries consistently, searching is oftentimes still a lot faster than scrolling. Don't knock it 'til you've drowned in tokens 😁
FreeOTP+ is an app that I haven't used myself, but I have colleagues that like & endorse it a lot.
Last but not least if anyone is curious what type of bad things a lot of other TOTP apps do & why you should use OSS ones such as the two tested here, there's a nice video from Naomi Brockwell on this topic from about a month ago that includes an interview with security researchers which tested some of the extremely popular ones such as Microsoft's TOTP app and Authy. Both Aegis & FreeOTP+ are recommended in said video, both by the researchers as well as by Naomi, due to not including any kind of tracking among other things. If you're interested: https://youtu.be/JHIAIzOPz3I
Posted Apr 14, 2023 18:59 UTC (Fri)
by jkingweb (subscriber, #113039)
[Link] (2 responses)
The prompt can also be disabled altogether in the "Security" section of its settings.
Posted Apr 14, 2023 19:02 UTC (Fri)
by mbunkus (subscriber, #87248)
[Link] (1 responses)
Posted Apr 20, 2023 11:49 UTC (Thu)
by jsegitz (subscriber, #102650)
[Link]
Posted Apr 14, 2023 17:56 UTC (Fri)
by somlo (subscriber, #92421)
[Link] (5 responses)
Posted Apr 14, 2023 19:04 UTC (Fri)
by brunowolff (guest, #71160)
[Link]
[…] stopped working. (My theory on that is that Microsoft was tracking time skew for that entry and when I fixed the time skew I was too far away from what Microsoft had for it to work and no easy way to discover what value they might have had for the skew.) Currently if you have multiple entries of this type set up, codes are checked against each of them, so I don't need to indicate whether I'm using oathtool or my backup hard token when supplying a code.
Posted Apr 14, 2023 19:35 UTC (Fri)
by dskoll (subscriber, #1630)
[Link] (1 responses)
I second the oathtool suggestion. I keep my TOTP secrets in an encrypted file system, and have a little Perl wrapper that I use when I need to respond to a challenge. Way more convenient than hunting down my phone.
Posted Apr 15, 2023 4:39 UTC (Sat)
by pabs (subscriber, #43278)
[Link]
Posted Apr 15, 2023 8:40 UTC (Sat)
by rcampos (subscriber, #59737)
[Link]
Posted Apr 16, 2023 12:08 UTC (Sun)
by gbailey (subscriber, #58)
[Link]
Posted Apr 14, 2023 19:05 UTC (Fri)
by flussence (guest, #85566)
[Link] (3 responses)
I used to use Aegis on my phone until they replaced the straightforward QR code scanner with some horrific "machine learning" bloat that caused the entire device to grind to a halt and OOM on every attempt to use it. They seemed quite proud of that despite many users' protests, so I went to FreeOTP+ and never looked back.
Posted May 4, 2023 12:48 UTC (Thu)
by alexbakker (guest, #164910)
[Link] (2 responses)
Aegis does not and has never used "machine learning" for scanning QR codes.
Posted May 9, 2023 12:56 UTC (Tue)
by hummassa (subscriber, #307)
[Link]
Posted May 24, 2023 19:04 UTC (Wed)
by flussence (guest, #85566)
[Link]
It may have been prompted by various comments in https://github.com/beemdevelopment/Aegis/issues/802 , alongside the fact that opening up the QR scanner reliably caused my phone to freeze and reboot.
Posted Apr 14, 2023 19:38 UTC (Fri)
by huntears (subscriber, #160524)
[Link] (6 responses)
It also allows me to selfhost an instance which allows me to sync all my 2FA codes over multiple devices including computers.
Posted Apr 14, 2023 22:00 UTC (Fri)
by denials (subscriber, #3413)
[Link] (5 responses)
I strongly suspect the BitWarden 1.0 licensed code doesn't qualify as free software. I haven't delved deeply enough into the code base to determine how crucial that code is to the app overall.
It also requires contributors to sign a CLA agreeing to assign their copyright to BitWarden Inc., which is heavy handed, although the CLA does grant a broad license back to the contributor.
Posted Apr 19, 2023 23:38 UTC (Wed)
by gdamjan (subscriber, #33634)
[Link] (4 responses)
Posted Apr 24, 2023 7:14 UTC (Mon)
by hickinbottoms (subscriber, #14798)
[Link] (3 responses)
Posted Apr 24, 2023 10:35 UTC (Mon)
by zdzichu (subscriber, #17118)
[Link] (2 responses)
Posted Apr 25, 2023 6:35 UTC (Tue)
by hickinbottoms (subscriber, #14798)
[Link] (1 responses)
The Bitwarden clients do seem to be free software (https://github.com/bitwarden/clients/tree/master/apps/bro... and https://github.com/bitwarden/mobile).
Posted Apr 25, 2023 7:17 UTC (Tue)
by zdzichu (subscriber, #17118)
[Link]
Vaultwarden's list of features starts with:
Vaultwarden implements the Bitwarden APIs required for most functionality, including:
- Web interface (equivalent to https://vault.bitwarden.com/)
[…]
In my experience, using Vaultwarden's web interface one can organise, create, see and copy all the credentials. It is usable without any other clients, mobile apps or browser extensions. They may provide some additional features (like autofill? I'm not sure), but Vaultwarden is certainly usable with a web browser only.
Posted Apr 14, 2023 19:52 UTC (Fri)
by jhoblitt (subscriber, #77733)
[Link] (6 responses)
Posted Apr 15, 2023 1:47 UTC (Sat)
by NYKevin (subscriber, #129325)
[Link] (2 responses)
* Fair warning to prospective buyers: Titan keys are compatible with WebAuthn/FIDO/U2F/whatever-we're-calling-it-this-week, but they are intentionally incompatible with TOTP and similar OTP-based protocols, because OTPs are insufficiently phishing-resistant (in comparison to WebAuthn/etc.). So don't buy a Titan key expecting it to replace your TOTP app.
Posted Apr 17, 2023 6:07 UTC (Mon)
by smurf (subscriber, #17840)
[Link] (1 responses)
There's lots of sites out there that support TOTP but not (yet?) WebAuthn.
Posted Apr 17, 2023 16:26 UTC (Mon)
by NYKevin (subscriber, #129325)
[Link]
Posted Apr 15, 2023 5:37 UTC (Sat)
by dxld (subscriber, #90530)
[Link] (2 responses)
I just saw that Nitrokey 3 also uses the same Rust based firmware as the Solo v2 so that could also be worth a look.
Posted Apr 15, 2023 18:42 UTC (Sat)
by NYKevin (subscriber, #129325)
[Link]
I disagree. This is a fault of your bank. You should complain to them.
The spec allows the remote site to restrict keys on the basis of manufacturer, so that employers can force employees to use keys that were provisioned by the employer (usually on the basis of "we don't trust anyone else's supply chain" and/or "we have agreed to comply with [spec], and [spec] says our security keys have to [satisfy some arbitrary requirement]"). It is not intended to function as a general-purpose security boundary for public log-ins, and your bank shouldn't be deploying it in that way.
Posted Apr 17, 2023 6:14 UTC (Mon)
by smurf (subscriber, #17840)
[Link]
At the same time, most still allow you to use a simple keyfile, locally encrypted with whichever password you choose, if you ask them nicely and promise that the file is on an encrypted stick and your network is firewalled off and all that.
Bottom line, their threat model is severely out of touch with reality.
Posted Apr 14, 2023 20:14 UTC (Fri)
by hjb (subscriber, #25523)
[Link]
Posted Apr 14, 2023 20:26 UTC (Fri)
by mss (subscriber, #138799)
[Link]
For pass(1) there exists a multi-platform GUI called QtPass. It also supports the pass-otp extension and QR code generation (but it has no TOTP QR code recognition capability yet).
Posted Apr 14, 2023 22:54 UTC (Fri)
by kop316 (guest, #152169)
[Link] (2 responses)
Posted Apr 15, 2023 5:59 UTC (Sat)
by linmob (guest, #156617)
[Link]
The apps relevant to this article can be found under https://linuxphoneapps.org/categories/multi-factor-authen...
- Keysmith https://apps.kde.org/keysmith/
- OTPClient github.com/paolostivanin/OTPClient
Reading this article and seeing the small number of desktop apps mentioned made me wonder whether I should bring LinuxPhoneApps to the attention of desktop users, too.
Posted Apr 15, 2023 14:23 UTC (Sat)
by pothos (subscriber, #116075)
[Link]
Posted Apr 14, 2023 22:56 UTC (Fri)
by NUXI (subscriber, #70138)
[Link]
Posted Apr 15, 2023 4:24 UTC (Sat)
by pabs (subscriber, #43278)
[Link]
Posted Apr 15, 2023 4:44 UTC (Sat)
by pabs (subscriber, #43278)
[Link] (10 responses)
https://github.com/bulwarkid/virtual-fido
https://github.com/psanford/tpm-fido
https://git.kernel.org/pub/scm/linux/kernel/git/jejb/fido...
https://news.ycombinator.com/item?id=33943008
Posted Apr 15, 2023 10:44 UTC (Sat)
by mbunkus (subscriber, #87248)
[Link] (9 responses)
Second, WebAuthn has the serious disadvantage of requiring additional hardware whereas TOTP can be installed for free on any existing device. It's a hurdle a lot of people aren't going to want to take.
Posted Apr 15, 2023 11:14 UTC (Sat)
by Wol (subscriber, #4433)
[Link] (1 responses)
And to prevent "exhaustion" attacks (where the attacker just tries repeatedly until the victim gives in), the login screen displays a number that has to be typed in to the phone along with the fingerprint. I *hope* that the authorisation app refuses to deal with subsequent requests until the first one has been processed, so if the victim simply ignores their phone the attack is blocked.
Cheers,
Wol
Posted Apr 15, 2023 12:05 UTC (Sat)
by tialaramex (subscriber, #21167)
[Link]
In WebAuthn, our "Relying Party ID" is a DNS name under an eTLD, so e.g. "customer-login.bigcorp.example"
With the custom phone biometric APIs they're both doing the same thing but the Relying Party ID is some arbitrary app-specific platform value so e.g. maybe it's "android::example.bigcorp.auth-app-1234"
So you can use the same backend code for all of them by making this a parameter, the web code passes "customer-login.bigcorp.example", the Android code checks that android ID, the iOS code does the same for Apple's
So long as all these IDs are designed so you can't e.g. make an iPhone app that has the same rpIDs as google.com, or an Android app owned by you which mimics Apple apps from somebody else, which I believe was easy, this allows you to leverage the same technology for different applications.
For WebAuthn the phone operating systems have to actually bless a browser to let it pick rpIDs, if it betrays you it could cause serious problems. On iOS this is not a big deal because there's really only one browser, Apple's, but on Android phone vendors, Mozilla, and Google all ship browsers, so they're all blessed specially. Mozilla actually needs to get each release build of Firefox blessed by Google (as de facto Android OS owner) to make this work. For non-WebAuthn, they just lock every app down to only get the single rpID that relates to its own unique ID.
This means "Addictive New Game" on your phone can't add a "fun" challenge where you perform biometric authentication and it sends them to bad guys, since all authentications it performs have a unique rpID for the game and that's not an rpID that anybody else has any reason to trust.
Posted Apr 15, 2023 14:18 UTC (Sat)
by Rigrig (subscriber, #105346)
[Link] (4 responses)
I sadly agree that all sites upgrading is not going to happen, but I'm at least hopeful that it will improve things on the sites that *do*: WebAuthn should "just work" for auto-fill extensions, instead of having to detect login fields hidden in some javascript-of-the day framework mess.
(Which is good, because keeping hardware-token backups for every site is not something I look forward to…)
Posted Apr 15, 2023 20:52 UTC (Sat)
by mbunkus (subscriber, #87248)
[Link] (3 responses)
• WebAuthn is nice in principle, but has the serious drawback of being tied to a device. Multi-device WebAuthn (meaning you register one device & can authenticate on a different device) is in the works, or there are thoughts about it, but no real solution.
• That realization led to yet another development called Passkeys, which are authentication tokens that can be synced between devices (e.g. Google Chrome on your desktop & mobile devices will all use the same tokens). The huge drawback is that in order for it to work the actual authentication information isn't only stored on your devices but also with a third party (with Google Chrome: on Google's servers), meaning you have to trust those providers with your credentials.
What my point is in all of that is how it'll mesh with the vast majority of the population which simply is neither very tech-savvy nor security-conscious and oftentimes lazy. When I argued that the day will "never come", this is what I had in mind. I fear that WebAuthn will never really gain traction with the general public because it's simply way too much hassle to implement compared to TOTP 2FA (the general public often enough doesn't even want to use that).
And for Passkeys my fear is that the general public will simply choose the most convenient implementation, which means that the vast majority of them will have their passkeys stored with Apple or Google, depending on the ecosystem they're part of. Furthermore if Chrome is the sync mechanism of choice in the Google world I question how other apps will gain access to synced Passkeys — on mobile via the embedded Chrome thingy or Play services or such, and on desktop? I have doubts.
Now us more tech-savvy people will probably like WebAuthn for its properties, rejoice about Passkeys & set up our own storage and sync solution. For the whole world as such I'm not optimistic that this shift is a net positive.
Posted Apr 17, 2023 6:51 UTC (Mon)
by Cyberax (✭ supporter ✭, #52523)
[Link] (2 responses)
You don't have to. The cloud sync service can use opaque blobs encrypted by the key you enter locally. I believe that's how Apple's implementation works, it just rides on top of Keychain synchronization that is encrypted by your iCloud password in the cloud.
Posted Apr 17, 2023 7:19 UTC (Mon)
by zdzichu (subscriber, #17118)
[Link] (1 responses)
JK, there are limits to paranoia.
Posted Apr 17, 2023 16:53 UTC (Mon)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Posted Apr 15, 2023 22:38 UTC (Sat)
by MarcB (guest, #101804)
[Link]
It will still protect against credential stuffing, it can still partially compensate for weak passwords, but that is about it. On the negative side, there is the complicated and expensive reset process.
A proper authentication system absolutely must enforce two-way authentication. This is a lesson we supposedly learned decades ago, yet we are still deploying a solution where one part of the authentication literally is "the users must ensure that they are entering their credentials on the correct web page".
Posted Apr 15, 2023 23:47 UTC (Sat)
by pabs (subscriber, #43278)
[Link]
The worst thing about WebAuthn for me is that authenticating with a website *requires* that you have JavaScript enabled because there is simply no common HTTP based protocol/headers for that. That may eventually be defined, but in the interim, folks who don't run JavaScript are going to need to reverse engineer every website and write a WebExtension that does the authentication protocols for them.
Posted Apr 15, 2023 14:49 UTC (Sat)
by jejb (subscriber, #6654)
[Link]
https://www.nongnu.org/oath-toolkit/
It's available on every distribution as a simple install. Its oathtool can generate both HOTP and TOTP verification. It requires the secret on the command line, so I tend to script its use (remembering to secure the script location). For HOTP, you have to implement your own counter system, but this is the one I use:
#!/bin/bash
# The counter file holds the next HOTP counter; it must stay in sync with the
# server and with any phone app provisioned with the same secret.
counter_file="$HOME/.rhcounter"
count=$(cat "$counter_file")
oathtool --hotp -c "$count" -b <secret>   # <secret> is the base32 HOTP secret
count=$((count + 1))
echo "$count" > "$counter_file"
HOTP is annoying in that if you use the above script *and* a phone app, you have to keep them in sync.
For web pages, if you use Nextcloud, the passman password manager has the ability to store TOTP (but not HOTP) secrets and make them available on the web page (it can't recognize a TOTP request, like it can a password request, so it's mostly cut and paste)
Posted Apr 15, 2023 17:28 UTC (Sat)
by mb (subscriber, #50428)
[Link] (1 responses)
There's no reason to use or trust any proprietary app, if you can write the TOTP tool yourself or if you can review an open source application's TOTP implementation.
I integrated TOTP into my password manager tool a couple of years ago:
https://bues.ch/cgit/pwman.git/tree/libpwman/otp.py
I use that daily and it works flawlessly for me.
Posted Apr 16, 2023 4:56 UTC (Sun)
by gutschke (subscriber, #27910)
[Link]
It's been years though and I lost the code. Shouldn't take long to reproduce if anybody gave it a try. Maybe, it's even easier these days. The biggest issue was that JavaScript lacked a small number of the required crypto primitives
The relevant xkcd
Posted Apr 16, 2023 15:15 UTC (Sun)
by droundy (subscriber, #4559)
[Link]
Posted Apr 17, 2023 6:53 UTC (Mon)
by tchernobog (guest, #73595)
[Link]
I really like its import/export features and smooth appearance.
Posted Apr 17, 2023 9:50 UTC (Mon)
by madhatter (subscriber, #4665)
[Link] (2 responses)
The second part of that is true, but I'm not so sure about the first part. For HOTP OATH, the stored counter increments on successful authentication, so the code is implicitly non-reusable; for TOTP OATH, I don't think the protocol requires the authenticating site to keep a record of recently-used codes, so if a second attempt is made with the same code inside the configured window of code acceptability, I would expect it to succeed.
I tried it with one site that uses TOTP OATH, and a single code was indeed usable for two successive logins within a 30-second window.
Posted Apr 17, 2023 14:17 UTC (Mon)
by mricon (subscriber, #59252)
[Link] (1 responses)
Note that a prover may send the same OTP inside a given time-step window multiple times to a verifier. The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.
Posted Apr 17, 2023 14:31 UTC (Mon)
by madhatter (subscriber, #4665)
[Link]
I might drop a quick email to the provider who accepted the same code twice, though. Considering they're a big wheel in the internet infrastructure business, it's a bit poor that they've done that.
Posted Apr 17, 2023 13:53 UTC (Mon)
by Aissen (subscriber, #59976)
[Link] (5 responses)
AFAIU those aren't open source nor based on inter-operable protocols. I'm wondering if it isn't yet another domain where open source is falling behind.
Posted Apr 17, 2023 13:59 UTC (Mon)
by pizza (subscriber, #46)
[Link] (1 responses)
You're conflating _services_ with _software_. "Open Source" can only ever provide the latter, whereas multi-factor authentication is a _service_ that is itself bolted onto another service.
You or I could write the bestest MFA authentication system evar, and release it under the most liberal of F/OSS licenses, but unless service providers adopt and deploy it en masse, it might as well not exist for all the good it will do end-users.
Posted Apr 18, 2023 8:24 UTC (Tue)
by Aissen (subscriber, #59976)
[Link]
I'm talking about protocols and software. Whether services use any of the two is orthogonal. I'm saying there are neither right now. If I want an MFA solution for my org that has mobile push notifications, there is neither an open protocol one, nor open clients and servers.
Otherwise I agree with your points about the biggest identity providers having the most power. Doesn't mean there can't be alternatives.
Posted Apr 17, 2023 15:03 UTC (Mon)
by MarcB (guest, #101804)
[Link] (2 responses)
The major problems of MFA are convenience of usage and recovery. TOTP really sucks at recovery. To provide some numbers: our worst-case costs are ~3-6€ per case, depending on market.
If you can simply tie your MFA to another account that is worth a lot.
Posted Apr 18, 2023 8:26 UTC (Tue)
by Aissen (subscriber, #59976)
[Link] (1 responses)
But I was just lamenting the lack of push-based open (even partial) solutions.
Posted Apr 18, 2023 18:15 UTC (Tue)
by MarcB (guest, #101804)
[Link]
The huge advantage of using a service operated by "someone else" for your MFA is that "someone else" has to deal with the tricky parts of MFA(*). Open Source will never be able to compete with that. The value is in the complete service i.e. software + infrastructure + support processes (in reverse order of cost).
(*) Obviously you become dependent on "someone else", but it might be a good deal for a while.
Posted Apr 17, 2023 17:46 UTC (Mon)
by patrakov (subscriber, #97174)
[Link]
It stores data encrypted if the encryption password is set, and on Chromium with keys, synchronizes the secrets using Google as the intermediary. Also, it can scan QR codes from the screen.
Posted Apr 19, 2023 17:47 UTC (Wed)
by vjanelle (subscriber, #44943)
[Link]
Matt Rubin's authenticator for iOS is OSS, and stores the tokens in encrypted iPhone backups so you can migrate them between devices if necessary.
Posted Apr 24, 2023 1:13 UTC (Mon)
by ssmith32 (subscriber, #72404)
[Link] (1 responses)
https://www.rfc-editor.org/rfc/rfc6238
Years ago I was writing up a TOTP client for whatever reason, and was slowly working through, reading the RFC and typing out code snippets as I went.. then I got to the bottom, and realized I can just copy and paste it in.
Imagine my joy when my code was in sync with Google's authenticator on the first run! (The only way I could think of verifying it was to load the key into both apps..)
Given the code in the RFC. It's definitely a nice "straightforward, eminently doable, but genuinely useful" project to work on. Surprised there aren't more examples.
Of course, kind of transitioning to Yubikeys wherever I can now, but there's something to be said for running code you actually understand, with respect to security..
Let alone not understanding the code, I actually didn't realize PINs were optional in non-BIO Yubikeys, which was sort of disconcerting.. With TOTP, I like that someone can't just steal my phone, and simply plug it in as the second factor, which you could do with a non-BIO one.
Posted Apr 24, 2023 11:20 UTC (Mon)
by farnz (subscriber, #17727)
[Link]
Yubikeys without PINs make sense to me; a PIN is just a password, and when I'm using the Yubikey as a second factor, I've already entered one password (the account password) to get access. A second password is not materially harder for the attacker to get hold of than the first password; whereas keeping my Yubikey on my keyring with my house keys etc means that I'm going to be aware very early on that the Yubikey has been lost or stolen, and go to get my backup key out of the safe.
Posted Apr 27, 2023 12:41 UTC (Thu)
by turistu (guest, #164830)
[Link]
The TOTP algorithm is trivial and could be implemented in a couple of JavaScript lines.
And no, that wouldn't have been much bigger even if I had to implement the HMAC/SHA1 by hand instead of using the browser's API.
There's actually no reason to use any extra "app" at all, open source or proprietary. This is an example where a problem (and a market for solving it) was artificially created.
Posted Apr 27, 2023 21:44 UTC (Thu)
by moxfyre (guest, #13847)
[Link] (1 responses)
Behind the scenes, many proprietary/closed-source authenticator apps are actually based on TOTP. The Symantec VIP Access app is a rather commonly-deployed example of such: many companies require their employees to use it for 2FA for access to VPNs and other corporate systems. Symantec VIP Access turns out to be entirely based on standard TOTP. This means that if you can intercept the TOTP secret/key from the HTTPS-based provisioning process, you can use it with a standard TOTP-based authenticator app. Happily, we've known how to do this since ~2014, when the Symantec VIP Access provisioning process was first studied and reimplemented in Python. I'm now the maintainer of python-vipaccess, which will allow you to provision a Symantec VIP Access soft-token using a simple command line tool.
If you need to use Symantec VIP Access but don't want to use the proprietary app, simply run python-vipaccess as follows to provision and test a new soft-token. Then take the otpauth:// URL from the output and load it into any TOTP authenticator app (perhaps via QR code), and register the credential ID with whatever company is telling you to use Symantec VIP Access for 2FA:
$ vipaccess provision -p -t SYDC
Generating request...
Fetching provisioning response from Symantec server...
Getting token from response...
Decrypting token...
Checking token against Symantec server...
Credential created successfully:
otpauth://totp/VIP%20Access:SYDC94595813?secret=HBRXYG6HH64VPFLMTSV57GSGGK6QY6I6&digits=6&algorithm=SHA1&image=https%3A%2F%2Fraw.githubusercontent.com%2Fdlenski%2Fpython-vipaccess%2Fmaster%2Fvipaccess.png&period=30
This credential expires on this date: 2026-04-26T21:38:53.998Z
You will need the ID to register this credential: SYDC94595813
You can use oathtool to generate the same OTP codes
as would be produced by the official VIP Access apps:
oathtool -b --totp HBRXYG6HH64VPFLMTSV57GSGGK6QY6I6 # output one code
oathtool -v -b --totp HBRXYG6HH64VPFLMTSV57GSGGK6QY6I6 # ... with extra information
It should be possible to reimplement other proprietary 2FA apps in a similar way. We have an outstanding feature request (issue #58) to do so for Fortitoken. Similar contributions would be most welcome :-)
Posted Apr 27, 2023 21:46 UTC (Thu)
by moxfyre (guest, #13847)
[Link]