-- Leo's gemini proxy
-- Connecting to separateconcerns.com:1965...
-- Connected
-- Sending request
-- Meta line: 20 text/gemini;lang=en_US
published 2020-04-03,updated 2024-02-10
If you're like me, you don't want to depend on your phone to log into a website, and you wish your favorite password manager [1] would support 2FA. Well, it can.
When asked to setup 2FA on a website, get a text code for TOTP. If the website doesn't give you that option, just use zbar [2]. For instance, with the QR code from the GitHub documentation [3]:
$ zbarimg totp-click-enter-code.png QR-Code:otpauth://totp/GitHub:LyaLya?secret=qmli3dwqm53vl7fy&issuer=GitHub scanned 1 barcode symbols from 1 images in 0.03 seconds
Once you get the secret, put it in `2fa/github` in `pass`.
Finally, add this to your `.bashrc` (or the equivalent for whatever shell you use):
2fa () { oathtool --totp --base32 $(pass 2fa/"$1" | head -n 1) ; }
You can now get your 2FA codes like this:
$ 2fa github 795864
Finally, you can get Bash completion with this simple script, that you must put in `/usr/share/bash-completion/completions/2fa`:
#/usr/bin/env bash >/dev/null pushd "${PASSWORD_STORE_DIR:-$HOME/.password-store}/2fa" l="$(find . -type f | sed s#^./## | sed s#.gpg\$##)" >/dev/null popd complete -W "$l" 2fa
All the tools used in that article are available [4] as [5] packages [6] in the Arch Linux repositories.
It was a post on Lobsters [7] that prompted me to post this. Someone from the comments [8] and a former colleague on Twitter [9] told me about a pass extension [10] I didn't know about which does almost the same thing.
Also, some people think that putting 2FA codes in a password manager defeats the purpose. But in practice TOTP 2FA does not really add much more to the security of my accounts than the strong random passwords I generate with pass. The "second factor" part isn't really the true benefit.
One actual advantage is that nobody on the network can sniff all of my credentials (like digest-based password verification methods). Another, and I think this is the main one, is that the owner of the website has chosen part of the credentials and hence ensured some degree of strength. What I do preserves both of those properties, so I'm fine with it. By the way, note that password managers like 1Password [11] and Passbolt [12] do the same thing.
One thing you can do to improve the security of the whole thing is use 2FA to access pass by storing the GPG key in a Yubikey.
-- Response ended
-- Page fetched on Sat May 11 06:35:48 2024