TOTP support in password-store

Bertrand Jacquin bertrand at jacquin.bzh
Sat Dec 31 01:24:29 CET 2016


I get your point. While I trust hardware tokens more than phones, I
usually can only access a very limited set of slots to store private
material. That is needed since I don't want to, or can't, use the same seed
for Google, Gandi and other services offering MFA.

It's probably not the place to discuss Yubikey. I'm not using a Yubikey
myself but an OpenPGP hardware token, and I don't really know how I could
then specify which slot of the Yubikey should be used depending on the need.
Something to investigate.

Cheers

On Fri, Dec 30, 2016 at 11:50:36PM +0000, Reed Loden wrote:
> If I compromise your computer, I still get both the password and the TOTP
> secret just from a simple keylogger. Not safe.
> 
> If you don't want to use your phone, just get a hardware token of some sort
> (Yubikey or similar).
> 
> ~reed
> 
> On Fri, Dec 30, 2016 at 3:31 PM Bertrand Jacquin <bertrand at jacquin.bzh>
> wrote:
> 
> > Well, they don't have to be stored in the password store directory nor
> > encrypted using the same GPG key.
> >
> > On 30/12/2016 23:28, Reed Loden wrote:
> > > How is that 2FA if both factors are stored on the same media? Seems
> > > quite insecure to me.
> > >
> > > ~reed
> > >
> > > On Fri, Dec 30, 2016 at 3:16 PM Bertrand Jacquin
> > > <bertrand at jacquin.bzh> wrote:
> > >
> > >> Hi,
> > >>
> > >> Thanks to everyone involved in this really nice password tool you've
> > >> made; this is something I'm using every day and I really enjoy using
> > >> it.
> > >>
> > >> Have you ever considered adding an option to handle TOTP, meaning
> > >> that the seed could be stored in a gpg file and pass could provide an
> > >> easy way to get the current OTP by using oathtool. For example:
> > >>
> > >> $ oathtool -v --base32 --totp XXX
> > >> Hex secret: YYY
> > >> Base32 secret: XXX
> > >> Digits: 6
> > >> Window size: 0
> > >> Step size (seconds): 30
> > >> Start time: 1970-01-01 00:00:00 UTC (0)
> > >> Current time: 2016-12-18 17:42:53 UTC (1482082973)
> > >> Counter: 0x2F1D38D (49402765)
> > >> 799465
> > >>
> > >> Thanks, it would be really handy for me to just run:
> > >>
> > >> $ pass show -c --totp Web/gandi.net [1]
> > >>
> > >> and be able to paste when Gandi asks for it.
> > >>
> > >> Cheers
> > >>
> > >> --
> > >> Bertrand
> > >> _______________________________________________
> > >> Password-Store mailing list
> > >> Password-Store at lists.zx2c4.com
> > >> https://lists.zx2c4.com/mailman/listinfo/password-store
> > >
> > > Links:
> > > ------
> > > [1] http://gandi.net
> >
> > --
> > Bertrand
> >

-- 
Bertrand
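The `oathtool -v --base32 --totp` run quoted in the thread is plain RFC 6238 TOTP: HMAC-SHA1 over the 8-byte big-endian time-step counter, dynamic truncation, six decimal digits. The Python below is an added example for this archive page, not code from pass or oathtool. It reproduces the fields oathtool prints (hex and base32 seed, step size, counter, code) for the quoted timestamp 1482082973 and adds the verifier-side check that oathtool's "Window size" refers to. Because the seed in the thread is redacted as `XXX`, the example uses the RFC 6238 test seed `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ` (the ASCII string `12345678901234567890`), whose published codes are known; the function names are this example's own.

```python
"""RFC 6238 TOTP with only the Python standard library.

Added example for this thread; it is not code from pass or oathtool. It
reproduces what `oathtool -v --base32 --totp SEED` prints (hex and base32
seed, time-step counter, 6-digit code) and shows verifier-side checking
with a drift window. Function names are this example's own.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test seed (ASCII "12345678901234567890"); used here
# because the seed in the thread is redacted as XXX.
TEST_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# Timestamp from the quoted oathtool run (2016-12-18 17:42:53 UTC).
QUOTED_TIME = 1482082973


def decode_base32_seed(seed_b32: str) -> bytes:
    """Decode a seed as issuers show it: any case, optional spaces, no padding."""
    cleaned = seed_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the '=' padding b32decode requires
    return base64.b32decode(cleaned)


def totp_counter(unix_time: int, step: int = 30, start: int = 0) -> int:
    """T = floor((now - T0) / X), RFC 6238 section 4.2; oathtool labels it 'Counter'."""
    return (unix_time - start) // step


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                          # low nibble of the last byte
    dbc = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(dbc % 10 ** digits).zfill(digits)     # keep leading zeros


def totp(seed_b32: str, unix_time=None, step=30, digits=6, start=0) -> str:
    """TOTP code for a base32 seed, as `oathtool --base32 --totp` prints it."""
    if unix_time is None:
        unix_time = int(time.time())
    key = decode_base32_seed(seed_b32)
    return hotp(key, totp_counter(unix_time, step, start), digits)


def verify_totp(seed_b32, submitted, unix_time, window=0, step=30, digits=6):
    """Verifier side: accept the codes of the surrounding +/-window steps to
    absorb clock drift (oathtool's 'Window size'); compare in constant time."""
    key = decode_base32_seed(seed_b32)
    base = totp_counter(unix_time, step)
    return any(
        hmac.compare_digest(hotp(key, base + d, digits), submitted)
        for d in range(-window, window + 1)
    )


def describe(seed_b32: str, unix_time: int, step=30, digits=6) -> dict:
    """The fields `oathtool -v` reports for one run, keyed by its own labels."""
    key = decode_base32_seed(seed_b32)
    counter = totp_counter(unix_time, step)
    return {
        "Hex secret": key.hex(),
        "Base32 secret": base64.b32encode(key).decode().rstrip("="),
        "Digits": digits,
        "Step size (seconds)": step,
        "Current time": unix_time,
        "Counter": counter,
        "OTP": hotp(key, counter, digits),
    }


if __name__ == "__main__":
    for label, value in describe(TEST_SEED_B32, QUOTED_TIME).items():
        print(f"{label}: {value}")
```

For the quoted timestamp the counter comes out as 49402765 (0x2F1D38D), matching the thread; the code itself differs from 799465 because the real seed is not on the page. The `window` argument is the verifier's trade-off: each extra step accepted doubles the number of codes a guesser can hit, so keep it at 0 or 1 unless clients are known to drift.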