TOTP support in password-store

Reed Loden reed at reedloden.com
Sat Dec 31 01:47:14 CET 2016


U2F solves that issue, and it's way more secure than TOTP. Sadly, not many
sites support it yet (Google, GitHub, and Dropbox all do). So, just find a
hardware token with U2F support and push sites to implement support for it.
:-)

~reed

On Fri, Dec 30, 2016 at 4:24 PM Bertrand Jacquin <bertrand at jacquin.bzh>
wrote:

> I get your point. While I trust hardware tokens more than phones, I
> usually can access a very limited set of slots to store private
> material. That is needed since I don't want to or can't use the same
> seed for Google, Gandi and other services offering MFA.
>
> It's probably not the place to discuss Yubikey. I'm not using Yubikey
> myself but an OpenPGP hardware token and don't really know how I can then
> specify which slot of the Yubikey should be used depending on the need.
> Subject to investigate.
>
> Cheers
>
> On Fri, Dec 30, 2016 at 11:50:36PM +0000, Reed Loden wrote:
> > If I compromise your computer, I still get both the password and the TOTP
> > secret just from a simple keylogger. Not safe.
> >
> > If you don't want to use your phone, just get a hardware token of some
> > sort (Yubikey or similar).
> >
> > ~reed
> >
> > On Fri, Dec 30, 2016 at 3:31 PM Bertrand Jacquin <bertrand at jacquin.bzh>
> > wrote:
> >
> > > Well, they don't have to be stored on the password store directory nor
> > > encrypted using the same GPG key.
> > >
> > > On 30/12/2016 23:28, Reed Loden wrote:
> > >
> > > > How is that 2FA if both factors are stored on the same media? Seems
> > > > quite insecure to me.
> > > >
> > > > ~reed
> > > >
> > > > On Fri, Dec 30, 2016 at 3:16 PM Bertrand Jacquin
> > > > <bertrand at jacquin.bzh> wrote:
> > > >
> > > >> Hi,
> > > >>
> > > >> Thanks to everyone involved in this really nice password tool you've
> > > >> made, this is something I'm using every day and really enjoy using
> > > >> it.
> > > >>
> > > >> Have you ever considered adding an option to handle TOTP, meaning
> > > >> that the seed could be stored in a gpg file and pass could provide
> > > >> an easy way to get current OTP by using oathtool. For example:
> > > >>
> > > >> $ oathtool -v --base32 --totp XXX
> > > >> Hex secret: YYY
> > > >> Base32 secret: XXX
> > > >> Digits: 6
> > > >> Window size: 0
> > > >> Step size (seconds): 30
> > > >> Start time: 1970-01-01 00:00:00 UTC (0)
> > > >> Current time: 2016-12-18 17:42:53 UTC (1482082973)
> > > >> Counter: 0x2F1D38D (49402765)
> > > >>
> > > >> 799465
> > > >>
> > > >> That would be really handy for me to just run:
> > > >>
> > > >> $ pass show -c --totp Web/gandi.net [1]
> > > >>
> > > >> And being able to paste when Gandi asks for it.
> > > >>
> > > >> Cheers
> > > >>
> > > >> --
> > > >> Bertrand
> > > >>
> > > >> _______________________________________________
> > > >> Password-Store mailing list
> > > >> Password-Store at lists.zx2c4.com
> > > >> https://lists.zx2c4.com/mailman/listinfo/password-store
> > > >
> > > > Links:
> > > > ------
> > > > [1] http://gandi.net
> > >
> > > --
> > > Bertrand
>
> --
> Bertrand
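Added example, not part of the thread and not code from pass or oathtool: a small RFC 6238 implementation showing that a TOTP code depends only on the seed and the clock, which is why the thread's question of where the seed is stored decides whether it still counts as a second factor. The seed is the public RFC 6238 test key; the function names and the symmetric drift window in verify() are assumptions of this sketch.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # "Step size (seconds): 30" in the oathtool output quoted above
DIGITS = 6   # "Digits: 6" in the same output

# Public test key from RFC 6238 Appendix B (ASCII "12345678901234567890").
RFC_SEED = base64.b32encode(b"12345678901234567890").decode()


def counter_at(unix_time, step=STEP, start=0):
    """Time counter: whole steps elapsed since the start time."""
    return (unix_time - start) // step


def hotp(key, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(base32_seed, unix_time, digits=DIGITS):
    """Code for a base32 seed at a given time (SHA-1, 30 s step)."""
    seed = base32_seed.replace(" ", "").upper()
    seed += "=" * (-len(seed) % 8)   # accept seeds written without padding
    return hotp(base64.b32decode(seed), counter_at(unix_time), digits)


def verify(base32_seed, code, unix_time, window=0):
    """Verifier side: window=0 accepts only the current 30 s step."""
    for drift in range(-window, window + 1):
        expected = totp(base32_seed, unix_time + drift * STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    # The counter oathtool printed in the thread for 2016-12-18 17:42:53 UTC.
    print(hex(counter_at(1482082973)))
    # Any holder of the seed derives the same code as the enrolled device.
    device_code = totp(RFC_SEED, 59)
    copy_code = totp(RFC_SEED, 59)
    print(device_code, copy_code, verify(RFC_SEED, copy_code, 59))
```

Nothing in the computation identifies the device, so the verifier cannot tell a code produced from a copied seed apart from one produced by the enrolled token.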