pass-otp: A pass extension for managing one-time-password tokens

Alexandre Pujol alexandre at pujol.io
Wed Feb 15 11:49:25 CET 2017


Hi,

> On 15/02/2017 at 01:49, Tad wrote:
>> Hello all,
>>
>> I got tired of loading up Chrome and Authy on my desktop whenever I
>> needed to generate a 2FA code, so I wrote a pass extension:
>>
>> https://github.com/tadfisher/pass-otp

Good job, I wanted to do the same extension, but yours is good
enough. Thanks a lot for it.

>> Let me know what you think! I'm certainly willing to make changes and
>> improvements, so any feedback would be appreciated.

Regarding your code I think it is important to add a test suite.



> On 15/02/17 07:53, Gambiit wrote:
> - 2FA on the same device is not 2FA.

Well, this is not exactly true. The purpose of 2FA is to have a second
way to authenticate yourself. It can be something you have (a device, as
opposed to something you know (the password)) but it is not mandatory.

Therefore if you have another password repository (or a subfolder) to
store your OTP secrets with another GPG key it is fine. Moreover you
can store this repo on a different device.

However, having the 2FA protected with the same GPG key as the password
is indeed not really useful. (Although it would still protect you if the
server DB is stolen and your password revealed.)

In conclusion it always depends on your attacker model and on your own
security policy. Therefore having a pass extension to support OTP makes
sense. Recommending that users use a different repo (with a different
key) would also make sense.


Alex

