Discussion:
pass-otp: A pass extension for managing one-time-password tokens
Tad
2017-02-15 00:49:51 UTC
Hello all,

I got tired of loading up Chrome and Authy on my desktop whenever I
needed to generate a 2FA code, so I wrote a pass extension:

https://github.com/tadfisher/pass-otp

Let me know what you think! I'm certainly willing to make changes and
improvements, so any feedback would be appreciated.

Tad Fisher
Thomas Harning Jr.
2017-02-15 03:21:21 UTC
Awesome enhancement! One suggestion that I have would be the ability
to store the OTP in the URI format (ex:
https://github.com/google/google-authenticator/wiki/Key-Uri-Format )
... although looking deeper, I cannot seem to find any other
references that use it.

The nice bit about the key URI format is that it bundles all the OTP
details in an optional way with defined defaults and helps keep all
the OTP details in one place.


So, rather than inserting all your OTP values in the neat and
detailed set of lines, you'd be storing your data in just one
format... plus, the URI export mechanism I just noticed in the
source code would be a one-time deal, generated / stored at import
time (if the manual pieces were used). Of course it would need to be
decoded each time to do some useful work.

I envision that if the parameter format was standardized well, this
would be a very useful addition to the mobile phone implementations -
perhaps with a setup where the password was stored AND the OTP
generator with the option to capture the OTP URI at import / edit time
(although this is well beyond the scope of this pass extension).

If I find time, I'll try to track down a useful URI decoder mechanism for bash,
_______________________________________________
Password-Store mailing list
https://lists.zx2c4.com/mailman/listinfo/password-store
--
Thomas Harning Jr. (http://about.me/harningt)
Brian Candler
2017-02-15 08:44:30 UTC
Post by Thomas Harning Jr.
The nice bit about the key URI format is that it bundles all the OTP
details in an optional way with defined defaults and helps keep all
the OTP details in one place.
Plus it can be rendered as a QR code, and hence auto-loaded into a
device like a phone.

In fact, "pass show --qrcode" is in git already.
Tad
2017-02-15 17:42:15 UTC
Post by Thomas Harning Jr.
Awesome enhancement! One suggestion that I have would be the ability
https://github.com/google/google-authenticator/wiki/Key-Uri-Format )
... although looking deeper, I cannot seem to find any other
references that use it.
The nice bit about the key URI format is that it bundles all the OTP
details in an optional way with defined defaults and helps keep all
the OTP details in one place.
That makes a lot of sense. In fact, it should be trivial to append an
otpauth:// URI to any existing password entry, and to simply match the
first occurrence of such a URL when decoding.
Post by Thomas Harning Jr.
I envision that if the parameter format was standardized well, this
would be a very useful addition to the mobile phone implementations -
perhaps with a setup where the password was stored AND the OTP
generator with the option to capture the OTP URI at import / edit time
(although this is well beyond the scope of this pass extension).
If we store plain URIs, then I'd imagine the standard "pass insert"
functionality would suffice.
Post by Thomas Harning Jr.
If I find time, I'll try to track down a useful URI decoder mechanism for bash,
This is the main rub. If people blindly insert something decoded from
a QR image, for example, decoding could be vulnerable to script
injection. Although it could be useful to display a warning prompt on
insert (which would require one to use the extension to insert OTP
URIs).

Anyway, I've found this URI parser for Bash:

http://wp.vpalos.com/537/uri-parsing-using-bash-built-in-features/

Does this look reasonable? I can change the extension now, which is
probably a good idea before too many users insert OTP secrets in the
old format.
Gambiit
2017-02-15 07:53:48 UTC
Hello Tad,

I had the same idea some time ago, but only for TOTP 2FA. Take a look
at my own improvements:
https://github.com/Gambiit/password-store
So, my first feedback is the same as what I had for my contribution:
- keep the code as simple as possible.
- 2FA on the same device is not 2FA.
But I find your implementation of HOTP 2FA very interesting. So, thanks :)

Gambiit

<ps>
Do you know about this Kickstarter: https://www.themooltipass.com/ ? I
saw it at the last FOSDEM in Brussels. It's a very nice solution to
all our questions about ID management.
</ps>
Alexandre Pujol
2017-02-15 10:49:25 UTC
Hi,
Post by Gambiit
Post by Tad
Hello all,
I got tired of loading up Chrome and Authy on my desktop whenever I
https://github.com/tadfisher/pass-otp
Good job, I wanted to do the same extension, but yours is good
enough. Thanks a lot for it.
Post by Gambiit
Post by Tad
Let me know what you think! I'm certainly willing to make changes and
improvements, so any feedback would be appreciated.
Regarding your code, I think it is important to add a test suite.
Post by Gambiit
- 2FA on the same device is not 2FA.
Well, this is not exactly true. The purpose of 2FA is to have a second
way to authenticate yourself. It can be something you have (a device, as
opposed to something you know, the password), but it is not mandatory.

Therefore, if you have another password repository (or a subfolder) to
store your OTP secrets with another GPG key, it is fine. Moreover, you
can store this repo on a different device.

However, having the 2FA protected with the same GPG key as the password
is indeed not really useful. (Although it would still protect you if the
server DB is stolen and your password revealed.)

In conclusion, it always depends on your attacker model and your own
security policy. Therefore, having a pass extension to support OTP makes
sense. Recommending that users use a different repo (with a different
key) would also make sense.


Alex
Alexandre Pujol
2017-02-15 14:02:25 UTC
For Arch Linux users, I just made a package in the AUR [1] for this
extension. You can install it with:
pacaur -S pass-otp

[1] https://aur.archlinux.org/packages/pass-otp/
HacKan
2017-02-15 23:28:34 UTC
This extension is awesome!

+1 to adding a test suite

Keep it up!
--
HacKan || Iván
GPG: 0x35710D312FDE468B