64 comments

[ 4.1 ms ] story [ 136 ms ] thread
For desktop I personally use:

https://github.com/arachsys/totp

It is a very simple application that can be reviewed quickly. I use it from a separate local account that does nothing else to make it at least a bit more second factor-y than a different application in the same account as the browser. You could use the scrypt utility on the data and "scrypt dec data.enc | ./totp" to get the TOTP.

For command-line use, there is oathtool, which is part of the OATH Toolkit by Simon Josefsson.

https://oath-toolkit.nongnu.org

Yes, this is what pass-otp uses under the hood.
Hi tadfisher! I sent you an email about pass-otp last month, wondering whether you got it or not.
My minimal, open-source implementations in a couple of languages: https://www.nayuki.io/page/time-based-one-time-password-tool...

The shortest one I have is a 6-line Python function using only the standard library.

I noticed that all the major tech companies support TOTP 2FA - e.g. Google, Amazon, Uber, Dropbox, etc. At the same time, I am very annoyed that seemingly none of the Canadian banks or CRA support it. They either use SMS/PSTN or a proprietary mobile-only application (no desktop version). Is the industry standard not good enough for ya?

(comment deleted)
Meanwhile a bunch of crappy apps like $BANK1 use Symantec's implementation which is just TOTP with extra steps (there's a Python script out there that masquerades like a macOS device to get you the raw TOTP code) and $BANK2 & $BANK3 only allow TOTP inside their application (security through obscurity). Icing the cake, most that prompt for a third-party option say something like “Scan the code with Google™ Authenicator™” instead of using a generic term. Why is it so _hard_ for folks to support generic TOTP?
Fortunately you can undo these steps for $BANK1 and use your TOTP authenticator of choice: https://github.com/dlenski/python-vipaccess

e: I think you added a reference to this as I was writing my comment :)

I did sneak that in after the post, but thanks for the link to those that didn't know about it.
Ask HN: If TOTPs are generated from desktop applications, can they still be called Two Factor Authentication?
I'm going off the assumption that you mean storing your password and TOTP secret in the same app.

Personally, I think storing your password and TOTP secret is worthwhile, but it ultimately depends on your threat model.

If your threat model is someone walking up to your unlocked desktop and unlocked password manager, then it's not very effective. That being said, I believe a determined enough attacker will always win -- just be more annoying to pwn than others and you will sift out the majority of attackers, imo.

But, if your threat model is that a website you use suffers a data breach and your username/password hashes are stolen, you have an extra line of defense with that second factor. This pretty much happens or will happen to everyone with online accounts at some point.

So my long-winded answer is that I do still consider it two factor auth, and I do think it's worthwhile -- but all effective security should be layered with extra defenses when possible.

EDIT: fixed some grammar, added some extra context.

It's also worth noting that the "physical attacker" scenario is outside of most people's threat models, even if they think that it isn't: most people leave their physical second factors plugged into their devices or on their desks, and interposing between a user's computer and their keyboard doesn't require any technical ability (only the ability to plug and unplug a USB).

The risk with same-device (or same-manager TOTP) isn't necessarily in a physical adversary (who's going to win anyways), but in a digital adversary who can run code (or read files) on one device but not several. That's one of the main reasons users are encouraged to use physical factors or, lacking that, an on-device factor that requires some kind of OS-mediated privileged interaction.

> I'm going off the assumption that you mean storing your password and TOTP secret in the same app.

Yes, correct.

> So my long-winded answer is that I do still consider it two factor auth.

Ok, thanks for sharing your thoughts.

Yes: to a first approximation, a second factor is something you are (or have), while a first factor is something you know. A second factor doesn't need to be unique, although uniqueness has separate benefits (especially when the unique factor is hard to clone or access physically).

TOTP isn't an ideal second factor, for most of the reasons above (combined with poor adherence to the standard, meaning that only the most basic subset of features tend to work). But is is still a second factor, unless you can do HMACs in your head :-)

> Yes: to a first approximation, a second factor is something you are (or have), while a first factor is something you know.

But the typical totp-in-password-manager setup is missing the other factor, there is nothing you know in such setup.

In that case, the thing you know would be the password to the password manager.

But yes, I agree. I keep my TOTP on my phone (I use Aegis) and my password manager on my desktop computer.

> But is is still a second factor, unless you can do HMACs in your head

Ok. Thanks for sharing your thoughts.

I think yes.

While PCI DSS 4.0 says nothing specific about TOTP, it on page 171 also has this phrase about certificates:

"A digital certificate is a valid option for “something you have” if it is unique for a particular user".

So it is not an unreasonable analogy to claim that the TOTP seed stored in a desktop application is also "something that you have", as not having it prevents you e.g. from logging in from your friend's laptop.

> PCI DSS 4.0 has this phrase...

Oh, ok. This is very convincing. Thanks for sharing.

Of course they can, and are, specially if you have two separate apps under two different passwords, one for the passwords vault, other for the TOTP.
> if you have two separate apps under two different passwords

If you have two different passwords, aren't they still only one factor (knowledge)?

> specially if you have...

You mean to say in case the password and the TOTP seed are stored in the same password manager, then it is no longer 2FA?

Yup. I use oath for everything with one exception.

Screw "Duo," the company running my workplace that won't let me have my generating token without hackery.

I avoid them like a plague. They are in some of our B2B systems and it's using their proprietary push rather than TOTP. I don't know what Duo has done to fool these Saas/B2B providers into integrating with them.

Of course people who don't know better don't even understand the complaint and say "It's just an app on your phone".

I was going to add something on Duo before seeing that. If you have to use OTP with it, rather than FIDO, which I guess costs more, as my site doesn't support it, the hacks are fairly straightforward. On an Android phone, register a "tablet" (at least in the interface I see) using https://f-droid.org/en/packages/net.scintill.duotp/ and then use Aegis with the secret. (Why do people persist on suggesting Google Authenticator?) On a desktop, see https://github.com/simonseo/nyuad-spammer/tree/master/spamme... with an appropriate value of "start.nyu.edu". I use the secret with pass otp. Note that this is HOTP, not TOTP, so if you use the same secret on multiple devices, you need to synchronize the counter somehow, perhaps with a git hook under pass. (There are more baroque hacks to get the secret that I started with before finding those solutions.)

If you do want something like Duo for an organization, possibly self-hosted, and free-software-friendly, then https://www.privacyidea.org/ looks like a good option, but i have no experience with it.

Nice, I'll have to try this. I was under the impression that it had to be done with something rooted and I just never got around to it.
If you want to stay in the command line there is an excellent cli you can use https://github.com/yitsushi/totp-cli.

It’s an excellent tool that has great encryption and handles multiple accounts and can paste into your clipboard with `totp account.name|pbcopy` and asks for a password on stderr. Pretty cool stuff.

https://freeotp.github.io/ is yet another TOTP provider by Red Hat. It's the only app that I've used so far. Available from F-Droid plus the usual places. There's also a fork FreeOTP+ by some people who have different ideas about the security model and enabling backup of keys.
FreeOTP supports backups itself these days.

Backups can go to local or cloud storage.

Backups are encrypted with a passphrase that you enter when you set the app up, so the cloud storage providers can't grab your keys.

Going digital detox but still want that sweet 2FA? My J2ME vintage feature phone HOTP/TOTP app has you covered. https://github.com/baumschubser/hotpants
This is awesome. Especially for businesses that need to share a 2FA device between members for occasional uses. This is our case and the good old Iphone 7 we use for that is always battery empty when we need it !
Thank you for sharing, this will come in handy at my workplace.
What if something happens to the phone?
You backed up the key.
That is good to hear. I was under the impression that with TOTP you could only initialise once.
It can depend on the vendors implementation, but usually they will provide the key in some readable form for the purposes of backup. If they don't, but do use QR codes, screen grabbing the QR code may work for the purpose.

It is possible however that a vendor can choose to obfuscate the key in an app or through some other method. Technically it's in there somewhere, but may be hard to extract. In the case of this phone however the only way in is to have a key.

For many services you can onboard more than one device. I have one old laptop staying at home that just does that, being used as secondary 2fa device.

It won't help me much if I lose my phone while abroad on holidays but if I am close to home this is no big deal. Most services still allows you to use email or sms as other 2FA anyway.

You can save QR code as a file and initialize as many devices with it as you want.

And by devices I mean proper smart cards personally, not old phones, but whatever floats your boat.

This https://developers.yubico.com/ykneo-oath/Releases installed on a java card (cheaper than a yubikey) is perfectly usable with Yubico Authenticator on a modern smartphone over contactless interface.

This is something that's really similar to what I want.

Ideally I would like a standalone device to display TOTP codes, but the only devices I've found only have a support for a single code.

I guess a feature phone with a custom app is the next best thing.

Related: I have EU bank accounts and each bank wants me to use some app as a second factor (it's not TOTP). The apps are large, I don't trust them, and I don't have access to e.g. Play store (of course, no bank serves the app on F-Droid) because I use google-free LineageOs on my phone.

Is there any way to use a single FOSS app instead of the crap each bank is serving me?

Both desktop and phone apps would be ok.

I use Microsoft Authenticator personally on iOS and Windows.

BitWarden is a good Open Spurce option, it’s cross platform but the TOPT stuff is available only with a paid plan.

Microsoft Authenticator is the app that would literally refuse to work unless you first consented to data sharing and telemetrics. No fucking go. Thankfully, F-Droid has a useful alternative (Android only, of course):

https://github.com/beemdevelopment/Aegis

Pro tip: install a VPN firewall (such as NetGuard on Android). Now watch MS Authenticators do tons of network connections to various Microsoft services and analytics servers every 5 seconds or so.

Probably same with Googles app.

The issue with TOTP here is it can only provide a 6-digit code, whereas an app can show for example "Do you want to authorise $6.21 at McDonalds?" before sending a transaction through. Grudgingly, I will accept that for most of the customer base this is probably the correct solution.

If there is a move in this area, I predict it will come from something like EU regulations on interoperability (we already have rules on Open Banking to some extent) - something to bear in mind next time the EU's approach to regulation is criticised as "anti-tech".

> If there is a move in this area, I predict it will come from something like EU regulations on interoperability (we already have rules on Open Banking to some extent) - something to bear in mind next time the EU's approach to regulation is criticised as "anti-tech".

This would actually be really cool! Over here in the Baltics most banks expect you to use SmartID, which admittedly is fine and has some source up on GitHub, even some nice documentation: https://github.com/SK-EID/smart-id-documentation

But more implementations and support for less vendor lock-in is nice, except that in the case of confirming bank authentication/transactions, there's probably a rather serious matter of trust and security at play (made harder by all of the complexity that you have to deal with). That said, if there was a large community effort, I'm sure that the end result would still be good for creating something like that.

My bank (in NL) provides a separate device for authorization. It has a camera to scan a colour-coded QR code, then lets you see the total amount you're authorizing on its screen, and gives you a TOTP code to confirm the transaction.

Having a separate device may not be what you're looking for, but for me it beats installing a closed-source app on my phone.

Just a note that Bitwarden can store and display TOTP - But with the default service a paid account is required (it can be enabled if you run your own vaultwarden afaik - or if you are on any paid plans).

TIL that you can manually edit the otp URI - so I'm guessing it's possible to use it for Blizzard Battle.net too?

https://bitwarden.com/help/authenticator-keys/#support-for-m...

https://discussion.enpass.io/index.php?/topic/14284-totp-for...

(From the last one - relevant URI):

> blizzard otpath string in this format: otpauth://totp/BattleNet:Battlenet?secret=<SECRET GOES HERE>&issuer=BattleNet&digits=8&serial=<SERIAL GOES HERE>