Camera and GNOME apps like Cheese and Authenticator status

I would like to be able to use my Librem 5 with Authenticator for two factor authentication.
But Authenticator states: No Camera Found.
I installed Authenticator as flatpak.

Also Cheese, installed with apt, does not detect the camera.

What could be the problem here?

These apps only support simple USB cameras and don’t know how to work with more advanced phone cameras.

There’s a possibility of getting them to work using compatibility layers through libcamera, but that will still take some time to materialize.

4 Likes

The documentation you link to also says

QR code scanner using a camera or from a screenshot

so perhaps there is the possibility of using the existing Camera app to photograph the QR code, and then take the resulting JPEG file and call that a screenshot. (Of course this is just a workaround but it shouldn’t be that often that you are loading in new shared secrets for OTPs.)

Any nice authenticator app on Linux should allow loading of authentication material from the command line i.e. directly supply the otpauth: URL or even more directly supply the shared secret. So maybe ask the author about command line support.

2 Likes

The approach that I like is to use a YubiKey for storing the TOTP codes.
The Yubico Authenticator app works fine on Librem 5, iPhone, Android, and on notebooks using Windows, Linux, and Mac.
So you can scan the QR code on any device (like an old Android lying around) and then use the YubiKey for TOTP on the Librem 5.
This approach also has the advantage to represent a real second factor in the case when you do everything on your phone. Because if you do everything on your phone, then using the phone itself as a second factor makes somehow less sense anymore.

2 Likes

But then potentially the security of the process is only as good as its weakest link i.e. a compromise on the old Android phone could weaken the security on the Librem 5?

In other words, yes, it’s another reasonable workaround but longer term I wouldn’t want the security of my Librem 5 dependent on another device.

1 Like

Correct, if you scan the QR code on a compromised device, the code could potentially get stolen. But at the end of the day, the Librem 5 is also a Linux computer that can get compromised.
The huge difference is that you can have your Android at home and not let it track you all day long everywhere you go and for all activities you do.

1 Like

Thanks for this great tip! I used millipixels to try to take a photo of a QR code of Authenticator of my desktop computer, and then discovered that millipixels has support for scanning QR codes. The first time millipixels (or the kernel) crashed, and I killed millipixels. But I could not reproduce the crash, and now, when I click on the blue lines/string detected by millipixels, it opens Authenticator to add a new account based on the scanned QR code. With this, I dare to ask the service desk at my work to try to add the work 2FA to the Librem 5. This would solve a blocking issue to use only the Librem 5 as a phone. I cannot wait to go back to work next year :slight_smile:

3 Likes

I installed the plasma mobile authenticator app “Keysmith” as flatpak via the PureOS Store.
In “Keysmith” one can directly enter the shared secrets via the GUI. Works fine for me, and perfectly adapts to the L5 screen. The only inconvenience is that one has to start the on-screen-keyboard manually (This flaw seems to apply to all plasma mobile apps).

Even better.

Of course there is “support” and there is “support”. It can support http: and https: URLs without supporting other URLs - but apparently it does support otpauth: URLs, which is excellent - once the crash is fixed.

There are many other types of URL and even QR codes that encode text that does not even conform to the generic syntax of a URL - and some of those are poorly “standardised” - but I expect that, over time, the Librem 5 will be able to handle a wider variety of QR codes.

I would guess that a camera app can only launch the system default handler for a given URL scheme. So if you had more than one authenticator app installed then you might not get to choose which one gets launched - and if you needed to choose then you would either need to apply the workaround that I gave or wait for the work to be done so that random apps can use the camera on the Librem 5 (or the camera app is changed to allow you to configure in more detail what gets launched).

1 Like

It can also copy it into the clipboard, at which point you can do whatever you want with it.

2 Likes