i’ve been told i need to install an “app” like “microsoft authenticator” or “google authenticator” or “authy” and i’ve been given a key that looks like I0JK1LM3NO4PQ5RS6TU7VW8XYZ (i.e., 26 characters that are either digits or capital letters).
what is this key? what standard does it follow?
how do i do whatever these authenticator “apps” do without installing non-open software on hardware i own?
Rather hard to answer that question about blackbox software but, if any standard,
a) probably either HOTP or TOTP (both of which need a shared secret i.e. key, to be configured in the app)
b) some apps need the key as a QR code to be scanned in - don’t know how the listed suggestions work in that regard
c) if the open source app gives a 6 digit number that is accepted as the one-time-password then it’s probably working.
In my experience this really depends on the generating solution.
Microsoft/Google/most others provide a secret that goes into a standardized algorithm to generate one time codes. This is as described by others above.
Some however, OKTA/FortiToken/DuoMobile/and others, default to providing you a secret that cannot be used in this way and must use their own respective app which includes push notifications. Some of their integrations may be able to be configured without push and then work with any OTP application, however some of the solutions will either require push thus locking you to their application, or be configured to not offer anything except their customized solution thus also locking you to their application.
If this is for personal use, it’s likely using rfc6238 and any totp client will suffice. If this is for the company you work for however, you may be locked to the software they provide.
I think the moral and ethical debate regarding the closed source options and companies choosing vendors that lock the client to specific software is better suited for another thread as that conversation will likely bury the technical conversation that has started here.
i tried gnome authenticator. i have no idea how to proceed. apparently i need to have an “account” with one of a list of 100s of providers. this list includes Apple, Amazon, Bugzilla@Mozilla, and zillions of others. the people who gave me the key said i could use the key with any one of google authenticator, microsoft authenticator, authy, and likely other apps. as far as i can tell, this is using TOTP. why do i need an “account” with a “provider” for this?
With TOTP authentication, the process would be something like this:
Install an authentication app like the ones mentioned.
From the online account (bank, Amazon, etc.) where you want to set up 2-factor authentication by TOTP app (as opposed to by SMS), select the authentication app option (whatever the organization is calling it), and see if they give you a QR code to scan with your device. If so, open the authentication app you installed, select “scan QR,” it will launch the camera, and then you point the camera at the QR code. The organization will be added automatically to your authentication app. If you can’t scan a QR code, then inside the app, select “Enter token,” and manually type or paste the token number you were given.
After that, whenever you log in to your account at the organization, they will broadcast generate a short numerical code that changes every 30 seconds or so. Type the code that you see inside the app into the blank on the website, and then you’ve logged in with TOTP 2FA.
It’s not that you need an account with some provider to use the authenticator, but rather you need an account with some provider to have a use for the authenticator (2FA isn’t any use if you’re not logging into anything, yknow?). I don’t use gnome authenticator myself, but on the one I do use, accounts presented like that are really for organizational purposes.
Creating an account (as a name on a list/db) is how the tokens are managed (you may have several, to different sites and services), which is ok and just for your benefit, but some apps also (like microsoft and google) link and automatize the authentication event so, that the online authenticator prompts you to use it when you try to login. So let’s not mix managing a list of info on an offline app with using an online auth app (them mostly we may want to avoid for privacy reasons, although from an organization side may seem like an appealing security choice). It’s that key that you were given that makes offline auth possible as it’s based on algorithmic calculations. As can be seen from app screengrabs and how-tos, there are manual and semi-automatic (QR) ways to create an account and have all the settings in place.
So to clarify the question about account … a given authentication app can hold the shared key for many, many different web sites or other things that need 2FA to login on. Each shared key is therefore named in some way, so that you can keep track of what keys the app is storing and identify the right key for a given login. (This is not dissimilar to the way that the Gnome Keyring app works i.e. a keyring holds a zillion keys and each key therefore has to be given a name.)
If anyone needs help converting between QR code and shared key, it’s not that subtle or complicated, although as with most things some app writers introduce proprietary features that then may not be recognised by other apps.
Definitely not broadcast. I’m using a hardware token for TOTP and I am quite sure that it is not hacking into my WiFi in order to communicate with the internet, either transmit or receive.
Using TOTP, once the web site and the app / token have a shared key, as one-off initial configuration, then every 30 seconds (default, may vary) they can each guarantee to generate matching 6 (default, may vary) digit numbers forever. No communication of any kind is needed.
I’ll provide the link for RFC 6238 in case anyone wants some bedtime reading.
I used GNOME Authenticator for a little while until I realized KeePassXC, which I had been using for a long time, also handles TOTP, so I uninstalled GNOME Authenticator. TOTP stands for Time-based One-Time Password, which is what most 2FA (2-Factor Authentication) systems use. KeePassXC is free software, of course, and in the PureOS repository.
thanks for all the advice. here’s my final status on this:
it turns out what i need is software that parses a 128-bit number written in the base-32 format of rfc 4648 and uses that together with the number of 30-second intervals since the beginning of 1970 in UTC time zone as the input to the TOTP algorithm of rfc 6238 truncating the output to 6 decimal digits.
i got things working using oathtool (in debian package of same name), which does exactly what’s needed if you run “oathtool --totp --base32 SECRETKEY” but i’m thinking of trying keepassxc for more secure storage of the secret.
i ended up giving up on gnome-authenticator. i could not figure out how to proceed through the account setup stage without making a nonsensical choice of a “provider”. if software forces me to make nonsense decisions i view that as a sign to stay away.
further update: for more secure storage of the secret, i am now using gnome-keyring. but this is poor compared to the greater difficulty that i could cause for an attacker by having some kind of agent that would hand out one-time passwords (valid only for the very near future) instead of the configuration i have now where gnome-keyring-daemon gives out the secret itself as long as i am logged in to any process running with my user privileges or better. does anyone know of anything that automates this in software? a daemon which will compute OTPs from a secret and lock the secret in memory that can’t be swapped out? without running qubes, as in my experience i am not qubes-compatible.
of course, the fully correct solution is for this agent to be embedded in a hardware token which has some resistance to extraction of secrets. i do not currently want to go to this level.
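The pieces described in the final status above (decode an RFC 4648 base32 key, count 30-second steps since the start of 1970 UTC, feed that to RFC 6238 TOTP, truncate to 6 digits) and the QR-code-to-shared-key conversion mentioned earlier, as one runnable Python example. This is added illustration, not code from this thread, from oathtool or from KeePassXC. The `otpauth://totp/...` URI layout is the de facto format that enrolment QR codes encode, not part of the RFCs; the `Example`/`alice@example.com` entry and the function names are assumptions of the example, and the test key is the one from RFC 6238 appendix B. The verifier-side `verify_totp` goes a little beyond the thread by showing the drift window a server typically allows.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # RFC 4648 section 6


def decode_base32_secret(key: str) -> bytes:
    """Decode a shared secret shown as RFC 4648 base32 (the form enrolment pages hand out).

    Keys are usually displayed without '=' padding, sometimes grouped with spaces or
    in lowercase; those are normalised.  Anything outside A-Z / 2-7 (so 0, 1, 8 and 9
    included) is rejected rather than guessed at.
    """
    cleaned = key.replace(" ", "").replace("-", "").upper()
    if not cleaned or any(c not in BASE32_ALPHABET for c in cleaned):
        raise ValueError("key contains characters outside the RFC 4648 base32 alphabet")
    cleaned += "=" * (-len(cleaned) % 8)  # restore the padding the display dropped
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float = None, period: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `period`-second steps since the Unix epoch (UTC)."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // period, digits, algorithm)


def seconds_remaining(unix_time: float = None, period: int = 30) -> int:
    """How long the code for the current step stays current (what a token's countdown shows)."""
    if unix_time is None:
        unix_time = time.time()
    return period - int(unix_time) % period


def verify_totp(secret: bytes, code: str, unix_time: float = None, period: int = 30,
                digits: int = 6, algorithm: str = "sha1", window: int = 1) -> bool:
    """Verifier side: accept the code for the current step and `window` steps either side
    (clock drift between token and server), comparing in constant time.  A real server
    must additionally refuse to accept the same code twice (RFC 6238 section 5.2)."""
    if unix_time is None:
        unix_time = time.time()
    step = int(unix_time) // period
    matched = False
    for candidate in range(step - window, step + window + 1):
        matched |= hmac.compare_digest(hotp(secret, candidate, digits, algorithm), code)
    return matched


def parse_otpauth_uri(uri: str) -> dict:
    """Parse the otpauth://totp/... text that an enrolment QR code encodes.

    This 'Key Uri Format' is a de facto convention (Google Authenticator's), not part of
    RFC 4226/6238; only the common parameters are handled here (assumption of this example).
    """
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI carries no secret parameter")
    issuer_from_label, _, account = unquote(parts.path.lstrip("/")).rpartition(":")
    return {
        "issuer": params.get("issuer", issuer_from_label),
        "account": account,
        "secret": decode_base32_secret(params["secret"]),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


# RFC 6238 appendix B test key (ASCII "12345678901234567890") in base32, and a
# constructed enrolment URI built around it for the demo.
RFC6238_KEY_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com?secret=" + RFC6238_KEY_B32
              + "&issuer=Example&digits=6&period=30")


if __name__ == "__main__":
    entry = parse_otpauth_uri(SAMPLE_URI)
    # Both sides derive the same code from the secret and the clock alone; nothing is transmitted.
    print(entry["issuer"], entry["account"],
          totp(entry["secret"], period=entry["period"], digits=entry["digits"],
               algorithm=entry["algorithm"]),
          "valid for", seconds_remaining(period=entry["period"]), "s")
```

`totp(decode_base32_secret(KEY))` with the defaults is the same computation as `oathtool --totp --base32 KEY`; with the RFC 6238 test key at Unix time 59 it gives 287082 (94287082 with 8 digits), matching the RFC's table. The secret still has to live somewhere while the code is computed, which is exactly the storage question raised above; this example only shows the arithmetic.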
You may be able to improve things by having multiple keyrings. So you unlock the keyring that contains only the secret for the OTP, get the secret, then lock the keyring.
At least then the secret won’t be available immediately to anyone who can compromise your user login.
Depends on your programming skills?
If you are using TOTP then by default the one-time passwords are valid only for a maximum of the following 30 seconds (or such other interval as is agreed up front between the generator and the verifier). I don’t know whether you are looking for something more than that.
I have a hardware OTP token for internet banking and it even gives a visual indication on the screen of where the countdown towards the current OTP becoming invalid has reached.
Maybe I am asking a stupid question, but doesn’t it kill the idea of second factor authentication if you store both the TOTP secrets and your account passwords on the same device or even worse in the same program?
Maybe a separate hardware solution like a TOTP capable Yubikey or something like that would be better?
But let’s say your government makes 2FA mandatory and the 2FA app only runs on iOS and Android then it can be a good choice to be able to continue to use the web site at all.
The whole idea of the 2FA app assumes that people don’t use the smartphone itself to access the web site, which is somewhat outdated.
Once you get it working you can of course move the open source 2FA app to any device e.g. have two phones, one for the web site and one for the 2FA app. So there’s some benefit in that. You still need to spend the time getting the open source 2FA app working.
I use Yubico Authenticator app which looks beautiful and works with or without a yubico hardware key.
The only disadvantage is it’s QT based. The native Gnome gtk authenticator app for some reasons didn’t work with all private security codes, for example it balked at Protonmail i believe it was, while yubico handled all i threw at it so far.
Yubico and all QT apps should really be portable or ported to gnome gtk.