Will the Librem 5 ship with a 2FA authy app like Google Authenticator? Alternatively, are there any other Purism supported solutions for 2FA on websites/services that only support OTP and not FIDO U2F?
It’s not in the core set of apps. There is an app called Authenticator that is designed for use on the phone. It is being developed by a developer in the GNOME community.
A list of apps under development by various people can be found on the List of Apps in Development wiki page.
Is there a command-line way of doing what a 2FA authenticator app does?
There are various command-line TOTP tools (note: I have not used any so cannot vouch for them):
Regarding the command-line tool pass-otp: it stores the OTP secret GPG-encrypted.
So it can be used with the smartcard reader of the Librem 5.
@vmedea @Cc281080 That’s great! Assuming one of those command-line tools work, one approach could be to simply stick with that and make a simple GUI for it in a similar way as the flashlight app that was shown here: https://puri.sm/posts/easy-librem-5-app-development-flashlight/
For normal usage when you just want to get a code to login, all it needs to do is to show the generated code. So that’s a very simple GUI, that should be enough for basic usage. Then you just need to do something at the command-line once to set it up, after that you can use the “app” each time you want to get a new OTP code to login.
I already started with such a GUI:
But I haven’t used it a lot yet.
Double clicking in an entry copies the password / or OTP Code into the clipboard for a few seconds.
You can also add new passwords directly in the GUI. Just use slashes to put them in folders.
You need to set up GPG and pass first in the shell.
I started to use it with pass-tomb. But currently I need to start it from the shell to be able to enter the sudo password. (Something which needs to be fixed)
Scanning a QR-code with the camera does not work in Authenticator on my Librem 5? Has someone been able to get the camera working in Authenticator?
A workaround may be to take a photo of the QR code, then use zbarimg in order to convert the QR code into a “URL” (scheme otpauth:, which encodes the shared secret and some other non-critical information), and finally use a command line interface to store the shared secret for use by the app. That is of course seriously clunky but it’s a one-off process.
After that, the existing app may then be able to produce your TOTP codes.
TOTP is less than 20 lines of code, providing that your environment gives you HMAC SHA1 as a built-in.
Thanks. The issue is that I want to ask someone from my work service desk to try if Authenticator works. I think that this process would be too much work for them, and take away the confidence in my non-standard authenticator. As standard we are asked to install OneSpan, and I would like to test if Authenticator also works. I now have to carry my Android phone with me for authentication with OneSpan. Therefore, fixing this is kind of high priority for my use of the Librem 5 as primary phone.
Ah, OK. In that case you need someone to answer who actually knows how the camera works and how the Authenticator app works.
Or you could try to automate the clunky process. I think at one stage I was using the Camera postprocess script to look for new images and see whether they are QR codes, so that the mere act of photographing a QR code results in the processing of the QR code (subject to personal security requirements). See also: QR code scanning via megapixels
Edit: Or eventually the Camera app may recognise QR codes automatically and then “all” you need to do is hook in the right processing for an otpauth: QR code if indeed the Camera app doesn’t do the right thing automatically.
Is there any way that you can view the TOTP “secret” that you already have stored in your OneSpan app? If so, then, in your own time, you could copy that secret into Authenticator. Then, to see whether Authenticator is working properly, compare the OTPs generated by OneSpan with those generated by Authenticator. If the secret is the same, then the same code should be generated by both apps at any given point in time (though the exact timing might vary by some seconds).
Or, I suppose you could instead generate a “dummy” secret just to perform this test to see that both apps work the same.
Even if that is not practical, if it can still be configured from the original QR code then you can extract the secret from the QR code.
To be on the safe side: You should never post either the QR code or the conversion of the QR code into a URL - since it really does directly reveal the secret, and having possession of the secret, as it is used in TOTP, an attacker can perpetually compromise the 2FA.
I have started using KeePassXC and Gnome Password Manager to manage my 2FA needs. Maybe something for you to look into.
I just started using the pass command line version. I already had it configured using my laptop and android and had to only clone the git repo. It is a bit clunky (qtpass seems to not support the otp plugin).