Librem 5 2FA Authenticator App

Will the Librem 5 ship with a 2FA authy app like Google Authenticator? Alternatively, are there any other Purism supported solutions for 2FA on websites/services that only support OTP and not FIDO U2F?

1 Like

It’s not in the core set of apps. There is an app called Authenticator that is designed for use on the phone. It is being developed by a developer in the GNOME community.

A list of apps under development by various people can be found on the List of Apps in Development wiki page.

6 Likes

Is there a command-line way of doing what a 2FA authenticator app does?

There are various command-line TOTP tools (note: I have not used any so cannot vouch for them):

2 Likes

Regarding the command-line tool pass-otp: it stores the OTP secret GPG-encrypted.
So it can be used with the smartcard reader of the Librem 5.

1 Like

@vmedea @Cc281080 That’s great! Assuming one of those command-line tools works, one approach could be to simply stick with that and make a simple GUI for it in a similar way as the flashlight app that was shown here: https://puri.sm/posts/easy-librem-5-app-development-flashlight/

For normal usage when you just want to get a code to login, all it needs to do is to show the generated code. So that’s a very simple GUI, that should be enough for basic usage. Then you just need to do something at the command-line once to set it up, after that you can use the “app” each time you want to get a new OTP code to login.

1 Like

I already started with such a GUI:
https://forums.puri.sm/t/compact-gui-for-pass/
But I haven’t used it a lot yet.

Double-clicking on an entry copies the password or OTP code into the clipboard for a few seconds.
You can also add new passwords directly in the GUI. Just use slashes to put them in folders.

You need to set up GPG and pass first in the shell.

I started to use it with pass-tomb. But currently I need to start it from the shell to be able to enter the sudo password. (Something which needs to be fixed)

1 Like

Scanning a QR-code with the camera does not work in Authenticator on my Librem 5? Has someone been able to get the camera working in Authenticator?

A workaround may be to take a photo of the QR code, then use zbarimg in order to convert the QR code into a “URL” (scheme otpauth:, which encodes the shared secret and some other non-critical information), and finally use a command line interface to store the shared secret for use by the app. That is of course seriously clunky but it’s a one-off process.

After that, the existing app may then be able to produce your TOTP codes.

TOTP is less than 20 lines of code, providing that your environment gives you HMAC SHA1 as a built-in.
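The workaround and the "less than 20 lines" remark above, as an added Python example that is not part of the original posts: it parses one line of zbarimg output into TOTP parameters and computes the RFC 6238 code. The sample line is constructed (it uses the published RFC 6238 test key, and the issuer and account are made up), and the function names are this example's own.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample: one line as zbarimg prints it, using the RFC 6238 test key.
SAMPLE_ZBARIMG_LINE = ("QR-Code:otpauth://totp/Example:alice%40example.org"
                       "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")

def parse_otpauth(line):
    """Turn a zbarimg output line (or a bare otpauth: URI) into TOTP parameters."""
    uri = line.strip()
    if uri.startswith("QR-Code:"):      # zbarimg prefixes the symbol type
        uri = uri[len("QR-Code:"):]
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("URI carries no secret")
    algorithm = q.get("algorithm", "SHA1").upper()
    if algorithm not in ("SHA1", "SHA256", "SHA512"):
        raise ValueError("unsupported algorithm")
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"],          # the shared secret: never log or post it
        "algorithm": algorithm,
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }

def totp(params, now):
    """RFC 6238 code for Unix time `now` (HOTP over the time-step counter)."""
    s = params["secret"].replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))   # restore stripped padding
    counter = struct.pack(">Q", int(now) // params["period"])
    digest = getattr(hashlib, params["algorithm"].lower())
    mac = hmac.new(key, counter, digest).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** params["digits"]).zfill(params["digits"])

if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_ZBARIMG_LINE)
    # Print the label and current code only; the secret stays out of the output.
    print(p["label"], totp(p, time.time()))
```

Two authenticators holding the same secret produce the same code for any timestamp inside the same period, so clock differences of a few seconds only matter near a period boundary.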

Thanks. The issue is that I want to ask someone from my work service desk to try if Authenticator works. I think that this process would be too much work for them, and take away the confidence in my non-standard authenticator. Standard we are asked to install OneSpan, and I would like to test if Authenticator also works. I now have to carry my Android phone with me for authentication with OneSpan. Therefore, fixing this is kind of high priority for my use of the Librem 5 as primary phone.

Ah, OK. In that case you need someone to answer who actually knows how the camera works and how the Authenticator app works.

Or you could try to automate the clunky process. I think at one stage I was using the Camera postprocess script to look for new images and see whether they are QR codes, so that the mere act of photographing a QR code results in the processing of the QR code (subject to personal security requirements). See also: QR code scanning via megapixels

Edit: Or eventually the Camera app may recognise QR codes automatically and then “all” you need to do is hook in the right processing for an otpauth: QR code if indeed the Camera app doesn’t do the right thing automatically.

1 Like

Is there any way that you can view the TOTP “secret” that you already have stored in your OneSpan app? If so, then, in your own time, you could copy that secret into Authenticator. Then, to see whether Authenticator is working properly, compare the OTPs generated by OneSpan with those generated by Authenticator. If the secret is the same, then the same code should be generated by both apps at any given point in time (though the exact timing might vary by some seconds).

Or, I suppose you could instead generate a “dummy” secret just to perform this test to see that both apps work the same.

1 Like

Even if that is not practical, if it can still be configured from the original QR code then you can extract the secret from the QR code.

To be on the safe side: You should never post either the QR code or the conversion of the QR code into a URL - since it really does directly reveal the secret, and having possession of the secret, as it is used in TOTP, an attacker can perpetually compromise the 2FA.

1 Like

I have started using KeePass XC and Gnome Password Manager to manage my 2FA needs. Maybe something for you to look into.

I just started using the pass command line version. I already had it configured using my laptop and android and had to only clone the git repo. It is a bit clunky (qtpass seems to not support the otp plugin).

I use keepassxc as a password manager on the librem5 even though it does not fit on the screen properly since I use it all the time on the desktop it’s enough to extract the current needed password and still talks to firefox with keepassxc-browser plugin… I have never seen it do much for 2FA, and I always used authy even on my librem13 but the arm64 arch is not supported for authy, and I also have yet to find a viable alternative for that function on the librem 5

Here are some more 2FA apps: https://linuxphoneapps.org/categories/multi-factor-authentication/

1 Like

Yesterday I tried the Yubico Authenticator App and it seems to me to be a very good solution for TOTP 2FA on Librem 5.
You save the TOTP codes in a YubiKey (mine can save up to 28 accounts and comes with USB-C so that I can plug it directly to the Librem 5), so that the accounts are actually not on the Librem 5, but on the key.
And you can store the accounts to the YubiKey not only from the Librem 5, but also from another phone (like Android for example) or from your PC. So if you have a problem to scan the QR code with the Librem 5, you can scan it with an Android smartphone if you have one and then use it on the Librem 5. This eliminates any concerns regarding how to process the QR code.

The Yubico Authenticator App is in the PureOS repositories on Librem 5:
sudo apt install yubioath-desktop

The app is a little bit blurry on Librem 5, but totally usable.

2 Likes