💾 Archived View for separateconcerns.com › 2020-04-03-2fa-pass-oathtool.gmi captured on 2023-12-28 at 15:22:24. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-09-28)
-=-=-=-=-=-=-
published 2020-04-03
If you're like me, you don't want to depend on your phone to log into a website, and you wish your favorite password manager [1] would support 2FA. Well, it can.
When asked to setup 2FA on a website, get a text code. If the website doesn't give you that option, just use zbar [2]. For instance, with the QR code from the GitHub documentation [3]:
$ zbarimg totp-click-enter-code.png QR-Code:otpauth://totp/GitHub:LyaLya?secret=qmli3dwqm53vl7fy&issuer=GitHub scanned 1 barcode symbols from 1 images in 0.03 seconds
Once you get the secret, put the command line to generate a code using oathtool [4] in `2fa/github` in `pass` like this:
oathtool --totp --base32 qmli3dwqm53vl7fy
Finally, add this to your `.bashrc` (or the equivalent for whatever shell you use):
2fa () { eval $(pass 2fa/$1) ; }
You can now get your 2FA codes like this:
$ 2fa github 795864
All the tools used in that article are available [5] as [6] packages [7] in the Arch Linux repositories.
1: https://www.passwordstore.org
2: http://zbar.sourceforge.net
3: https://help.github.com/en/github/authenticating-to-github/configuring-two-factor-authentication
4: https://www.nongnu.org/oath-toolkit/oathtool.1.html
5: https://archlinux.org/packages/extra/any/pass/
6: https://archlinux.org/packages/extra/x86_64/oath-toolkit/
7: https://www.archlinux.org/packages/extra/x86_64/zbar/
It was a post on Lobsters [8] that prompted me to post this. Someone from the comments [9] and a former colleague on Twitter [10] told me about a pass extension [11] I didn't know about which does almost the same thing.
Also, some people think that putting 2FA codes in a password manager defeats the purpose. But in practice TOTP 2FA does not really add much more to the security of my accounts than the strong random passwords I generate with pass. The "second factor" part isn't really the true benefit.
One actual advantage is that nobody on the network can sniff all of my credentials (like digest-based password verification methods). Another, and I think this is the main one, is that the owner of the website has chosen part of the credentials and hence ensured some degree of strength. What I do preserves both of those properties, so I'm fine with it. By the way, note that password managers like 1Password do the same thing [12].
The one thing I could do to really improve the security of the whole thing is use 2FA to access pass by storing my GPG key in a Yubikey. I probably will, someday.
8: https://lobste.rs/s/abmkdz/2fa_2_factor_authentication_terminal_app
9: https://lobste.rs/s/abmkdz/2fa_2_factor_authentication_terminal_app#c_c0y9io
10: https://twitter.com/gawenr/status/1245973593453932544