On 06/08/2024 23:37, to...@tuxteam.de wrote:
> On Tue, Aug 06, 2024 at 11:07:14PM +0700, Max Nikulin wrote:
>> On 06/08/2024 11:37, to...@tuxteam.de wrote:
>>> TOTP is a standard (rfc6238 [1]) so it actually /should/ give the same
>>> numbers regardless of the application.

>> It is mostly true; however, authenticator applications may use
>> vendor-specific protocols that rely on a network connection instead of
>> displaying a TimeOTP code to confirm login. The worst case is when TOTP is
>> disabled for a specific service and alternative applications cannot be used.

> I just today set up one more: it /was/ TOTP, after all.

You are lucky. I faced a configuration where TOTP was available (although the option was not apparent) for the Office 365 web login, but the VPN allowed just some Microsoft Authenticator proprietary protocol and SMS, not TOTP. It took some time to make Thunderbird get mail from the Exchange server; generation of application-specific passwords was broken.

> The instructions, of course, didn't say so, but talked a lot about scanning
> the QR code with your smartphone (there is the TOTP key beneath this ready
> for c&p, but no mention of it).

A QR code with a URL containing the TOTP secret is the de-facto standard way to copy the secret to a phone. An option to copy the secret as clear text may be available as well.

> That's what I call nudging.

Educating people is quite expensive. If a company stores its mail on Microsoft servers anyway, then it has no reason not to trust Microsoft Authenticator. A brief instruction helps to avoid malware published as 2FA applications on user devices.

Developing an application for TOTP requires enough care. It should resist tracing/debugging, secrets should not appear in swappable memory and should be properly wiped from RAM after usage. A hardware vault may help to protect secrets from unauthorized copying. Should backup be available? So it is not such a simple app under the hood. (The thread started from: "I simply need to run a simple 2FA TOTP authenticator".)

https://lists.debian.org/msgid-search/zrbudbr0nuozn...@tuxteam.de
On 05/08/2024 11:26, to...@tuxteam.de wrote:
> On Sun, Aug 04, 2024 at 09:19:33PM +0200, Detlef Vollmann wrote:
>> gpg --decrypt --quiet key.asc | oathtool -b --totp -
> [...]
> The xclip part just saves me the clickery.

Ideally the clipboard should be avoided, so as not to expose codes to sniffers. Some kind of input method might be better. The X11 XTest extension allows sending key events to applications (see xdotool and xvkbd), but it is considered an insecure feature per se and may be disabled.
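The point made earlier in the thread, that TOTP is a standard and every conforming application (oathtool, a phone app, a self-written script) must produce the same numbers from the same secret, can be checked directly. The following is an added example, not code from this thread or from oathtool: it implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library only, parses the otpauth:// URI that an enrollment QR code carries (the base32 secret is the same form `oathtool -b` takes), and shows a server-side verification with a small clock-skew window. The RFC 6238 test vectors (ASCII secret "12345678901234567890", SHA-1, 8 digits) are the ones published in the RFC's Appendix B; the issuer, account name and URI are constructed for this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time=None, step: int = 30, digits: int = 6,
         algorithm: str = "sha1", t0: int = 0) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals
    since the Unix epoch. This is all a TOTP authenticator computes."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, (at_time - t0) // step, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Parse the otpauth://totp/... URI encoded in an enrollment QR code.
    The `secret` parameter is base32, normally without '=' padding."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = params["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)  # restore the padding base64.b32decode requires
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30, digits: int = 6,
                algorithm: str = "sha1", window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and up to `window`
    steps either side to tolerate clock skew, comparing in constant time.
    A production verifier must also remember the last accepted step so that a
    code captured in transit cannot be reused within the window."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, at_time + drift * step, step, digits, algorithm)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# RFC 6238 Appendix B reference secret and expected SHA-1 / 8-digit codes.
RFC6238_SECRET = b"12345678901234567890"
RFC6238_VECTORS = {59: "94287082", 1111111109: "07081804", 1111111111: "14050471",
                   1234567890: "89005924", 2000000000: "69279037", 20000000000: "65353130"}

# Constructed enrollment URI (hypothetical issuer and account); the secret is the
# RFC reference secret in base32, so oathtool -b --totp would agree with it.
SAMPLE_URI = ("otpauth://totp/Example%20Corp:alice%40example.org"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Corp&digits=6&period=30")


def check_rfc_vectors() -> bool:
    """True if this implementation reproduces every RFC 6238 test vector."""
    return all(totp(RFC6238_SECRET, t, digits=8) == code for t, code in RFC6238_VECTORS.items())


if __name__ == "__main__":
    print("RFC 6238 vectors:", "ok" if check_rfc_vectors() else "MISMATCH")
    cfg = parse_otpauth(SAMPLE_URI)
    now = int(time.time())
    code = totp(cfg["secret"], now, cfg["period"], cfg["digits"], cfg["algorithm"])
    print(cfg["label"], code, "accepted 20s later:", verify_totp(cfg["secret"], code, now + 20))
```

Running the script with the same secret that `oathtool -b --totp` is given produces the same six digits, which is the interoperability the RFC guarantees; the only sources of disagreement are clock skew (handled on the server side by the window) and non-default `digits`, `period` or `algorithm` parameters in the enrollment URI.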
