2FA - Tools that work if you unfortunately need to use them
All,

Github is forcing 2FA (two factor authentication) beginning Oct 12 for accounts that make contributions to other repositories or otherwise contribute. Why a goofy algorithm from my computer is better than my 2048 byte RSA key doesn't make much sense. (though likely a way to dupe users into providing a mobile phone number that can be monetized)

If you find yourself having to come up with 2FA codes, then there are a few apps that do it without involving your phone.

Commandline:

The "oath-toolkit" package provides the oathtool command line utility to generate the timed one time passwords given the secret key you are assigned from the site:

$ oathtool --totp --base32 KEY

(the options needed depend on the key format)

where KEY is the secret key you were given. If you have a number of sites, you can create a short script to read the key from a file which is fairly convenient. With a little thought you can have the function accept a filename or key.

GUI App:

keepassxc has a totp function and allows assigning the secret key to each entry in your password database. (rather odd interface done through the context menu - Right-click -> TOTP -> Set up TOTP, add your key, then you can open a window to see the timed one time password to use) After you configure it, you can just double-click the little timer icon next to the entry to copy to the clipboard (nice touch, somebody had their thinking cap on...)

Phone:

It kills me, but the google-authenticator is about as well recommended as anything else. You can use it without a google-account. Just add your key and it spits out the timed one time password.

Summary:

Another solution just looking for a problem to solve, but at least there are tools to combat the latest unwanted "feature" of the web.

-- David C. Rankin, J.D.,P.E.
On 29/08/2023 at 08:29, David C. Rankin wrote:
The "oath-toolkit" package provides the oathtool command line utility to generate the timed one time passwords given the secret key you are assigned from the site:
$ oathtool --totp --base32 KEY
Interesting, but what is this "KEY"? For example, when PayPal asks me to give a number sent by mail or SMS, how can I find this "KEY"? Thanks, jdd -- what is usenet? http://www.dodin.org/wiki/pmwiki.php?n=Usenet.Usenet
On 8/29/23 01:36, jdd@dodin.org wrote:
On 29/08/2023 at 08:29, David C. Rankin wrote:
The "oath-toolkit" package provides the oathtool command line utility to generate the timed one time passwords given the secret key you are assigned from the site:
$ oathtool --totp --base32 KEY
Interesting, but what is this "KEY"?
For example, when PayPal asks me to give a number sent by mail or SMS, how can I find this "KEY"?
Thanks, jdd
The sites will have either (or both) an image to scan OR, if you can't scan -- they will give you a KEY which is what the QC image would resolve to. It's just an ASCII, hex or base32 string of characters. That string you get from the QC image, or that the site spits out if you can't scan the image, is the "KEY". -- David C. Rankin, J.D.,P.E.
Hi

On Tuesday 29 August 2023 8:29:30 CEST, David C. Rankin wrote:
Github is forcing 2FA (two factor authentication) beginning Oct 12 for accounts that make contributions to other repositories or otherwise contribute. Why a goofy algorithm from my computer is better than my 2048 byte RSA key doesn't make much sense. (though likely a way to dupe users into providing a mobile phone number that can be monetized)
[...]
keepassxc has a totp function and allows assigning the secret key to each entry in your password database. (rather odd interface done through the context menu - Right-click -> TOTP -> Set up TOTP, add your key, then you can open a window to see the timed one time password to use) After you configure it, you can just double-click the little timer icon next to the entry to copy to the clipboard (nice touch, somebody had their thinking cap on...)
Thank You! It works perfectly! You saved my day!
Another solution just looking for a problem to solve, but at least there are tools to combat the latest unwanted "feature" of the web.
I wonder if I could use login via OpenID (secured by 2FA), or directly YubiKey...? Does anyone know? -- Vojtěch Zeisek https://trapa.cz/ Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux https://www.opensuse.org/
On 29.08.2023 at 09:34, Vojtěch Zeisek writes:
I wonder if I could use login via OpenID (secured by 2FA), or directly YubiKey...? Does anyone know?
Not all websites support U2F (universal second factor) keys like YubiKey, but GitHub does. And for those websites which do not support U2F but use TOTP, you can use the Yubico Authenticator app. It is available both on desktop (yes, even in the openSUSE repo) and for mobile (for example https://f-droid.org/packages/com.yubico.yubioath/). Secrets are stored on the YubiKey.
On Tue, Aug 29, 2023 at 8:34 AM Vojtěch Zeisek <vojtech.zeisek@opensuse.org> wrote:
I wonder if I could use login via OpenID (secured by 2FA), or directly YubiKey...? Does anyone know?
Hi Vojtech, I'm using YubiKey directly on GitHub.com. It used to be for U2F only, but now it also supports it as a PassKey. I'm using openSUSE Leap 15.5 but it has been working, at least with U2F, for previous versions too. Regards, -- Rui Santos Veni, Vidi, Linux
On Tuesday 29 August 2023 10:30:47 CEST you wrote:
On Tue, Aug 29, 2023 at 8:34 AM Vojtěch Zeisek wrote:
I wonder if I could use login via OpenID (secured by 2FA), or directly YubiKey...? Does anyone know?
I'm using YubiKey directly on GitHub.com. It used to be for U2F only, but now it also supports it as a PassKey. I'm using openSUSE Leap 15.5 but it has been working, at least with U2F, for previous versions too.
Thank you Adam and Rui. I didn't find this option and I have a bit older key. I'll try more, but at least the KeePassXC solution works. So it's solved at least for now. :-) -- Vojtěch Zeisek https://trapa.cz/ Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux https://www.opensuse.org/
Tue, 29 Aug 2023 01:29:30 -0500 "David C. Rankin" <drankinatty@suddenlinkmail.com> :
All,
Github is forcing 2FA (two factor authentication) beginning Oct 12 for accounts that make contributions to other repositories or otherwise contribute. Why a goofy algorithm from my computer is better than my 2048 byte RSA key doesn't make much sense. (though likely a way to dupe users into providing a mobile phone number that can be monetized)
If you find yourself having to come up with 2FA codes, then there are a few apps that do it without involving your phone.
Commandline:
The "oath-toolkit" package provides the oathtool command line utility to generate the timed one time passwords given the secret key you are assigned from the site:
$ oathtool --totp --base32 KEY
(the options needed depend on the key format)
where KEY is the secret key you were given. If you have a number of sites, you can create a short script to read the key from a file which is fairly convenient. With a little thought you can have the function accept a filename or key.
GUI App:
keepassxc has a totp function and allows assigning the secret key to each entry in your password database. (rather odd interface done through the context menu - Right-click -> TOTP -> Set up TOTP, add your key, then you can open a window to see the timed one time password to use) After you configure it, you can just double-click the little timer icon next to the entry to copy to the clipboard (nice touch, somebody had their thinking cap on...)
Phone:
It kills me, but the google-authenticator is about as well recommended as anything else. You can use it without a google-account. Just add your key and it spits out the timed one time password.
Summary:
Another solution just looking for a problem to solve, but at least there are tools to combat the latest unwanted "feature" of the web.
-- David C. Rankin, J.D.,P.E.
Thank you for the post! I'm not smart enough yet to own a smart phone but it's comforting to know that I'm not the only one nauseated by nosy vermin intent on extracting a continuous streaming colonoscopy from everyone. -- https://imgur.com/SdrsEbs.png
On 8/29/23 15:59, David C. Rankin wrote:
All,
Github is forcing 2FA (two factor authentication) beginning Oct 12 for accounts that make contributions to other repositories or otherwise contribute. Why a goofy algorithm from my computer is better than my 2048 byte RSA key doesn't make much sense. (though likely a way to dupe users into providing a mobile phone number that can be monetized)
I have had to have 2FA set up with github for some time due to the requirements of some of the projects I'm involved with. When I push code to a repo with git it still just uses my ssh keys; the 2FA is only used when I log in to the web front end and try to perform an action such as deleting a repository.
If you find yourself having to come up with 2FA codes, then there are a few apps that do it without involving your phone.
Commandline:
The "oath-toolkit" package provides the oathtool command line utility to generate the timed one time passwords given the secret key you are assigned from the site:
$ oathtool --totp --base32 KEY
(the options needed depend on the key format)
where KEY is the secret key you were given. If you have a number of sites, you can create a short script to read the key from a file which is fairly convenient. With a little thought you can have the function accept a filename or key.
GUI App:
keepassxc has a totp function and allows assigning the secret key to each entry in your password database. (rather odd interface done through the context menu - Right-click -> TOTP -> Set up TOTP, add your key, then you can open a window to see the timed one time password to use) After you configure it, you can just double-click the little timer icon next to the entry to copy to the clipboard (nice touch, somebody had their thinking cap on...)
Phone:
It kills me, but the google-authenticator is about as well recommended as anything else. You can use it without a google-account. Just add your key and it spits out the timed one time password.
Summary:
Another solution just looking for a problem to solve, but at least there are tools to combat the latest unwanted "feature" of the web.
The paid version of bitwarden also provides a browser extension for doing 2FA which is compatible and can be used in place of the google TOTP system. -- Simon Lees (Simotek) http://simotek.net Emergency Update Team keybase.io/simotek SUSE Linux Adelaide Australia, UTC+10:30 GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
On 8/28/23 23:29, David C. Rankin wrote:
Summary:
Another solution just looking for a problem to solve, but at least there are tools to combat the latest unwanted "feature" of the web.
Thanks for the info, David. But I'd argue that this feature is indeed needed. Supply chain compromises are a huge security threat and 2FA can help to keep us safe. Regards, Lew
On 8/29/23 10:43, Lew Wolfgang wrote:
On 8/28/23 23:29, David C. Rankin wrote:
Summary:
Another solution just looking for a problem to solve, but at least there are tools to combat the latest unwanted "feature" of the web.
Thanks for the info, David. But I'd argue that this feature is indeed needed. Supply chain compromises are a huge security threat and 2FA can help to keep us safe.
Regards, Lew
I see the need, software supply-chain compromise is an Achilles heel. I'm just not sure this TOTP is the cure.

You are given a key or QC/QR image that encodes the key, and an algorithm to generate a different one-time-password every 30 seconds based on the clock and the key. The clock, key and algorithm are invariant. My concern is how long before miscreants garner a way to snatch the key and compromise the entire operation? Processor credential attacks. The oathtool command line has its weakness in a multi-user environment as the command line is susceptible to being grabbed (but if you use a keyfile to hold the key -- it's a little better).

Yes, there is the benefit that the QC/QR code is generated but never stored by the site and the algorithm on their end is sophisticated enough to validate what you send -- but that is exactly what password hashing does to begin with - minus the timed algorithm.

I guess my biggest question is "is the incremental increase in security worth the inconvenience and impact on usability?" Seems like an ssh-agent type forwarding of public/private key auth (as is done for git push, etc..) done along with the normal password login would be better and more convenient.

-- David C. Rankin, J.D.,P.E.
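Added example for this thread, not code from the original posts nor from oath-toolkit, KeePassXC or GitHub: a Python walk-through of what `oathtool --totp --base32 KEY` computes (HMAC over a counter per RFC 4226, with the counter being the number of 30-second steps since the Unix epoch per RFC 6238), and of the verifying side's clock-window check David's reply describes. The key formats follow the base32/hex strings mentioned earlier in the thread. The only inputs are the published RFC 6238 test key (in its base32 and hex forms) and constructed timestamps; no network and no site secret is involved.

```python
"""TOTP by hand: what `oathtool --totp --base32 KEY` does, plus the server-side
validation step.  Added example for the mailing-list thread; not oath-toolkit
code.  Keys and timestamps below are the RFC 4226/6238 test vectors."""
import base64
import binascii
import hashlib
import hmac
import struct
import time
from typing import Optional


def decode_key(key: str, fmt: str = "base32") -> bytes:
    """Turn the string a site hands you (or a QR code resolves to) into bytes.

    Sites usually give base32 (what --base32 expects); some give hex.
    """
    key = key.strip().replace(" ", "")
    if fmt == "base32":
        # Many sites omit the '=' padding; b32decode insists on it.
        key = key.upper() + "=" * (-len(key) % 8)
        return base64.b32decode(key)
    if fmt == "hex":
        return binascii.unhexlify(key)
    raise ValueError(f"unknown key format: {fmt}")


def hotp(secret: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal digits."""
    msg = struct.pack(">Q", counter)              # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digest).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: Optional[int] = None, step: int = 30,
         digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 6238: the counter is just `now // step`, so clock + key + algorithm
    fully determine the code.  Anyone holding the key can produce it."""
    if now is None:
        now = int(time.time())
    return hotp(secret, now // step, digits, digest)


def verify_totp(secret: bytes, candidate: str, now: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """What the site does with the code you type: accept the current period
    or up to `window` periods either side to tolerate clock skew.  The
    comparison is constant-time; the raw secret is never compared or sent."""
    counter = now // step
    for skew in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + skew, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test key "12345678901234567890", base32-encoded (constructed demo input).
    rfc_key = decode_key("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("RFC 6238 T=59, 8 digits:", totp(rfc_key, now=59, digits=8))   # 94287082
    print("same key, 6 digits, now:", totp(rfc_key))
```

Running the module prints the RFC check and a live code for the test key; feeding `decode_key()` a key read from a mode-0600 file rather than passing it as a process argument is the "keyfile" variant the thread mentions, since the secret then never appears in `ps` output. The `verify_totp()` window is why a code still works a few seconds after it rolls over, and also why the secret, not the 6-digit code, is the thing worth protecting: the code is derived, the secret is the credential.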
On 8/29/23 08:29, David C. Rankin wrote:
Phone:
It kills me, but the google-authenticator is about a well recommended as anything else. You can use it without a google-account. Just add your
There is also FreeOTP from RedHat. It even comes with a Backup/Restore functionality these days. https://freeotp.github.io/ - Adam
On 9/4/23 11:12, Adam Majer wrote:
On 8/29/23 08:29, David C. Rankin wrote:
Phone:
It kills me, but the google-authenticator is about a well recommended as anything else. You can use it without a google-account. Just add your
There is also FreeOTP from RedHat. It even comes with a Backup/Restore functionality these days.
- Adam
Thanks Adam, Interesting app, though, I've never been a giant fan of apps written in javascript. Just call me an old [c]urmudgeon. -- David C. Rankin, J.D.,P.E.
participants (9)
- Adam Majer
- Adam Mizerski
- bent fender
- David C. Rankin
- jdd@dodin.org
- Lew Wolfgang
- Rui Santos
- Simon Lees
- Vojtěch Zeisek