TOTP authentication with free software [LWN.net]

By Jonathan Corbet
April 14, 2023

One-time passwords (OTPs) are increasingly used as a defense against
phishing and other password-stealing attacks, usually as a part of a
two-factor authentication process. Perhaps the most commonly
used technique is sending a numeric code to a phone via SMS, but SMS OTPs
have security problems of their own. An alternative is to use time-based
one-time passwords
(TOTPs). The typical TOTP situation is to have all
of the data locked into a proprietary phone app, but it need not be that
way.

The TOTP approach is simple enough; it begins with a secret shared between
the client and server sides. The algorithm used to generate an OTP begins
by looking at the current time, usually quantized to a 30-second
interval. That time is combined with the secret, hashed, and used to
generate a six-digit code that is used as the password. Both the client
and server sides will generate a code at authentication time; if the client
can present the same code that the server calculates, then authentication
succeeds. The code can only be used once and, in any case, is only valid
for a short period.

TOTP can thus be used to prove possession of the shared secret at a
specific point in time. It is convenient because it requires no special
hardware; anything with a CPU and an accurate clock can generate a TOTP.
On the client side, one program can be used to manage TOTPs for any number
of sites. Users tend to default to proprietary phone apps like Google
Authenticator, but there are some clear downsides to doing so. Among
those are the unwise nature of trusting proprietary code with identity
information and the pain that comes with losing the device running the app.
In the free-software world, there should be a better way.

TOTP apps

A quick look on F-Droid turns up a
number of free TOTP apps. Your editor gave two of them a try.

Editor's note: unfortunately, there are no screenshots of
these apps, for the simple reason that they both (reasonably)
set the Android flag that prevents screenshotting, and even the scrcpy tool cannot
overcome that anymore. Rather than inflict ugly photos on
readers, we'll refer you to the web pages for the apps, which do
have screenshots.

The first of those is Aegis, a
fairly complete app for TOTP authentication. At the outset, Aegis wants to
configure authentication — to the app itself. TOTP secrets are stored
encrypted and are not accessible without providing a password to the app
every time it starts. Aegis can also use the fingerprint sensor for
authentication, which speeds the process considerably, but it will
annoyingly ask for the password anyway sometimes ("so you don't forget
it"), usually when the user is in a hurry to log in somewhere and get
something done.

TOTP secrets are arbitrary base32 strings and, thus, not much fun to type
on a handset keyboard. Fortunately, most sites implementing TOTP have the
ability to generate a QR code with the secret, and Aegis can use the camera
to read them. As a result, adding new sites is easily done.

By default, Aegis will show a screen with all known sites, displaying the
current OTP for each. Tapping on a given site will copy the code for
pasting into a form somewhere else. It is possible to assign sites to
groups, providing a single level of organization that can be helpful when
the number of sites gets large. There are also facilities for searching
for sites, but if that is required just to obtain an access code the
usability battle has already been lost.

Aegis has a number of features for importing and exporting its data. The
import screen is a wonder to behold, with support for numerous
other apps. There are a few formats available for export, including an
Aegis-specific JSON format and plain text. The export file will be
encrypted unless the user taps past a couple of warnings about how
dangerous that can be — and another warning that an unencrypted export has
been made persists on the main screen.

Another popular TOTP app is FreeOTP+, which is a
fork of the FreeOTP app originally
released (under the Apache2 license) by Red Hat. Superficially, FreeOTP+
is similar to Aegis, in that it presents a screen full of known accounts.
It does not actually show the code for any given account until it has
been tapped on, though. This app seemingly does not encrypt its
secrets data; it can be configured to require authentication at startup
before providing any codes, but does not do so by default.

Like Aegis, FreeOTP+ can read TOTP secrets from a QR code, easing the
process of setting up new sites.
The import and export options for FreeOTP+ are more limited than those
supported by Aegis, but they will suffice to get data into or out of the
app. There is no support for organizing accounts into groups. In the end,
FreeOTP+ comes across as being less well developed than Aegis but, in
truth, it is more than good enough to get this simple job done.

TOTP on the desktop

Authenticator apps are convenient, but some of us still use real computers
and occasionally want to access sites that way. Your editor, unlike his
offspring, does not have a phone surgically implanted, so logging into a
site can lead to a scramble to figure out where the damn phone is so that
the code can be produced. It sure would be nice to be able to generate the
code directly on the system that is used to access a site.

The pass password manager has
a number of nice features, including its command-line orientation, use of
GnuPG, and use of Git to store password information. It turns out that
there is also an
extension called pass-otp
that can be used to generate TOTP codes for
a site. Once the extension is installed, using it is just a matter of
adding an otpauth://totp/ line to the file for the site in
question; this line is most easily obtained from a plain-text export from
one of the above-mentioned apps.

The new line can be anywhere in the file, so it can coexist with the
existing (reusable) password that must be the first line. The
pass otp command will generate the code at any given time,
probably requiring the entry of the user's GnuPG key passphrase to do it;
there is an option to copy it to the clipboard for easy pasting into a web
form. One thing pass otp lacks is an indication of how long
the generated code will be valid.

[KeePassXC]

Pass provides everything that many of us need, but for people who are more
graphically inclined, KeePassXC can
also manage TOTPs. Enabling TOTP for a site is a matter of going into the
edit screen, hitting "Advanced", then entering the otpauth://totp/
line in the provided place. After that, the application will show a little
clock face that, when clicked on, will calculate and show the code. The
application's documentation
recommends storing TOTP data in a separate database from the one containing
passwords, "possibly even on a different computer". Your editor
would guess that this advice is not often followed.

Summary

Given the number of options available, there is almost no reason to use a
proprietary TOTP app if one does not want to. Using free software for this
purpose makes TOTP authentication available on more systems and allows the
user to keep the sensitive identity information under their own control.
The ease of backing up data from these applications and importing it into
others means that the loss of a phone need not cause the loss of access
to important accounts on the net. This is one area where free-software
users are well provided for.
