Project:Infrastructure/Two-factor authentication
This page mainly aims to supplement existing documentation on two-factor authentication software (e.g. on GitHub), which is usually incomplete and focused on using cell phones.
OTP algorithms
The following algorithms are frequently used to implement one-time passwords used as the second factor:
- GitHub — the Gentoo organization requires 2FA to be enabled. The following 2FA options are supported:
  - TOTP (‘mobile app’)
  - OTP sent via SMS messages
  - U2F [TODO: describe what that is]
- blogs.gentoo.org — our WordPress installation supports optional
  - TOTP (‘Google Authenticator’)
TOTP software
Android applications
- Recommended: FreeOTP (Red Hat)
- Official Google app: Google Authenticator
Console TOTP via oathtool
(courtesy of Ulrich Müller)
sys-auth/oath-toolkit provides command line tools to handle HOTP/TOTP.
Enable ‘mobile app’ authentication, display the key as a text string (there's a link near the QR code) and store it securely.
At any point, to get the current TOTP token:
user $ oathtool -b --totp <key>
Console TOTP via pass-otp/gopass
(courtesy of Robin H. Johnson)
app-admin/pass-otp is an addon for app-admin/pass that adds 2FA/OTP support. The same functionality is also available in app-admin/gopass from some overlays. It uses your local GPG key to securely store passwords and other secrets (like 2FA keys).
Enable ‘mobile app’ authentication and display the key as a text string (there's a link near the QR code).
user $ pass edit GitHub
user $ gopass edit GitHub
This will give you an editor prompt, wherein you can save the secret in the otpauth:// URL format.
otpauth://totp/github.com:<accountname>?issuer=GitHub&secret=<key>
At any point, to get the current TOTP token:
user $ gopass totp GitHub
112780 lasts 14s |----------------==============|
user $ pass otp code GitHub
112780
gopass displays the token along with the remaining time and a countdown bar before it rotates again; pass otp code prints only the token.
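What the console tools above compute from the stored key, as an added example (not code from oath-toolkit, pass-otp or gopass): it parses an otpauth:// entry and derives the RFC 6238 token using only the Python standard library. The function names and the sample URI are assumptions made for illustration; the secret is the public RFC 6238 test key, not a real account key.

```python
import base64, hmac, struct, time
from urllib.parse import urlparse, parse_qs

# Constructed sample entry in the otpauth:// format shown above. The secret is the
# RFC 6238 test key ("12345678901234567890" in base32), not a real account key.
SAMPLE_URI = ("otpauth://totp/github.com:example-user"
              "?issuer=GitHub&secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

def parse_otpauth(uri):
    """Return (key_bytes, digits, period, hash_name) from an otpauth://totp URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("URI carries no secret parameter")
    b32 = q["secret"][0].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)   # keys are usually shown without base32 padding
    key = base64.b32decode(b32)
    digits = int(q.get("digits", ["6"])[0])        # defaults when the URI omits them
    period = int(q.get("period", ["30"])[0])
    algo = q.get("algorithm", ["SHA1"])[0].lower()
    return key, digits, period, algo

def totp(key, now, digits=6, period=30, algo="sha1"):
    """RFC 6238: HOTP (RFC 4226) over the number of elapsed time steps."""
    counter = struct.pack(">Q", int(now) // period)
    mac = hmac.new(key, counter, algo).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def seconds_left(now, period=30):
    """Seconds until the current token rotates."""
    return period - int(now) % period

if __name__ == "__main__":
    key, digits, period, algo = parse_otpauth(SAMPLE_URI)
    now = time.time()
    print(totp(key, now, digits, period, algo), f"lasts {seconds_left(now, period)}s")
```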
TOTP via app-admin/keepassxc
app-admin/keepassxc supports TOTPs. To add one, create a new entry, then right-click it, choose Time-based one-time password → Set up TOTP... and input the key string.
You can then generate TOTPs by choosing Show TOTP (Ctrl+Shift+T) or Copy TOTP (Ctrl+T) from the Time-based one-time password menu.