Random Geekage

One Time Pass

My current password manager of choice is pass. Runs in the terminal, uses my GPG smart card, does what it needs to and gets out of the way.

Now, for increased security, it is recommended to use multi-factor authentication to help prevent account takeovers. Usually this takes the form of something you know (passphrase) and something you have (software on a smartphone or a widget of some sort)1.

I have never been a massive fan of needing a separate device to do authentication with. Fortunately, I came across a solution in the form of pass-extension-otp which augments pass to provide one time passcode functionality.

To set up the account in your password store, you simply run pass otp insert <account name> and then paste in a string of the form

otpauth://totp/service:user@example.com?secret=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&issuer=service

twice. You will likely have to select the manual mode of getting the string instead of using the QR code to set up an app, though you can use a QR code reader and get the full string that way.

Running pass otp -c <account name> will generate a one time code and copy it to your clipboard, from which you can paste into whatever service you are accessing on your computer.

This also means your otp authentication codes are kept off of your smartphone (and by extension, associated cloud services) and can be backed up in a manner of your choosing.

Notes

1. There is also something you are, which can take the form of a fingerprint, but those are easy to duplicate and hard to revoke and replace. Retina scans, while not being easy to duplicate, can't be revoked (barring extreme measures).

© . Powered by Pelican.
Creative Commons Licence This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.