Project:Infrastructure/Two-factor authentication

This page supplements the documentation of various two-factor authentication (2FA) services and software (e.g. GitHub's), which is usually incomplete and focused on using cell phones. The sections below show how to generate the second factor from a Gentoo console or desktop instead.

OTP algorithms
The following algorithms are frequently used to implement the one-time passwords (OTPs) used as the second factor:
 * HOTP (HMAC-based, RFC 4226): the code is derived from an HMAC over a shared secret and a counter that client and server increment in step.
 * TOTP (time-based, RFC 6238): HOTP with the counter replaced by the number of time steps (30 seconds by default) since the Unix epoch, so both sides only need roughly synchronized clocks rather than a shared counter.
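Both algorithms fit in a few lines of standard-library Python. The following is an added example (not code from this page or from any of the tools it mentions) that implements HOTP and TOTP exactly as the RFCs specify, plus the base32 decoding a site's displayed key needs and a server-side verify with a drift window; the constant-time comparison and the replay caveat are the parts people most often get wrong. The secret used in the test vectors is the RFC 4226/6238 test secret, and the base32 key in the demo at the bottom is a constructed value, not a real account key.

```python
# Added example (not from the Gentoo page): HOTP (RFC 4226) and TOTP
# (RFC 6238) from the standard library only, checked against the test
# vectors in both RFCs.  RFC_TEST_SECRET is the RFCs' test secret, not a
# real key; the base32 key in __main__ is a constructed demo value.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC_TEST_SECRET = b"12345678901234567890"   # shared secret of the RFC 4226/6238 test vectors


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded on the left."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                                              # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # 4 bytes, sign bit dropped
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, period: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // period, digits, algorithm)


def decode_base32_key(key_text: str) -> bytes:
    """Turn the key as sites display it (lowercase, grouped with spaces or
    dashes, usually without '=' padding) into the raw secret bytes."""
    compact = "".join(key_text.split()).replace("-", "").upper()
    padded = compact + "=" * (-len(compact) % 8)
    return base64.b32decode(padded)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None, period: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or up to
    `window` steps either side (clock drift), comparing in constant time.
    A real server must additionally refuse to accept the same code twice."""
    if at is None:
        at = int(time.time())
    return any(
        hmac.compare_digest(totp(secret, at + step * period, period, digits), code)
        for step in range(-window, window + 1)
    )


if __name__ == "__main__":
    key = decode_base32_key("jbsw y3dp ehpk 3pxp")   # constructed demo key, not a real account
    print("current TOTP for the demo key:", totp(key))
    for counter in range(3):
        print("HOTP counter", counter, "->", hotp(RFC_TEST_SECRET, counter))
```

Because the code uses only the standard library, its output for a given key and time can be cross-checked against oathtool or an authenticator app; if they disagree, the usual causes are an unsynchronized clock (verify_totp's window exists for exactly that) or a key that was pasted with a typo or with the wrong case before base32 decoding.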

Gentoo-related sites using OTP

 * GitHub — the Gentoo organization requires 2FA to be enabled. The following 2FA options are supported:
   * TOTP (‘mobile app’)
   * OTP sent via SMS messages (the weakest option: SMS can be intercepted or redirected by SIM swapping, so prefer TOTP or U2F where you can)
   * U2F (FIDO Universal 2nd Factor): a hardware security key that answers a challenge with a per-site key pair, so there is no shared secret to copy and the response is bound to the site origin, which makes it resistant to phishing in a way OTP codes are not
 * blogs.gentoo.org — our WordPress installation supports optional 2FA via:
   * TOTP (‘Google Authenticator’)

Android applications

 * Recommended: FreeOTP (Red Hat)
 * Official Google app: Google Authenticator

Console TOTP via oathtool
(courtesy of Ulrich Müller)

oath-toolkit (sys-auth/oath-toolkit) provides command line tools, including oathtool, to handle HOTP/TOTP.

Enable ‘mobile app’ authentication, display the key as a text string (there's a link near the QR code) and store it securely: the key is the TOTP seed, and anyone who reads it can generate valid codes, so keep it in a file readable only by you (or in an encrypted store) and avoid passing it on a command line that ends up in your shell history.

At any point, to get the current TOTP token, run oathtool in TOTP mode with the base32 option and the stored key (the key GitHub displays is base32-encoded, not hex):

Console TOTP via pass-otp/gopass
(courtesy of Robin H. Johnson)

pass-otp is an extension for pass (the standard Unix password manager) that adds 2FA/OTP support. The same functionality is also available in gopass, from some overlays. It uses your local GPG key to store passwords and other secrets (such as 2FA keys) encrypted on disk.

Enable ‘mobile app’ authentication and display the key as a text string (there's a link near the QR code).

Adding the entry with pass-otp gives you an editor prompt, in which you save the secret in the otpauth:// URL format (an otpauth://totp/... URL that carries the base32 key as its secret parameter; pass keeps the whole URL GPG-encrypted, so the key never sits on disk in the clear).

At any point, to get the current TOTP token, ask pass-otp (or gopass) for the code of that entry:

It will display the token along with the remaining time and a countdown bar before it rotates again.
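The step that goes wrong most often is turning the key text a site displays (lowercase, grouped in blocks of four, no padding) into a correct otpauth:// URL, and later trusting a URL someone else exported. The following is an added example (not code from this page, from pass-otp or from gopass) that builds the URL from the displayed key, validating that it really is base32, and parses a URL back into its fields, rejecting unknown OTP types or a missing secret. The account name, the issuer and the key are constructed demo values.

```python
# Added example (not from the Gentoo page, pass-otp or gopass): build the
# otpauth:// URL that pass-otp and gopass store from the key text a site
# displays, and parse one back.  Account, issuer and key in __main__ are
# constructed demo values, not a real account.
import base64
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit


def normalize_base32_key(key_text: str) -> str:
    """Strip the spaces/dashes sites add for readability, upper-case the key
    and confirm it is valid base32; returns the compact key without padding."""
    compact = "".join(key_text.split()).replace("-", "").upper()
    base64.b32decode(compact + "=" * (-len(compact) % 8))  # raises ValueError if not base32
    return compact


def is_valid_base32_key(key_text: str) -> bool:
    try:
        normalize_base32_key(key_text)
        return True
    except ValueError:          # binascii.Error is a ValueError subclass
        return False


def build_otpauth_uri(key_text: str, account: str, issuer: str,
                      digits: int = 6, period: int = 30, algorithm: str = "SHA1") -> str:
    """otpauth://totp/<issuer>:<account>?secret=...&issuer=...  The issuer is
    carried both in the label and as a parameter, which is what most apps expect."""
    secret = normalize_base32_key(key_text)
    label = quote(f"{issuer}:{account}", safe="@:")
    params = {"secret": secret, "issuer": issuer, "algorithm": algorithm,
              "digits": digits, "period": period}
    return f"otpauth://totp/{label}?{urlencode(params)}"


def parse_otpauth_uri(uri: str) -> dict:
    """Validate and decompose an otpauth:// URL: reject unknown types or a
    missing secret, normalize the secret, and fall back to the issuer in the
    label when the issuer parameter is absent."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth:// URL")
    otp_type = parts.netloc.lower()
    if otp_type not in ("totp", "hotp"):
        raise ValueError(f"unsupported OTP type {otp_type!r}")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in query:
        raise ValueError("otpauth URL has no secret")
    label = unquote(parts.path.lstrip("/"))
    issuer = query.get("issuer")
    account = label
    if ":" in label:
        label_issuer, account = label.split(":", 1)
        issuer = issuer or label_issuer
    entry = {
        "type": otp_type,
        "issuer": issuer,
        "account": account.strip(),
        "secret": normalize_base32_key(query["secret"]),
        "algorithm": query.get("algorithm", "SHA1").upper(),
        "digits": int(query.get("digits", 6)),
    }
    if otp_type == "totp":
        entry["period"] = int(query.get("period", 30))
    else:
        if "counter" not in query:
            raise ValueError("hotp URL has no counter")   # HOTP entries must carry the counter
        entry["counter"] = int(query["counter"])
    return entry


if __name__ == "__main__":
    uri = build_otpauth_uri("jbsw y3dp ehpk 3pxp", "user@example.org", "GitHub")
    print(uri)                      # this is the line to paste into the pass-otp editor prompt
    print(parse_otpauth_uri(uri))
```

The printed URL is exactly what goes into the editor prompt. Treat it like the key itself: it contains the secret in the clear, so it belongs only in the GPG-encrypted store, never in a ticket, a chat message or an unencrypted backup.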

TOTP via app-admin/keepassxc
KeePassXC supports TOTPs. To add one, create a new entry, then right-click it and choose Time-based one-time password → Set up TOTP... and input the key string (the same text-string key the site displays next to the QR code).

You can then generate TOTPs by choosing Show TOTP (Ctrl+Shift+T) or Copy TOTP (Ctrl+T) from the Time-based one-time password menu.