Project:Infrastructure/Two-factor authentication

From Gentoo Wiki
Warning
This page is a work in progress by mgorny. Treat its contents with caution.

This page mostly aims to supplement other documentation on two-factor authentication software (e.g. GitHub's), which is usually incomplete and focused on using cell phones.

OTP algorithms

The following algorithms are frequently used to implement one-time passwords used as the second factor:

Gentoo-related sites using OTP

  • GitHub — the Gentoo organization requires 2FA to be enabled. The following 2FA options are supported:
    • TOTP (‘mobile app’)
    • OTP sent via SMS messages
    • U2F [TODO: describe what that is]
  • blogs.gentoo.org — our WordPress installation supports optional
    • TOTP (‘Google Authenticator’)

TOTP software

Android applications

Console TOTP via oathtool

(courtesy of Ulrich Müller)

sys-auth/oath-toolkit provides command line tools to handle HOTP/TOTP.

Enable ‘mobile app’ authentication, display the key as a text string (there's a link near the QR code) and store it securely.

At any point, to get the current TOTP token:

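user $ oathtool -b --totp <key>

A key given as a command-line argument is visible in the process list while oathtool runs and may be saved in shell history.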


Console TOTP via pass-otp/gopass

(courtesy of Robin H. Johnson)

app-admin/pass-otp is an addon for app-admin/pass that adds 2FA/OTP support. The same functionality is also available in app-admin/gopass from some overlays. It uses your local GPG key to securely store passwords and other secrets (like 2FA keys).

Enable ‘mobile app’ authentication and display the key as a text string (there's a link near the QR code).

user $ pass edit GitHub
user $ gopass edit GitHub

This opens an editor, in which you can save the secret in the otpauth:// URL format.

otpauth://totp/github.com:<accountname>?issuer=GitHub&secret=<key>

At any point, to get the current TOTP token:

user $ gopass totp GitHub
112780 lasts 14s 	|----------------==============|
user $ pass otp code GitHub
112780

It will display the token along with the remaining time and countdown bar before it rotates again.
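To show what is stored in the otpauth:// URL and how a token is derived from it, the following added example (not code from this wiki page or from pass-otp, gopass or oathtool) parses such a URL and computes the TOTP per RFC 6238 with HMAC-SHA1. The sample URL is constructed and uses the RFC 6238 test key; the function names and the defaults of 6 digits and a 30-second period are assumptions of this example.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the key is the RFC 6238 test secret, not a real account.
SAMPLE_URI = ("otpauth://totp/example.org:alice"
              "?issuer=Example&secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

def parse_otpauth(uri):
    """Return (label, base32 secret, digits, period) from an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("URI carries no secret parameter")
    # Assumed defaults when the URI omits them: 6 digits, 30 second period.
    digits = int(q.get("digits", ["6"])[0])
    period = int(q.get("period", ["30"])[0])
    return unquote(u.path.lstrip("/")), q["secret"][0], digits, period

def totp(secret_b32, now=None, digits=6, period=30):
    """RFC 6238 TOTP using HMAC-SHA1."""
    # Keys are often shown in lower case and in space-separated groups.
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = int(time.time() if now is None else now) // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def seconds_left(now=None, period=30):
    """Seconds until the current token rotates."""
    return period - int(time.time() if now is None else now) % period

if __name__ == "__main__":
    label, secret, digits, period = parse_otpauth(SAMPLE_URI)
    print(label, totp(secret, digits=digits, period=period),
          "lasts %ds" % seconds_left(period=period))
```

Because the token depends only on the shared key and the current time, a wrong system clock yields tokens the server rejects, and anyone who obtains the stored key can generate valid tokens.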

TOTP via app-admin/keepassxc

app-admin/keepassxc supports TOTPs. To add one, create a new entry, then right-click it, choose Time-based one-time password → Set up TOTP... and input the key string.

You can then generate TOTPs by choosing Show TOTP (Ctrl+Shift+T) or Copy TOTP (Ctrl+T) from the Time-based one-time password menu.