Re: OAUTH TOTP

2024-05-03 Thread Patrick Welche
Thank you for all your suggestions - I managed to log in!

Cheers,

Patrick


Re: OAUTH TOTP

2024-04-30 Thread Lucifer
bro are these legitimate keys?

On Mon, Apr 29, 2024, 6:14 PM Martin Neitzel <neit...@hackett.marshlabs.gaertner.de> wrote:

> PW> Apparently I need to "purchase an inexpensive OATH TOTP compatible
> PW> token device."
>
> Here's another "thumbs-up" for the pkg "oath-toolkit".
>
> I drive its oathtool(1) with a simple, rwx-- shell wrapper which
> collects my personal seed secrets and tells me both the current and
> upcoming TOTP, syncing on the HH:MM:{00,30} switch-overs.
>
> (With an intentional off-by-one, cannot remember why I preferred
> it that way, though.  The sample seeds below are not the real thing
> -- no worries.)
>
> Oh:  exit the loop with Ctrl-C.
>
> Martin Neitzel
>
>
> #!/bin/sh
>
> case "$1" in
>     -h*|-hzi)       secret=LDCKNdVBUJUWMCDBCDOKQSDLC ;;
>     -g*|-github)    secret=KMSXBBSPVOFBWCKX ;;
>     -m*|-microsoft) secret=sxok3dck8skxn9sx ;;
>     -o*|-oci)       secret="SLODCNCDJNCDJBDCJBDCJBSXNI" ;;
>     -*) echo "$1: no such option" 1>&2 ; exit 1 ;;
>     ?*) secret=$1 ;;
>     "") echo "usage: $0 [ -h | -m | -g | -o | <secret> ]"
>         exit 1
>         ;;
> esac
>
> trap "exit 0" INT
>
> while true; do
>     t=`date +%S`
>     date +"%T,  current & next token (changes on seconds :00 and :30):"
>     # -b: the seed is base32; -w1: print the current code and the following one
>     oathtool --totp -w1 -b $secret
>     # gotcha!  $t may come as 08 or 09 which would be illegal octal
>     # numbers -- so we need to nuke a leading "0":
>     sleep $(( 1 + 30 - (${t#0} % 30) ))
> done
>


Re: OAUTH TOTP

2024-04-30 Thread Staffan Thomen

On 4/29/24 21:09, Greg Troxel wrote:
> Benny Siegert  writes:
>
>> The cheapest way to have TOTP is to install Google Authenticator on
>> your phone.
>
> Be careful when you choose a TOTP program that you are able to back up
> the seeds yourself, and that the program does not send the seeds to the
> cloud not adequately protected in the name of cross-device syncing.
> Last I heard Google Authenticator was not ok, but maybe that has changed
> and it is now impossible to sync without e2e encryption inaccessible to
> google.


It used to be that google authenticator didn't automatically back up 
your secrets, so you had to be very careful to copy them over when you 
got a new phone and if your old phone was unusable you were hosed.


This has since been fixed, and it will back them up to the google cloud 
like any other app's private data.


I will leave any tinfoiling about backing up secrets to the cloud unsaid.

AndOTP is an open-source alternative, and I will second a vote for 
KeePassXC in general.


Staffan




Re: OAUTH TOTP

2024-04-30 Thread Lucifer
totp must not be implemented yet...

On Mon, Apr 29, 2024 at 2:10 PM Greg Troxel  wrote:

> Benny Siegert  writes:
>
> > The cheapest way to have TOTP is to install Google Authenticator on
> > your phone.
>
> Be careful when you choose a TOTP program that you are able to back up
> the seeds yourself, and that the program does not send the seeds to the
> cloud not adequately protected in the name of cross-device syncing.
> Last I heard Google Authenticator was not ok, but maybe that has changed
> and it is now impossible to sync without e2e encryption inaccessible to
> google.
>
> > Hopefully, you can use proper Security Keys too (WebAuthn and
> > whatnot), in which case I highly recommend a Yubikey.
>
> I also recommend yubikeys.
>


-- 
renegade6969...@gmail.com
https://www.facebook.com/profile.php?id=61556020800880
https://twitter.com/Rose29283220654


Re: OAUTH TOTP

2024-04-29 Thread Martin Neitzel
PW> Apparently I need to "purchase an inexpensive OATH TOTP compatible
PW> token device."

Here's another "thumbs-up" for the pkg "oath-toolkit".

I drive its oathtool(1) with a simple, rwx-- shell wrapper which
collects my personal seed secrets and tells me both the current and
upcoming TOTP, syncing on the HH:MM:{00,30} switch-overs.

(With an intentional off-by-one, cannot remember why I preferred
it that way, though.  The sample seeds below are not the real thing
-- no worries.)

Oh:  exit the loop with Ctrl-C.

Martin Neitzel


#!/bin/sh

case "$1" in
    -h*|-hzi)       secret=LDCKNdVBUJUWMCDBCDOKQSDLC ;;
    -g*|-github)    secret=KMSXBBSPVOFBWCKX ;;
    -m*|-microsoft) secret=sxok3dck8skxn9sx ;;
    -o*|-oci)       secret="SLODCNCDJNCDJBDCJBDCJBSXNI" ;;
    -*) echo "$1: no such option" 1>&2 ; exit 1 ;;
    ?*) secret=$1 ;;
    "") echo "usage: $0 [ -h | -m | -g | -o | <secret> ]"
        exit 1
        ;;
esac

trap "exit 0" INT

while true; do
    t=`date +%S`
    date +"%T,  current & next token (changes on seconds :00 and :30):"
    # -b: the seed is base32; -w1: print the current code and the following one
    oathtool --totp -w1 -b $secret
    # gotcha!  $t may come as 08 or 09 which would be illegal octal
    # numbers -- so we need to nuke a leading "0":
    sleep $(( 1 + 30 - (${t#0} % 30) ))
done


Re: OAUTH TOTP

2024-04-29 Thread Greg Troxel
Staffan Thomen  writes:

> It used to be that google authenticator didn't automatically back up
> your secrets, so you had to be very careful to copy them over when you
> got a new phone and if your old phone was unusable you were hosed.

> This has since been fixed, and it will back them up to the google
> cloud like any other app's private data.

As long as it's e2e so google can't read it, that's ok.


> I will leave any tinfoiling about backing up secrets to the cloud unsaid.

I think you're joking, but it's not fair to call it tinfoiling.  Putting
TOTP seeds in the cloud where the cloud provider can read them is like a
password manager with cloud storage that does not encrypt the passwords.
Except 2fa is supposed to be better than passwords.  So that's just not
a reasonable thing to do.  Arguably, a password manager should also be
encrypting the URLs, not just the passwords, as the set of places at
which you have accounts is also sensitive.  I suspect there's a problem
with that too.

> AndOTP is an opensource alternative, and I will second a vote for
> KeePassXC in general.

Yes, there are other open source TOTP apps, and yes you need to pay
attention to backups.

Also, my understanding is that bitwarden will store seeds and do TOTP, I
think if you have a paid cloud account or if you are selfhosting
(vaultwarden) -- but I haven't tried it yet.


Re: OAUTH TOTP

2024-04-29 Thread Greg Troxel
Benny Siegert  writes:

> The cheapest way to have TOTP is to install Google Authenticator on
> your phone.

Be careful when you choose a TOTP program that you are able to back up
the seeds yourself, and that the program does not send the seeds to the
cloud not adequately protected in the name of cross-device syncing.
Last I heard Google Authenticator was not ok, but maybe that has changed
and it is now impossible to sync without e2e encryption inaccessible to
google.

> Hopefully, you can use proper Security Keys too (WebAuthn and
> whatnot), in which case I highly recommend a Yubikey.

I also recommend yubikeys.


Re: OAUTH TOTP

2024-04-29 Thread Rhialto
On Mon 29 Apr 2024 at 18:04:23 +0100, Patrick Welche wrote:
> Apparently I need to "purchase an inexpensive OATH TOTP compatible
> token device."

Pkgsrc has as options at least security/keepassxc (big but secure (at
least it pretends to be)) and security/2fa (small but totally
insecure) (but in go, so add overhead of go compiler if you didn't have
it installed yet).

-Olaf.
-- 
___ Olaf 'Rhialto' Seibert
\X/ There is no AI. There is just someone else's work.   --I. Rose




Re: OAUTH TOTP

2024-04-29 Thread atomicules
On 29 April 2024 18:04:23 BST, Patrick Welche  wrote:
>Apparently I need to "purchase an inexpensive OATH TOTP compatible
>token device."
>
>$ wtf oath
>wtf: I don't know what `oath' means!
>$ wtf totp
>TOTP: time-based one time password
>
>Any suggestions on something that works on NetBSD/amd64?
>
>
>Cheers,
>
>Patrick

I've used oath-toolkit before when I needed a CLI-based tool. That's in pkgsrc.

Re: OAUTH TOTP

2024-04-29 Thread Benny Siegert

On 29.04.24 at 19:04, Patrick Welche wrote:
> Apparently I need to "purchase an inexpensive OATH TOTP compatible
> token device."
>
> $ wtf oath
> wtf: I don't know what `oath' means!

That's because it's OAuth, not oath :)
https://datatracker.ietf.org/doc/html/rfc6749

> $ wtf totp
> TOTP: time-based one time password

The cheapest way to have TOTP is to install Google Authenticator on your
phone.

Hopefully, you can use proper Security Keys too (WebAuthn and whatnot),
in which case I highly recommend a Yubikey.


--
Benny



Re: OAUTH TOTP

2024-04-29 Thread Martin Husemann
On Mon, Apr 29, 2024 at 06:04:23PM +0100, Patrick Welche wrote:
> Apparently I need to "purchase an inexpensive OATH TOTP compatible
> token device."
> 
> $ wtf oath
> wtf: I don't know what `oath' means!
> $ wtf totp
> TOTP: time-based one time password
> 
> Any suggestions on something that works on NetBSD/amd64?

There is simple python code available that does it, if you only have one
site that needs it and can guarantee security for your local scripts
you can do something very simple like:

--8<--
#!/usr/bin/env python3.10

import os, sys

# Local copy of pyotp; an installed pyotp module would do just as well.
sys.path.insert(0, os.path.join(os.path.dirname(__file__),
'../TOTP/pyotp-2.6.0/src'))
import pyotp  # noqa

# Paste the base32 seed the site shows when you register the "device".
print(pyotp.TOTP('YOUR_SECRET_CODE_HERE').now())
-->8--

(importing the local pyotp lib is a historic artifact, I should clean it up)

When "registering" the device with your web site you will be shown a QR
code typically, or often can get one after selecting "something else, not
Google or MS authenticator", sometimes with the cleartext code shown
that you add in above script instead of YOUR_SECRET_CODE_HERE.

If only a QR code is shown, point your mobile camera at it and copy the
URL, it contains the code and you can manually extract it.

All of TOTP is a mangling of the current time + the pre shared secret.

I think there are several more "password manager" like python
applications in pkgsrc, but for me the simple single-target python
script was most convenient for now (I avoid TOTP where possible, preferring
WebAuthn with a yubikey whenever supported).

Martin


OAUTH TOTP

2024-04-29 Thread Patrick Welche
Apparently I need to "purchase an inexpensive OATH TOTP compatible
token device."

$ wtf oath
wtf: I don't know what `oath' means!
$ wtf totp
TOTP: time-based one time password

Any suggestions on something that works on NetBSD/amd64?


Cheers,

Patrick