Jump to content
Heikki H.

Allow manually inputting 2FA/MFA TOTP secret/key

Recommended Posts

Version Passwordstate 8.4 (Build 8411) added support for generating TOTP tokens withing PasswordState, feature is called  'One-Time Password Authenticator'. The setup is shown in this video Passwordstate - Whats New in Build 8411? starting around 1:41.

Discussed the missing manual setup issue with PasswordState support and they won't fix this if others won't need it too. So I ask you to vote for this feature.

 

Since PasswordState is a web app and in most cases I don't this it has access to device camera to scan a qr-code (specially if your desktop doesn't have one). So users would/might end up saving the issuer generated qr-code in a image file locally and uploading that image to PasswordState. That file might not get securely deleted afterwards, which it should since it has the shared secret in it. In worst scenario user leaves the qr-code in his/her Downloads directory.

 

There should be manual way of adding the TOTP token shared secret/key to PasswordState, one can get this from the most token issuers, quickly checked that 

  • Facebook shows key as default
  • Google asks “can’t scan it?” and gives out the shared secret.
  • Twtter also has “can’t scan code”.
  • AWS shows “Show secret key for manual configuration”.
  • Microsoft also provides “or enter code manually” as default option.
  • Dropbox also has the option to show the code.

 

Sure all of them default to qr-code, since it’s user friendly for personal use. But if using a password manager, best to use manual method and store the secret/key within password manager so you can migrate to another TOTP token generator easily. Most of those authenticator apps won’t let you restore/show the secret after adding a service, some do but most won't. It's fine if the authenticator and the shared secrets are in backup scope, like Github said in their blog post.

 

The manual setup method would be much user friendly in PasswordState, specially for a shared password list. And lets not forget the backup/restore/migration need, I might wan't to change my authenticator app. If the shared secret/key would be stored in a password manager, migration is easy.

 

When entering the secret manually, we would need to be able to enter also the time perioid (default 30s) and number of digits in token (default 6). Optionally token hash algorithm might be needed (default SHA-1). Since token issuers usually document which format are they using, PasswordState could have predefined list of Issuers where to derive the settings from (by quick googling found this project which has list of common Issuers) and have option to set them yourself.

 

 

 

 

 

Share this post


Link to post
Share on other sites

Forgot to mention that if one now has the shared secrets/keys in some password manager like Keepass and would like to share them to team and migrate the TOTP generator to PasswordState, it would require him/her to use some gr-generator to generate a image, upload that to PasswordState before being able to generate tokens from PasswordState. If the feature would have been done to support manually enterin secret/key, migrating to PasswordState would be just copy&paste. Way more secure and easier.

Share this post


Link to post
Share on other sites

+1


While I'm thrilled that PasswordState finally features TOTP generation internally, I've previously trained my clients to manually enter the keys. I feel that @sqhharsunen has made some valid concerns regarding QR codes potentially being saved/left behind on a machine, and as they've already pointed out for me to migrate a client from an existing solution to PasswordState would be much simpler if I could just copy and paste in the key manually, rather than having to deal with a QR Code.

 

Hopefully others feel the same.

Share this post


Link to post
Share on other sites

×
×
  • Create New...