Comment by al_borland
2 days ago
> I'm sure phones are just as stimulating for some.
This is one of my big objections do 2FA. My work has been pushing it hard, and from a security perspective, I get it. However, it’s all via an Authenticator app on the phone. We can no longer set down our phones and simply work. To start working, and periodically throughout the day, we are now forced to pickup our phones to authenticate. This invites the chance to see other notifications, check and app quickly, or more generally, break flow as we have to switch to another device and back again.
All of this seems like a suboptimal solution.
You should try a CLI-based workflow for 2FA. As long as you can exfiltrate the secret (and you often can by pretending you can't scan QR codes), then you can use oathtool to generate passcodes.
1. use 'pass' to save the secret: 'pass edit work.secret' <enter it and quit>
2. use oathtool to generate 2fa given a secret:
' #!/bin/bash
oathtool -b --totp "`pass show $1.secret`" >&1 '
use it like '2fa work'
If you have 'xsel' you can even do
'oathtool -b --totp "`pass show $1.secret`" | xsel -ib'
to copy it to clipboard automatically.
Even if you only have the QR code, you can download the image or screenshot it and then extract the secret without ever having to use a smartphone by using zbarimg and then manually extracting the secret from the URI:
Output:
If you have some 2FA that you need to enter 10 times per day, then you can also add a global shortcut to automatically paste it. Of course, this undermines the "second device" security. Some PC password managers also support 2FA, e.g. https://github.com/paolostivanin/OTPClient ( sudo apt install otpclient )
I have this little one-liner mapped to a hotkey combo:
`bash -c 'xfce4-screenshooter -r -o zbarimg | gxmessage -title "Decoded Data" -fn "Consolas 12" -wrap -geometry 640x480 -file -'`
Works great if you have xfce4-screenshooter, gxmessage, and zbarimg installed. It allows you to draw a box around a screen region, screenshots it, decodes it via zbarimg, and pipes the output into a dialog box with copyable text.
Just to add, 'pass' has an otp extension to simplify this a bit [1]
With that, you can do
[1] https://github.com/tadfisher/pass-otp
Heh, I use pass like this; but it's on my (Pine)Phone, so it doesn't solve the parent's original problem ;-)
Although the nice thing about CLI workflows is that I can easily run it by SSHing into my phone (just make sure you set up GPG so the passphrase prompt will appear in your terminal, and not as a popup on the phone!)
We also have Microsoft authentication that displays a number on the browser and asks you to enter in on the device! :-(
My company also uses MS auth + 2fa for everything. Even signing into corporate G-suite :-). But I do not like the Microsoft Authenticator - I previously had issues where it would not show the number - and I was able to switch to a different TOTP provider. It’s a bit buried in the menus but possible
Unless they have explicitly disabled it even m365 has the option to add a totp 2fa method. Might be worth double checking.
In my union contract we have language that requires the employer to provide us with a hardware 2FA token for just this reason. I and some of my coworkers don't use smartphones, and we didn't want to be obligated to use one for work.
"So long as [employer's] access management vendor... supports the use of physical two-factor authentication devices (for example, a YubiKey), [employer] shall make such devices available to Employees upon their submission of a request for the device."
I've worked in places that wanted to push cell phone apps on the team for auth and we also pushed for hardware tokens. It worked extremely well. The concerns we had were mainly centered on privacy since the app wanted location/camera access and apps can (or at least at the time could) get a ton of data from your device without requesting any permission at all like getting a list of every app you have installed, or data from sensors like the accelerometer, gyroscope, compass, barometer, thermometer, etc.
I'm old enough to have lived through the era of standalone authenticators. The downsides of that approach are also numerous.
I understand where you're coming from though, and I think this is where OS features like Focus Modes come into play.
When I'm in a "Work" mode, I literally don't see notifications from most of my apps. They don't show up in the notification center, or on app icon badges, or anywhere.
This takes a few minutes to set up, but once it's in place, it's fantastic. I also do this for other aspects of my life: Photography, Research, etc. When I'm in those modes, I don't want to see anything except for the apps that are specific to what I'm doing. It's worth the effort of setting this up IMO, and extends far beyond just work.
Hmm. I wonder if there would be a market for a super simple TOTP authentication device with an e-paper display. Kind of like those RSA tokens with the LCDs, but more modern and able to hold any number of TOTP credentials.
Getting the credentials loaded could be a bit of a pain without a camera for QR code scanning. Easiest solution would be via Bluetooth to a companion app, which you would probably want anyway for periodic time sync (likely wouldn't be worth it to embed a GNSS receiver just to update the time).
Probably be a pretty small market, but as a niche Kickstarter device? I could see a small but loyal customer base.
Sounds like a job for a second phone, one which you'd just be extra careful to only use for one purpose. It can be cheap as balls, but it will have a QR-compatible camera and whatever else we may have come to expect from such a device. :)
Yup. Just use a secondary 5-year old phone for dirt cheap. I was actually considering doing it once, but the convenience takes a hit.
Make sure your GNSS receiver supports OSNMA, and be _extremely_ trusting of your battery-backed RTC and profoundly skeptical of time jumps over a certain magnitude.
GNSS spoofing is trivial now and it's an extremely useful way to manipulate a target device's idea of time, which breaks all sorts of things. (SSL certificate validity periods...)
This is nearly what you’re looking for (well, not that close, but it’s got the right spirit):
https://blog.singleton.io/posts/2022-10-17-otp-on-wrist/
I would love this, but only if it also successfully implemented a few disparate authentication protocols that essentially do the same things (prove identity) but are regrettably proprietary - like the de facto standard electronic ID in Sweden, BankID.
Token2 make this: https://www.token2.com/shop/product/molto-2-v2-multi-profile...
They also do single-token cards: https://www.token2.com/shop/category/programmable-tokens
Yubikey?
Yubikey does TOTP on-board, but you need to connect it to a phone or computer (no display or on-board power). It solves a different problem, where you want to have your TOTP credentials on a tamper resistant hardware security module. It doesn't solve the "don't want to carry around a phone for TOTP" problem.
3 replies →
A yubikey works great for this
I used to use a yubikey but have now moved onto a fingerprint sensor and passkeys. Doesnt work for all sites but does for most of them.
they exist, in my country they are available as alternative to smartphone apps for identity auth. (ie you can choose between android, iphone, and TOTP LCD device.)
Flipper Zero supports that
[dead]
Have you tried a smart watch? The Duo 2FA app lets you add an arbitrary TFA code based authenticator with same QR code Google Authenticator supports and generate those from their Apple WatchOS [0] or Android WearOS apps. I have used it successfully for years, it's a huge reason I got an Apple Watch in fact. Now you'll have to configure your watch with a "work" focus mode that turns off all notifications and not install any fancy apps on the watch (do those still exist?), but it can free you from your phone.
Along the same lines the Meta Wayfarer[2] smart glasses lets you take slice of life photos and videos without needing to whip out your phone. You lose a ton of quality but stay in the moment more. The AI features are getting better so eventually you'll be able to use it for basic information lookup.
0 - https://guide.duo.com/apple-watch
1 - https://guide.duo.com/duo-wear
2 - https://www.meta.com/ai-glasses/wayfarer
Yubikey nanos are the way out of that specific problem
I imagine Yubikey doesn't support all the stupid custom-app-2fa that companies push out.
I really wish they'd just stick to classic TOTP.
Is there a way of getting them to store a dozen or so totp secrets? And if so, how do you select which one you want to use?
Check this out: https://github.com/Authenticator-Extension/Authenticator
Taking the 2 out of 2FA since 2017!</sarcasm>
Thanks for sharing a potentially useful tool but I will not use it without a lot more details about how this browser extension secures the 2FA secrets from sketchy websites/ads.
Most trusted desktop password manager apps can manage and autofill OTPs in browsers as well, e.g. KeepassXC and 1password. (If you're making the tradeoff anyway, I think you may as well use a password manager you already trust with other secrets.)
1 reply →
This is one of the thing that smart watches should be doing, or even better, something like https://blog.singleton.io/posts/2022-10-17-otp-on-wrist/.
First of all, I'm not a fan of constantly needing to re-authenticate.
But for your specific problem there is a simple solution that isn't particularly expensive. Buy a new phone. Install 2FA on it, and don't install anything else.
I just use an old phone that I've wiped clean and removed the SIM. Sits on the desk and I just glance at it when I need a new 2FA code.
I imagine you've considered it already, but maybe your work would be willing to put the 2FA secret into something like 1Password, which you could access on your computer instead of your phone.
Defeats the purpose of 2FA though. I'd argue a cheap 2FA-only phone would be good, if they're struggling to touch their real phone without being consumed by distractions.
It does not defeat the purpose of 2FA as possession of the decrypted 1Password vault is the second factor.
10 replies →
Time to get a “work” phone.
I carried 2 phones for many years. It was more trouble than it’s worth. Especially these days. Working from home, my only work use of the phone is for the Authenticator app.
The optics of that can be questionable. Just ask Skyler White or her brother-in-law.
If it's Authenticator you can use bitwarden from your browser, that's what I do. If you're using a custom app or something different then yeah it's annoying
Apple Watch with Authy is a great solution for this. I don’t need to have my phone in the same room to use 2FA.
Get a keyboard with a usb port on the side. Insert yubikey nano. Now instead of annoying 2FA you just reach your finger over and touch.
Why does it have to be an app on your phone? IT should be able to support yubikeys (or similiar) and even printed OTP lists.
I see some evidence that yubikeys are used somewhere in the organization, but not sure where or how.
The only information we were sent to get this all setup was specifically for a phone. The portal that exists to add devices only appears to support phones.
I have a co-worker who simply tried to use Authy instead of MS Authenticator and it didn’t work. There is a lot of bureaucracy that typically makes it not worth the fight.
> However, it’s all via an Authenticator app on the phone.
Why not save the secret on your laptop and generate the OTP on your laptop?
I use MS Authenticator for work too. It doesn't do standard TOTP, at least not for Entra. The QR codes don't contain the secret. IDK that anyone has been able to exfiltrate a secret and generate codes with a third party app.
I personally use an Android emulator on my laptop, which achieves the same goal. It saves and restores state automatically for quick startup.
You can use the Freedom app.
url freedom.to
Or just disable notifications. The iphone has a do not disturb mode that can be scheduled.
Ever since I disabled all the notifications on my phone my life has been happier. It won't work for everyone (50% of the time it doesn't even work for me), but I can't help but write this anecdote here.
These look swish https://www.reiner-sct.com/en/produkt/reiner-sct-authenticat...
For Windows, here's a free little authenticator app that lives in your system tray: https://github.com/richard-green/Authentiqr.NET
Get a Yubikey or similar, have a USB port close, one finger tip, done.
Reminds me of when I was developing an application 'in' Facebook (when it was mostly friends but with adds for addictive games in the sidebar)
1Password can be your 2fa and autofill those fields. It has a built in scanner which will look at your screen and read the QR code on the screen (no separate device needed).
The comments here have the genre of "2 factor, 1 device"...
Two Factor doesn't mean 2 devices. Two factor generally has been thought of as "something you know, and something you have."
Let's do a quick threat model on putting both passwords and MFA tokens in a 1password vault.
1Password employees a recovery key + password login by default, and logging into a vault requires you to either have a device with the encrypted vault on it and your password, or have knowledge of your password and knowledge of your recovery key (normally in a file which makes it something you have) essentially traditional 2fa needed to log into a new device.
If someone steals your phone with 1password installed - they need your 1password to be able to access your credentials on the physical device. At that point they already have both your factors - your phone (have) and your password (know) - still protected by 2fa.
If someone manages to fully root your computer, they could wait until you unlock your vault and then extract your credentials. However, if you use traditional 2fa on a separate device - then they can just wait until you log into the target app, and then ride your session and get the same level of access to the target. While there may be a small difference in level of effort or how long it takes, the same access level is possible, and the requirements are that they have very privileged access to your operating system. Someone rooting the device that you login to services is grants them "single factor" access to your services when you access them.
There is some subtle differences between these, but except for situations where you have very high privileged requirements, at which point you should be using yubikeys or standalone MFA devices, using 1Password with OTP and password is very comparable to using a separate device for MFA.
I'm a previous red teamer and currently a blue teamer.
It was never meant to be two device authentication.
Invest in a password manager that stores it all, including the rolling codes
Use a yubikey
Most password managers (Bitwarden, 1Password etc) have a function for generating TOTP codes.
do you use a pw manager? bitwarden (OSS) has it built in if you pay for premium. i think it's an extra 1-3/mo but well worth it to support the team
It's not your job's responsibility to cater to your lack of self control
Even doing nothing beyond the authentication, it is still requiring task switching, changes devices, waiting for codes, entering them, switching back. It’s very disruptive to any type of flow state.
But it's in their best interests.