What does HackerNews think of pass-otp?
A pass extension for managing one-time-password (OTP) tokens
I've moved to using the pass otp extension[0] which gives me secure storage of the totp seeds without being tied to a single device.
Umm, why not?
First, you can use a different app (like aegis) to generate OTPs.
Second, pass has an extension (https://github.com/tadfisher/pass-otp) that can be used to generate OTPs.
Third, you can use something like oathtool to generate your otp using your totp secret
oathtool -b --totp "your-totp-secret"
It allows one to get OTP secrets via a simple:
pass otp secretname # Add -c for clipboard, as usual
And because the OTP side is just an otpauth:// URL on a line of the GPG file, we can still use the rest of the secret for other things:
pass secretname -c
Real smooth!
Alternatively, gopass[2], which re-implements pass in golang, has this functionality built in[3].
[0] https://github.com/tadfisher/pass-otp
[1] https://www.passwordstore.org/
[3] https://github.com/gopasspw/gopass/blob/master/docs/commands...
https://github.com/browserpass/ https://github.com/tadfisher/pass-otp https://www.passwordstore.org/
https://github.com/tadfisher/pass-otp
That gives you "pass otp github.com", etc. You can also export the QR code, and do similar things.
I put together a simple distribution of pass with a couple of plugins I use, including otp, which is easy to setup - just clone beneath `/opt/pass`:
https://github.com/tadfisher/pass-otp
Like others have mentioned, unlike Authy this doesn't use your phone number as identity.
pass: https://www.passwordstore.org/
otp extension: https://github.com/tadfisher/pass-otp
It kind of defeats the purpose of 2FA, but I keep my pass repo relatively secure, and the convenience is worth it.
* FreeOTP https://github.com/freeotp/freeotp-android
* FreeOTP+ https://github.com/helloworld1/FreeOTPPlus
* Password Store[3] (pass[4]) supports pass-otp[5]
3: https://github.com/zeapo/Android-Password-Store
pass-otp(1)[0] already has encryption ready; and it also adds another warning:
> This method is provided as a means to transport your TOTP tokens to other devices, disconnected from your single factor authentication part. If you add those secrets into the same basket of eggs, you will be defeating the whole purpose of the multi factor authentication[1] mantra. Please think it through before running this migration.
[0] https://github.com/tadfisher/pass-otp
[1] https://en.wikipedia.org/wiki/Multi-factor_authentication
https://www.passwordstore.org/ https://github.com/tadfisher/pass-otp
Then to insert the pass... something like this to convert from a QR code if text format isn't available:
zbarimg -q --raw /tmp/canvas.png | pass otp insert some-new-otp
to retrieve
pass otp some-new-otp -c
https://github.com/tadfisher/pass-otp
Even works with Browserpass and the Pass Android client:
A great great plugin is pass-otp [1]; using this I have migrated the storage of all OTP secrets from my phone to pass. And then I export it from pass to my phone. That way I still have my OTP secrets if I lose my phone and don't have to hassle with recovery of accounts just because of losing the phone. For sure the OTP needs to be changed at that point, but still worth it.
It's also worth mentioning that browserpass [0] integrates pass-otp [1], so whenever I log in to a page (that has an OTP secret) using browserpass it shows a little box in the top right corner with the current OTP code that I can copy-paste to the site.
Personally it's a perfect combination of security and convenience. The design is incredibly simple, if all these apps fail I can just use gpg to decrypt secrets.
The only downside is that filenames are stored unencrypted in the git repository, so Bitbucket can see what sites I use but can't see usernames or passwords (obviously).
[0]: https://www.fossmint.com/pass-commandline-password-manager-f...
[1]: https://qtpass.org/
[2]: https://play.google.com/store/apps/details?id=com.zeapo.pwds...