Two-factor authentication with pass and oathtool

published 2020-04-03, updated 2024-02-10 [ home ]

If you’re like me, you don’t want to depend on your phone to log into a website, and you wish your favorite password manager would support 2FA. Well, it can.

When a website asks you to set up 2FA, ask for the TOTP secret as text rather than a QR code. If the website doesn’t offer that option, decode the QR code with zbar. For instance, with the QR code from the GitHub documentation:

$ zbarimg totp-click-enter-code.png
QR-Code:otpauth://totp/GitHub:LyaLya?secret=qmli3dwqm53vl7fy&issuer=GitHub
scanned 1 barcode symbols from 1 images in 0.03 seconds

Once you have the secret (the value of the secret= parameter, here qmli3dwqm53vl7fy), store it as the first line of the entry 2fa/github in pass.
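As an added example (not from the original post), here is a small bash helper that takes the otpauth:// URI printed by zbarimg, checks that it is a TOTP URI carrying a base32 secret, and stores the secret as the first line of 2fa/<name>, the layout the 2fa function in this post reads with head -n 1. The function names are my own; the only external command it relies on is pass insert.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: import a TOTP secret into pass
# from the otpauth:// URI that zbarimg prints. Function names are my own.
set -eu

# Print one query parameter (secret, issuer, ...) of an otpauth:// URI, URL-decoded.
otpauth_param() {
    local uri="$1" key="$2" value
    # Drop everything up to '?', split the query on '&', take the first match.
    value="$(printf '%s\n' "${uri#*\?}" | tr '&' '\n' | sed -n "/^${key}=/{s/^${key}=//;p;q;}")"
    # Decode %XX escapes (e.g. %20 in an issuer name).
    printf '%b\n' "${value//%/\\x}"
}

# A TOTP secret must be base32 (RFC 4648 alphabet, optional '=' padding);
# oathtool --base32 accepts either case.
valid_base32() {
    local s
    s="$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
    [[ "$s" =~ ^[A-Z2-7]+=*$ ]]
}

# Store the secret as the first line of 2fa/<name>. Refuses non-TOTP URIs
# (e.g. otpauth://hotp/) and secrets that are not base32.
import_otpauth() {
    local name="$1" uri="$2" secret
    [[ "$uri" == otpauth://totp/* ]] || { echo "not a TOTP URI: $uri" >&2; return 1; }
    secret="$(otpauth_param "$uri" secret)"
    valid_base32 "$secret" || { echo "secret is not base32" >&2; return 1; }
    # pass insert -m reads the entry from stdin; -f overwrites an existing entry.
    printf '%s\n' "$secret" | pass insert -m -f "2fa/$name" >/dev/null
}

# Usage, with the URI from the GitHub documentation's QR code:
#   import_otpauth github 'otpauth://totp/GitHub:LyaLya?secret=qmli3dwqm53vl7fy&issuer=GitHub'
```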

Finally, add this to your .bashrc (or the equivalent for whatever shell you use):

2fa () { oathtool --totp --base32 "$(pass 2fa/"$1" | head -n 1)" ; }

You can now get your 2FA codes like this:

$ 2fa github
795864

You can also get Bash completion for the 2fa function with this short script, to be saved as /usr/share/bash-completion/completions/2fa:

#!/usr/bin/env bash
# Complete the 2fa function with the entry names found under 2fa/ in the password store.

>/dev/null pushd "${PASSWORD_STORE_DIR:-$HOME/.password-store}/2fa"
    # List every .gpg file, dropping the leading ./ and the .gpg extension.
    l="$(find . -type f -name '*.gpg' | sed -e 's#^\./##' -e 's#\.gpg$##')"
>/dev/null popd

complete -W "$l" 2fa

All the tools used in this article are available as packages in the Arch Linux repositories.

Complements

It was a post on Lobsters that prompted me to write this. Someone in the comments and a former colleague on Twitter told me about a pass extension I didn’t know about which does almost the same thing.

Also, some people think that putting 2FA codes in a password manager defeats the purpose. But in practice TOTP 2FA does not really add much more to the security of my accounts than the strong random passwords I generate with pass. The “second factor” part isn’t really the true benefit.

One actual advantage is that nobody on the network can sniff all of my credentials, much as with digest-based password verification methods. Another, and I think this is the main one, is that the owner of the website has chosen part of the credentials and hence ensured some degree of strength. What I do preserves both of those properties, so I’m fine with it. Note that password managers like 1Password and Passbolt do the same thing.

One thing you can do to improve the security of the whole setup is to require a second factor for pass itself, by storing the GPG key on a YubiKey.