Two-factor authentication with pass and oathtool

published 2020-04-03

If you're like me, you don't want to depend on your phone to log into a website, and you wish your favorite password manager would support 2FA. Well, it can.

When a website asks you to set up 2FA, ask for the secret as text rather than as a QR code. If the website doesn't give you that option, decode the QR code with zbar: its zbarimg tool prints the otpauth:// URI the code carries, and the base32 secret is the secret parameter of that URI. For instance, with the QR code from the GitHub documentation:

$ zbarimg totp-click-enter-code.png
QR-Code:otpauth://totp/GitHub:LyaLya?secret=qmli3dwqm53vl7fy&issuer=GitHub
scanned 1 barcode symbols from 1 images in 0.03 seconds

Once you have the secret, store the oathtool command line that generates a code as the pass entry 2fa/github (pass insert 2fa/github), like this:

oathtool --totp --base32 qmli3dwqm53vl7fy

Finally, add this to your .bashrc (or the equivalent for whatever shell you use):

# "2fa NAME" runs the command stored in the pass entry 2fa/NAME (pass defaults to "show")
2fa () { eval "$(pass "2fa/$1")" ; }

You can now get your 2FA codes like this:

$ 2fa github
795864
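To make explicit what oathtool computes from that secret, and to handle otpauth URIs that carry more than the example above (the optional digits, period and algorithm parameters), here is an added Python example. It is not code from the original post and is not part of pass or oath-toolkit. It parses the URI zbarimg printed, rejects any secret that is not plain base32 (the pass entry ends up in eval, so a hostile QR code must never reach the store unchecked), emits the equivalent oathtool command line to put in the pass entry, and implements RFC 6238 TOTP so the result can be cross-checked against that RFC's test vectors. The GitHub URI is the one shown on this page; the otpauth parameter names follow the otpauth URI convention; the seeds and expected codes in the self-check come from RFC 6238 appendix B; the second example URI is constructed for illustration.

```python
"""
Added example (not from the original post): what `oathtool --totp --base32 SECRET`
computes, and how to turn an otpauth:// URI (as printed by zbarimg) into the
oathtool command line that goes into the pass entry.
"""
import base64
import hashlib
import hmac
import re
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# RFC 4648 base32 alphabet, case-insensitive; "=" padding is optional in otpauth URIs.
_BASE32_RE = re.compile(r"^[A-Za-z2-7]+=*$")


def is_base32(s):
    """True if s contains nothing but base32 characters (and optional padding)."""
    return bool(_BASE32_RE.match(s))


def parse_otpauth(uri):
    """Parse otpauth://totp/LABEL?secret=...&issuer=...[&digits=&period=&algorithm=].

    The pass entry built from this is eval'd by the 2fa() shell function, so a
    secret that is not plain base32 is refused here rather than written to the store.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI: %r" % uri)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q.get("secret", "")
    if not is_base32(secret):
        raise ValueError("secret is not base32; refusing to store it")
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer"),
        "secret": secret,
        "digits": int(q.get("digits", 6)),       # otpauth default
        "period": int(q.get("period", 30)),      # otpauth default, seconds
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


def totp(secret_b32, for_time=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP (RFC 4226) over the counter floor(unix_time / period)."""
    if for_time is None:
        for_time = time.time()
    # Re-add base32 padding so the stdlib decoder accepts unpadded secrets.
    s = secret_b32.upper().rstrip("=")
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = int(for_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def oathtool_command(info):
    """The command line to store with `pass insert 2fa/NAME` for a parsed URI.

    Only flags that differ from oathtool's defaults (SHA1, 6 digits, 30 s) are emitted.
    """
    cmd = ["oathtool",
           "--totp" if info["algorithm"] == "SHA1" else "--totp=" + info["algorithm"].lower(),
           "--base32"]
    if info["digits"] != 6:
        cmd.append("--digits=%d" % info["digits"])
    if info["period"] != 30:
        cmd.append("--time-step-size=%ds" % info["period"])
    cmd.append(info["secret"])
    return " ".join(cmd)


def check_rfc6238_vectors():
    """Cross-check totp() against RFC 6238 appendix B (8-digit codes)."""
    seeds = {"SHA1": b"12345678901234567890",
             "SHA256": b"12345678901234567890123456789012",
             "SHA512": b"1234567890123456789012345678901234567890123456789012345678901234"}
    expected = {("SHA1", 59): "94287082", ("SHA256", 59): "46119246",
                ("SHA512", 59): "90693936", ("SHA1", 1111111109): "07081804",
                ("SHA1", 20000000000): "65353130"}
    for (alg, t), code in expected.items():
        b32 = base64.b32encode(seeds[alg]).decode()
        if totp(b32, for_time=t, digits=8, algorithm=alg) != code:
            return False
    return True


if __name__ == "__main__":
    # The URI zbarimg printed for the GitHub documentation QR code (from the page).
    uri = "otpauth://totp/GitHub:LyaLya?secret=qmli3dwqm53vl7fy&issuer=GitHub"
    info = parse_otpauth(uri)
    print(oathtool_command(info))  # what goes into the pass entry 2fa/github
    print(totp(info["secret"], digits=info["digits"], period=info["period"],
               algorithm=info["algorithm"]))  # should match oathtool's output right now
    print("RFC 6238 vectors:", "ok" if check_rfc6238_vectors() else "FAIL")
```

Running it prints the same command line as the pass entry above, a current code that matches oathtool's output as long as both clocks agree, and the result of the RFC 6238 self-check. The --digits, --time-step-size and --totp=sha256 flags it emits for non-default URIs are real oathtool options; the base32 check is the part worth keeping even if you do the rest by hand, because whatever lands in the pass entry is executed verbatim by the 2fa() function.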

All the tools used in this article are available as packages in the Arch Linux repositories.

Addenda

It was a post on Lobsters that prompted me to post this. Someone in the comments and a former colleague on Twitter told me about a pass extension I didn't know about which does almost the same thing.

Also, some people think that putting 2FA secrets in a password manager defeats the purpose, since both factors then live in one place. But in practice TOTP 2FA does not add much to the security of my accounts beyond the strong random passwords I already generate with pass. The "second factor" part isn't where the real benefit comes from.

One actual advantage is that the TOTP secret itself never crosses the wire: only a short-lived code derived from it does, so someone sniffing the network cannot capture a credential that stays valid (the same property digest-based password verification gives). Another, and I think this is the main one, is that the website has generated part of the credentials itself and so guaranteed some degree of strength regardless of what the user picks. What I do preserves both of those properties, so I'm fine with it. By the way, note that password managers like 1Password do the same thing.

The one thing I could do to really improve the security of the whole thing is to require 2FA for pass itself, by moving the GPG key that encrypts the store onto a Yubikey so that decrypting any entry needs the physical token. I probably will, someday.