What is the problem that you are trying to solve?
I'm trying to share the AWS root account of my company. The strong password is already in my own Passbolt instance but isn't enough. My root account is secured by an MFA process, and I cannot share it securely. Ease of use for system administrators will increase adoption.

Q4 - What is your proposed solution? (optional)
I am looking for a way to add TOTP tokens to entries/sites that support it (GitHub, Amazon, etc). So my idea is to share a 2FA generator like we can already do with passwords. TOTP should be enough for a first shot, but HOTP can be great also.

As a user I want to store a TOTP initialization code in Passbolt. I think it's possible to do that with the current GPG process. In the UI, attached to an existing password entry seems to be a good place.
Log in to GitHub, go to settings, security, under two-factor authentication.
Click on "Set up two-factor authentication", click on "Set up using an app", click on "enter this text code".
Log into Passbolt, on the password workspace, click on "new", select "TOTP token".
Copy the GitHub text code into the Passbolt create TOTP dialog.

As a user I want to use Passbolt to generate a one-time token to log in to GitHub.
Log in to Passbolt, right click on the GitHub TOTP entry, click on "copy OTP to clipboard".
Log in to GitHub, paste the OTP token in the second authentication step input form, press login.

As a user, I want the ability to add entries which have TOTP keys such as GitHub / Amazon (2FA/MFA).

People can vote for this idea to show traction: threads in the Backlog section are exactly for voting up what is desired, and the devs use these threads to consider the roadmap forward. In addition to balancing out the expressed interest with other items on the active development list, I suspect with regard to this particular feature that it potentially could be as simple as implementing a TOTP generator based on a stored key. In practice, however, there are other aspects to be considered once the overall app security model is considered, along with its existing structure. When we rolled out the mobile app feature, it incorporated a QR code process not unlike what is used with establishing TOTP. However, some devices did not play well with the process. Yes, the idea is pretty straightforward, and while the commitment by the team to proceed with a feature will always include the goal of security, stability and proper support for the customers and the community, some things are support-heavy, which is not always anticipated but can start to drag progress on other items. (I think the library may have even changed along the way with improvements.)

With this in mind, I think the devs have gained a lot of wisdom along the way and have developed a very judicious approach regarding what to do next. I know they are very knowledgeable in how to implement all of these things, but like any project, decisions are made after consideration.

When I think of the age of this feature request, it occurs to me that it was before the Description section of a secret could be encrypted. I have to change passwords pretty regularly, but never change the TOTP. Now that the Description section is able to be encrypted, it would be possible to share the TOTP string key with team members, who could then use their own apps to process it. Workarounds in the past probably included creating a separate secret just for the OTP string key… but the string is not always provided or convenient to derive. One question I have for the thread is how are people currently sharing/saving/backing up QR codes and strings related to TOTPs? If it's outside of Passbolt, where are the pain points? I currently keep a file of them saved after taking a screenshot in the process.

Not being able to get a 2FA code recovered is a huge headache. I do not keep copies of the QR, but I really should. I keep a backup of the data that the app(s) allow you to export. I keep the backup data outside of Passbolt on a thumb drive. I guess I would keep the QR codes on the thumb drive as well.

I would be looking for the Passbolt mobile app to function as a TOTP OTP code generator. So my password management and TOTP management would be in the same mobile app. Hoping it might be possible to implement Passbolt's ability to take QR code pictures and process the data. I am a noob who can't code, but it seems possible to have Passbolt generate the OTP code for 2FA. I like the extra TOTP protection for SSH and hosts the best.

I agree 100%, 2FA code recovery really sucks and so do script kiddies! I had issues (noob) using key authentication with my remote servers, so I went back to OTP.