commit ede8e81a4738c864970c9d8d276bbf86e9055307
parent 53a7024dc41a8750ceb15071b053ea67d48ff496
Author: Sebastiano Tronto <sebastiano@tronto.net>
Date: Tue, 3 Dec 2024 09:15:21 +0100
Blog post
Diffstat:
1 file changed, 116 insertions(+), 0 deletions(-)
diff --git a/src/blog/2024-12-03-2fa/2fa.md b/src/blog/2024-12-03-2fa/2fa.md
@@ -0,0 +1,116 @@
+# 2-factor authentication without a smartphone
+
+I am mildly annoyed by the not-so-recent trend of every single website
+and service forcing me into using a phone for 2-factor authentication. I
+mean, I get it is very important for security reasons, but now every
+time I try to log into some website I am forced to get up and pick
+up my phone, which is usually lying on the other side of the room. You
+can't just walk into a website nowadays.
+
+Another reason I don't like this is that a mobile phone can easily be
+lost, stolen or out of battery. I don't want to rely on it to get access
+to imortant services. As a partial workaround I always use SMS 2fa,
+which is quite insecure, but at least I just need to plug my SIM card
+into another phone if for some reason I can't use my device.
+
+And of course there are ways of using an authenticator app and sync your
+keys via some external cloud service. But I don't want to be dependent
+on external cloud services.
+
+But there is nothing special about my smartphone: there is
+no reason I should not be able to just use my laptop, or
+any other device, as a 2fa device. In fact, most services use
+[TOTP](https://en.wikipedia.org/wiki/Time-based_one-time_password),
+which is an open protocol. Yesterday I decided to figure out how
+this works, so that I would not need to detach my but from my chair
+ever again!
+
+## How TOTP works, as far as I understood
+
+Pairing an authenticator app with a website requiring 2fa is usually
+done by scanning a QR code. This QR code is not magic, it just contains a
+string that is going to be your *secret key* for this website. Then, every
+time you need to login, you get some code from your authentication app.
+The code is generated by the app by applying cryptography (which *is*
+magic, by the way) to your secret key, and it is only valid for a limited
+time span, usually 30 seconds. When you give this code to the website,
+they know it must have been generated from your secret key because of
+cryptographic magic.
+
+So in principle 2fa is just a way of forcing everyone to use a second
+properly-stored password, with your authenticator app as a password
+manager. Actually the password is stored on your device and never shared
+after the initial setup, so it is even safer than that. But it
+still falls short from a proper
+[public-key](https://en.wikipedia.org/wiki/Public-key_cryptography)
+protocol, because the secret key is shared publicly at the time of the
+initial setup.
+
+## Setting up 2fa with oathtool
+
+To generate TOTP codes I use
+[oathtool](https://man.archlinux.org/man/extra/oath-toolkit/oathtool.1.en),
+a command-line utility available in most linux distros and other
+operating systems. Keep in mind I have only used it on Void Linux
+for now, though.
+
+To generate a TOTP code from a `SECRET_KEY` you can simply use the
+following command:
+
+```
+$ athtool -b --totp "SECRET_KEY"
+```
+
+And that's it. However, you should not write you secret key in plain text
+like this: instead you should keep it encrypted and decrypt it just
+when you need it to generate a code. I do this by using my simple
+[2fa](https://git.tronto.net/scripts/file/2fa.html)
+script, which is based on my
+[secret](https://git.tronto.net/scripts/file/secret.html)
+tool that encrypts and decrypts stuff using openssl and a master
+password - which is obviously
+[correcthorsebatterystaple](https://xkcd.com/936/).
+
+## Troubleshooting
+
+The command as I wrote it above does not work for my laptop. The reason
+is that for reasons unknown my laptop's clock is steadily drifting
+- it is now 2 minutes and 4 seconds behind - and TOTP codes are only
+valid for a 30-seconds timespan. Luckily, you can trick oathtool
+into thinking we are in the future with the `--now` option:
+
+```
+$ athtool -b --totp "SECRET_KEY" --now=11:23
+```
+
+It's good to keep this in mind even when using other authentication
+systems. If it does not work, check the time!
+
+## Is this actually safe?
+
+This is a legit question, because by getting rid of your second device
+kinda defeats the purpose of 2-factor authentication. The principle
+of multi-factor authentication is that you should use at least two
+factors among:
+
+1. Something you know (e.g. a password)
+2. Something you have (e.g. a device)
+3. Something you are (e.g. a fingerprint)
+
+And with the system I explained, I am pretty much only using passwords.
+However, I would argue that I am still using two factors:
+
+1. Something I have: my laptop, which sloppily stores some
+ passwords in my browser's "saved passwords" (this does not
+ count as "something I know", because anybody who has access
+ to the device can just use my browser's password auto-fill
+ functionality without knowing what these passwords are).
+2. Something I know: the master password (which is not stored
+ anywhere) that protects the encrypted keys stored on my laptop.
+
+If you are still not convinced and think using a smartphone for
+security is safer, let me ask you this: do you ever login
+in one of these services from your smarpthone, using the same
+smartphone as a second factor? Then it's the same thing as I do.
+You are probably just using a PIN code or a fingerprint instead
+of my master password.
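Review bot: the two command examples in this hunk (`$ athtool -b --totp "SECRET_KEY"` and `$ athtool -b --totp "SECRET_KEY" --now=11:23`) misspell the binary; the tool introduced two paragraphs earlier and linked via its man page is `oathtool`, so as written neither command runs. Two smaller points in the same region: `--now=11:23` hard-codes a single wall-clock time, which only yields a valid code for the 30-second window around that instant and has to be retyped at every login, so the troubleshooting paragraph should either name clock synchronisation (NTP) as the real fix or say that `--now` must be given the correct current time on each use; and passing the secret as a command-line argument, which the sentence "you should not write you secret key in plain text like this" only hints at, also leaves it in shell history and visible in `ps` output to other local users, which is worth stating explicitly since the `2fa`/`secret` scripts that follow are meant to avoid exactly that. Finally, "the secret key is shared publicly at the time of the initial setup" overstates the weakness: the secret is transmitted once from the service to the client at enrolment and then held by both sides, not published; "shared with the service" is the accurate wording and still supports the contrast with a public-key protocol. Typos to fix while here: "imortant", "detach my but", "smarpthone", "write you secret key".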