# 2-factor authentication without a smartphone

I am mildly annoyed by the not-so-recent trend of every single website
and service forcing me into using a phone for 2-factor authentication. I
mean, I get it is very important for security reasons, but now every
time I try to log into some website I am forced to get up and pick
up my phone, which is usually lying on the other side of the room. You
can't just walk into a website nowadays.

Another reason I don't like this is that a mobile phone can easily be
lost, stolen or out of battery. I don't want to rely on it to get access
to important services. As a partial workaround I always use SMS 2fa,
which is quite insecure, but at least I just need to plug my SIM card
into another phone if for some reason I can't use my device.

And of course there are ways of using an authenticator app and syncing your
keys via some external cloud service. But I don't want to be dependent
on external cloud services.

But there is nothing special about my smartphone: there is
no reason I should not be able to just use my laptop, or
any other device, as a 2fa device. In fact, most services use
[TOTP](https://en.wikipedia.org/wiki/Time-based_one-time_password),
which is an open protocol. Yesterday I decided to figure out how
this works, so that I would not need to detach my butt from my chair
ever again!

## How TOTP works, as far as I understood

Pairing an authenticator app with a website requiring 2fa is usually
done by scanning a QR code. This QR code is not magic, it just contains a
string that is going to be your *secret key* for this website. Then, every
time you need to log in, you get some code from your authenticator app.
The code is generated by the app by applying cryptography (which *is*
magic, by the way) to your secret key, and it is only valid for a limited
time span, usually 30 seconds. When you give this code to the website,
they know it must have been generated from your secret key because of
cryptographic magic.

So in principle 2fa is just a way of forcing everyone to use a second
properly-stored password, with your authenticator app as a password
manager. Actually the password is stored on your device and never shared
after the initial setup, so it is even safer than that. But it
still falls short of a proper
[public-key](https://en.wikipedia.org/wiki/Public-key_cryptography)
protocol, because the secret key itself is shared at the time of the
initial setup.

## Setting up 2fa with oathtool

To generate TOTP codes I use
[oathtool](https://man.archlinux.org/man/extra/oath-toolkit/oathtool.1.en),
a command-line utility available in most Linux distros and other
operating systems. Keep in mind I have only used it on Void Linux
for now, though.

To generate a TOTP code from a base32-encoded `SECRET_KEY` you can simply
use the following command:

```
$ oathtool -b --totp "SECRET_KEY"
```

And that's it. However, you should not write your secret key in plain text
like this: instead you should keep it encrypted and decrypt it just
when you need it to generate a code. I do this by using my simple
[2fa](https://git.tronto.net/scripts/file/2fa.html)
script, which is based on my
[secret](https://git.tronto.net/scripts/file/secret.html)
tool that encrypts and decrypts stuff using openssl and a master
password - which is obviously
[correcthorsebatterystaple](https://xkcd.com/936/).

## Troubleshooting

The command as I wrote it above does not work on my laptop. The reason
is that for reasons unknown my laptop's clock is steadily drifting
- it is now 2 minutes and 4 seconds behind - and TOTP codes are only
valid for a 30-second time span. Luckily, you can trick oathtool
into thinking we are in the future with the `--now` option:

```
$ oathtool -b --totp "SECRET_KEY" --now=11:23
```

It's good to keep this in mind even when using other authentication
systems. If it does not work, check the time!

## Is this actually safe?

This is a legit question, because getting rid of your second device
kinda defeats the purpose of 2-factor authentication. The principle
of multi-factor authentication is that you should use at least two
factors among:

1. Something you know (e.g. a password)
2. Something you have (e.g. a device)
3. Something you are (e.g. a fingerprint)

And with the system I explained, I am pretty much only using passwords.
However, I would argue that I am still using two factors:

1. Something I have: my laptop, which sloppily stores some
   passwords in my browser's "saved passwords" (this does not
   count as "something I know", because anybody who has access
   to the device can just use my browser's password auto-fill
   functionality without knowing what these passwords are).
2. Something I know: the master password (which is not stored
   anywhere) that protects the encrypted keys stored on my laptop.

If you are still not convinced and think using a smartphone for
security is safer, let me ask you this: do you ever log in
to one of these services from your smartphone, using the same
smartphone as a second factor? Then it's the same thing as I do.
You are probably just using a PIN code or a fingerprint instead
of my master password.
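To make the "cryptographic magic" from the TOTP section concrete, and to show exactly what the `--now` trick in the troubleshooting section compensates for, here is a standard-library Python implementation of TOTP (RFC 6238 on top of the HOTP construction from RFC 4226). This is an added example, not code from this post, from the `2fa` script, or from oathtool; the function names (`hotp`, `totp`, `time_step`, `decode_base32_secret`, `seconds_remaining`, `corrected_code`) are my own, and the secret used in the demo is the published RFC 6238 reference secret, not a real pairing key.

```python
"""Minimal TOTP generator, standard library only (added example, not the post's code)."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    'dynamic truncation' to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks a window
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def time_step(now, step=30):
    """TOTP turns wall-clock time into the HOTP counter: floor(unix_time / step).
    Two parties only agree on the code if their clocks fall in the same step."""
    return int(now // step)


def totp(secret, now=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the time step as the counter."""
    if now is None:
        now = time.time()
    return hotp(secret, time_step(now, step), digits)


def decode_base32_secret(secret_b32):
    """The secret in a pairing QR code is base32 (what `oathtool -b` expects).
    Tolerate the spaces and lower case some sites print, and restore padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def seconds_remaining(now, step=30):
    """How long the code for `now` stays valid before the counter rolls over."""
    return step - int(now % step)


def corrected_code(secret, local_now, clock_behind_seconds, step=30, digits=6):
    """What passing `--now` to oathtool achieves: generate the code for the time the
    server actually has, by adding the known drift to the local (slow) clock."""
    return totp(secret, local_now + clock_behind_seconds, step, digits)


if __name__ == "__main__":
    # Constructed demo input: the RFC 6238 reference secret, ASCII "12345678901234567890",
    # written in base32 the way a QR code / `oathtool -b` would carry it.
    demo_secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(demo_secret, now=59))               # 287082  (RFC 6238 test vector, 6 digits)
    print(totp(demo_secret, now=59, digits=8))     # 94287082 (same vector, 8 digits)

    # A laptop clock 2 minutes 4 seconds behind lands in a different 30-second step,
    # so it generates a code the server will reject; adding the drift fixes it.
    server_now = 1111111109
    laptop_now = server_now - 124
    print(time_step(server_now), time_step(laptop_now))        # 37037036 37037032
    print(corrected_code(demo_secret, laptop_now, 124))        # 081804, matches the server
```

The point the prose leaves implicit is that the code is a function of the secret *and* of `floor(time / 30)`, nothing else: no network round trip, no per-login state. That is why any device that holds the secret and knows the time can act as the second factor, and why a clock that is 124 seconds behind fails even though the secret is right. `--now` does nothing cleverer than substituting the time used for `time_step`.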