Feedback on v3.65.0pre new TOTP authentication feature

MrMe
2024-01-14
2024-07-26
  • MrMe

    MrMe - 2024-01-14

    Hello Rony,

    Thank you and team for implementing the new TOTP authentication feature. In my test of Password Safe v3.65.0pre new TOTP authentication feature, it appears to work and match what I get if I used an Authenticator app such as Authy or Google Authenticator. Currently the authentication code can only be copied to the clipboard, which is fine. I would like to see an enhancement for Password Safe to be able to display the authentication code. I believe this can be accomplished in the same area where the button to copy the authentication code is now (see enclosed picture). Thanks.

     
  • Ashley T

    Ashley T - 2024-01-14

    I would like to see an enhancement for Password Safe to be able to display the authentication code.

    Hi MrMe, Was this in relationship to general everyday usage or during setup of an entry's TOTP? I'm discussing the latter case w/Rony. For everyday usage, where you are not in Add/Edit, you can use Display Auth Code accessible via toolbar button and entry right-click menu (see attached video clip). Thanks.

     
    • MrMe

      MrMe - 2024-01-14

      Hi Ashley,

      It was in relation to general everyday usage. I hadn't noticed that Display Auth Code was accessible via toolbar button and entry right-click menu. My feedback/request can be ignored. Thank you.

       
      • Rony Shapiro

        Rony Shapiro - 2024-01-14

        But I like your suggestion, since it increases the visibility of this feature.

         
  • alan

    alan - 2024-01-14

    Hi there,

    I've just seen that this option is under development.
    Is it really a good idea in terms of security?

    Everything you need to login to a system would be stored in a single place.
    It seems to destroy the whole concept of 2FA.

     
    • Rony Shapiro

      Rony Shapiro - 2024-01-14

      Excellent question.
      Simplest way to use this as "true" 2-factor is to keep one database for the "first factor" (password), and the second database for the TOTP.
      Classic security/convenience trade-off.

       
  • Ulrich Boche

    Ulrich Boche - 2024-01-14

    A concern worth considering. I would rather like to see PasswordSafe support 2FA in a way that I could use Google Authenticator as a second factor for login to PasswordSafe. This should however be done in consideration with the pwsafe apps on iOS and Android so interoperability is not lost.

     
    • Rony Shapiro

      Rony Shapiro - 2024-01-14

      The problem with using Google Authenticator (or the likes) is that this can only prove that you have the secret which is used to derive the OTP. There's no way to tie this into the database encryption key(s) in a way that can't be trivially broken.
      The only 2FA that I found usable for protecting the PasswordSafe database is one which is required to derive the actual encryption key(s), such as Yubico's Yubikey in HMAC mode.
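
The distinction drawn in the reply above, as an added Python sketch that is not part of the original post and is not Password Safe's code: a TOTP code can only be compared against an expected value, while an HMAC challenge-response reply can itself be the input to key derivation. The PBKDF2 stand-in, the function names and the sample secrets are assumptions made for illustration; the sketch does not reproduce Password Safe's file format or key stretching.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, computed for Unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation offset (RFC 4226)
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def stretch(material: bytes, salt: bytes) -> bytes:
    """Stand-in key-stretching step (assumption: PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)


def key_with_totp_gate(passphrase: bytes, salt: bytes, code: str,
                       totp_secret: bytes, t: int) -> bytes:
    """TOTP as a gate: the code is compared, then discarded.

    The code changes every 30 seconds, so it cannot be an input to a
    key that must decrypt the same file tomorrow. The resulting key
    depends on the passphrase alone.
    """
    if not hmac.compare_digest(code, totp(totp_secret, t)):
        raise PermissionError("bad TOTP code")
    return stretch(passphrase, salt)


def key_with_challenge_response(passphrase: bytes, salt: bytes,
                                token_secret: bytes) -> bytes:
    """HMAC-SHA1 challenge-response: the token's reply feeds the KDF.

    On real hardware the HMAC is computed inside the token and
    token_secret never leaves it; it is a parameter here only so the
    sketch runs without a device.
    """
    response = hmac.new(token_secret, passphrase, hashlib.sha1).digest()
    return stretch(response, salt)
```

With the gate, the returned key equals `stretch(passphrase, salt)`, so the check protects nothing once the file and passphrase are known; with challenge-response, the key cannot be computed without the token's secret.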

       
  • Ulrich Boche

    Ulrich Boche - 2024-01-14

    My problem with this kind of solution is that I need it to work also on iOS and Android. I haven't been able to find a Yubikey that would work on a Windows PC, an iPhone 14 plus, an iPad Air 5 and an Android smartphone.

     
    • MrMe

      MrMe - 2024-01-14

      Hello Ulrich,

      I've also wondered if iOS pwSafe could support Password Safe databases protected with password and YubiKey using HMAC-SHA1 Challenge-Response mode. I believe it might now be possible.

      This page shows various YubiKey 5 models https://www.yubico.com/product/yubikey-5-series/yubikey-5c-nfc/. With Android devices and now iPhone 15 supporting using USB-C, perhaps the YubiKey 5C model would work for both.

      Also, these GitHub sites https://github.com/Yubico/yubikit-ios/issues/3 and https://github.com/Yubico/yubikit-ios/commit/8f4b26a1bb800c2f12680f9e7ce0c23c86be41b4 seem to suggest that Yubico Mobile iOS SDK (YubiKit) has been updated with support for HMAC-SHA1 Challenge-Response mode.

      So, perhaps all we need now is for the iOS pwSafe and Android PasswdSafe developers to offer support for databases protected with Yubikey HMAC-SHA1 Challenge-Response mode.

       
  • Ulrich Boche

    Ulrich Boche - 2024-01-18

    The YubiKey 5Ci with its USB-C and Lightning attachments might be the right thing. However, on the web page they make claims about all kinds of systems but iPhone and iPad are not mentioned at all. And, on the front panel of my PC, I only have USB-A ports. A USB-C port is only at the backside, barely reachable.

     
    • MrMe

      MrMe - 2024-01-19

      Your next PC will probably have only USB-C on the front and USB-A only on the back.

      See "Why aren't the iPhone and iPad supported?" at https://pwsafe.info/yubikey for what the developer of the pwSafe app for iOS & MacOS had said about YubiKey support.

      Now that the software libraries mobile developers need and YubiKeys that work on mobile are available, we users need to start requesting YubiKey HMAC-SHA1 Challenge-Response support from the iOS/Android app developers of Password Safe compatible apps.

       
  • Jeff Harris

    Jeff Harris - 2024-01-21

    The Android port of PasswdSafe should support USB and NFC based Yubikeys on phones and tablets. Unfortunately, Chromebooks are not supported as the OS doesn't allow Android apps to access the devices correctly. There are notes at https://sourceforge.net/p/passwdsafe/wiki/Home/#yubikey-support for using the key.

    There should be converter cables to convert between USB-A and USB-C.

     
  • Trevor Vance

    Trevor Vance - 2024-07-26

    @ronys - Has this feature been ported into the Linux version yet? Currently using 1.19 on Debian Bookworm. Please disregard -- I see the open issue as GH1297

     

    Last edit: Trevor Vance 2024-07-26
