Re: [Passwordsafe-devel] [Passwordsafe-linux] Thoughts on TOTP/HOTP support in PasswordSafe?
From: Mark M. <mar...@gm...> - 2019-10-04 12:52:02
Hi there,

I've done a bit of work on this for my app (Strongbox) which supports KeePass and Password Safe. In the KeePass Windows world people used plugins to manage this feature. It has proven to be popular and has been made native in KeePassXC (a cross-platform KeePass client) and also in my own app. I'd be happy to help with any queries you have.

Currently if a user adds a TOTP via my app to their Password Safe database I support this by appending an OTPAUTH URL to their notes field (less than ideal but functional).

To answer one of the questions raised above:

- Are the specs for the various authenticators out there (Authy, Google Authenticator, etc.) publicly available and usable to implement a clone in pwsafe?

Yes (the standard is RFC 6238).

Other things to think about off the top of my head for anyone looking to implement this:

- Parameters are often required (Hash Algorithm (usually SHA1), Number of Digits (usually 6), Period (usually 30 seconds)).
- OTPAUTH URLs could be supported; they combine the parameters, the seed and some metadata like the Issuer, Name, Username and look like:

  otpauth://totp/ACME%20Co:joh...@em...?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=ACME%20Co&algorithm=SHA1&digits=8&period=31

  They are usually scanned from a QR Code.
- Some people use a variant of the standard RFC 6238 algo for use with "Steam" tokens, a gaming provider.

FWIW, this is handled in the KeePass world by using "Custom Fields", basically a feature that allows for a set of Key-Value Pairs. I don't believe the equivalent exists in the Password Safe world and you might not want to go that route anyway, but in short a TOTP configuration can be added to any entry alongside a regular password.

Hope that's helpful.

Best,
-Mark

On Fri, 4 Oct 2019 at 09:07, pwsafe.org <ro...@pw...> wrote:
> Hi Tom,
>
> I think that Bill meant adding one time password support for
> different sites, not for authenticating PasswordSafe itself using TOTP/HOTP.
>
> Yubikey is currently supported, including the ability to configure a
> backup device as you described.
>
> Rony
>
> On Fri, Oct 4, 2019 at 7:38 AM Tom Mitchell <mi...@ni...> wrote:
>
>> On Thu, Oct 3, 2019 at 8:55 PM Bill Blough via Passwordsafe-linux
>> <pas...@li...> wrote:
>> >
>> > Hi all,
>> >
>> > I've been considering implementing TOTP/HOTP support in PasswordSafe.
>>
>> It seems possible and interesting but I would rather add YubiKey support first.
>> One weakness with password managers is key management for the password manager
>> software itself. Two YubiKey device support please. A pair of YubiKey devices
>> allows a second device to be kept in a sealed tamper-evident envelope of the
>> manager's or company office safe. The encrypted password-safe file can be
>> replicated as needed for portability.
>>
>> One problem with the Google and Microsoft Authentication is they are tied to
>> devices that are easy to misplace and also have fragile to strong unlock
>> features. They are useful.
>>
>> --
>> T o m M i t c h e l l ( o n N i f t y E g g )
>
> --
> Ubi dubium, ibi libertas (where there is doubt, there is freedom)
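As an added example (not Mark's code, nor Strongbox's or PasswordSafe's), the otpauth URL format and RFC 6238 parameters discussed in the message above: a parser for the URL, HOTP/TOTP generation honouring the algorithm, digits and period parameters, and a verifier that tolerates one step of clock drift and compares in constant time. The account name in the sample URL is a constructed placeholder, and the Steam variant mentioned in the thread is not covered.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}  # 'algorithm' values

def parse_otpauth(url):
    """Parse an otpauth://totp/<label>?... URL; missing params default to SHA1, 6 digits, 30 s."""
    u = urlparse(url)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp/ URLs are handled here")
    q = parse_qs(u.query)
    label = unquote(u.path.lstrip("/"))
    issuer, _, account = label.rpartition(":")  # label is "Issuer:account" or just "account"
    return {
        "issuer": q.get("issuer", [issuer])[0],
        "account": account,
        "secret": q["secret"][0],
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }

def hotp(secret_b32, counter, algorithm="SHA1", digits=6):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # QR payloads usually omit '='
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32, at=None, algorithm="SHA1", digits=6, period=30):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret_b32, int(time.time() if at is None else at) // period, algorithm, digits)

def verify_totp(params, code, at=None, window=1):
    """Accept the current step or +/- `window` steps (clock drift), comparing in constant time."""
    base = int(time.time() if at is None else at) // params["period"]
    return any(hmac.compare_digest(hotp(params["secret"], base + d, params["algorithm"], params["digits"]), code)
               for d in range(-window, window + 1))

# Constructed sample: the URL quoted in the thread, with a placeholder account name.
EXAMPLE_URL = ("otpauth://totp/ACME%20Co:john@example.com?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ"
               "&issuer=ACME%20Co&algorithm=SHA1&digits=8&period=31")
```

The hotp() and totp() functions reproduce the RFC 4226 and RFC 6238 test vectors (secret "12345678901234567890"), which is the quickest check that an implementation matches Google Authenticator and friends.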