Re: [Passwordsafe-linux] [Passwordsafe-devel] Thoughts on TOTP/HOTP support in PasswordSafe?
From: Bill B. <de...@bl...> - 2019-10-04 16:12:00
On Fri, Oct 04, 2019 at 08:13:07AM +0300, pwsafe.org wrote:

> A few thoughts:
>
> - This will require format changes - at least one new field to indicate the
> entry is for a OTP, and not a "regular" password.

I was just looking through the format docs for V3 and V4, and they both list "Two-Factor Key" as a (yet to be implemented) field type (0x1b). Is it safe to assume we could use this? Though we would still need additional fields for OTP parameters (e.g., hash algorithm, length of the generated code, etc.)

Since applications are supposed to be able to handle unknown fields in a forward-compatible way, it seems like there shouldn't be an issue with adding new fields to the existing formats (as opposed to waiting and adding it to the next format). Is this correct?

> - Are the specs for the various authenticators out there (Authy, Google
> Authenticator, etc.) publicly available and usable to implement a clone in
> pwsafe?

Yes, the HOTP spec is RFC4226 [1] and the TOTP spec is RFC6238 [2]. While I wouldn't be surprised if certain vendors had "peculiarities" with their implementation, I'd expect the vast majority of differences to be handled by changing the OTP parameters.

> - The biggest challenge for implementing this is to do so in a way that
> won't "penalize" the users of "classic" passwords. By "penalize" I mean
> require extra clicks/keystrokes over what's required today to create and
> use a given entry.

I'm open to other ideas, but my initial thought for the UI is

- The entry's view/edit dialog would get an additional tab for OTP-related configuration. On this tab, the user could enter their seed/key and configure their parameters. Since I expect that the average user doesn't want to have to know/care about which hash algorithm to choose and similar things, I think we could create some "presets" for common configurations, and give them user-friendly names/descriptions. Then also have a way for advanced users to manually set the parameters if needed.

- The entry's right-click menu would get two additional items:
  - Display Authenticator Code - opens a dialog that shows the code and time remaining indicator (similar to how "Display Password as QR Code" opens a dialog today). This basically presents the same interface as most authenticator apps. There could optionally be a button here to copy the code to the clipboard.
  - Copy Authenticator Code to Clipboard - copies the code to the clipboard.

If implemented as I described above, then the user might have to move past two additional items in the right-click menu. But I don't think there would be any additional clicks to create/use an entry unless the user decided to use OTP for that entry.

Bill

[1] https://tools.ietf.org/html/rfc4226
[2] https://tools.ietf.org/html/rfc6238

-- 
GPG: 5CDD 0C9C F446 BC1B 2509 8791 1762 E022 7034 CF84
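As an added illustration of the two RFCs Bill cites and of the "presets vs. advanced parameters" split he proposes (this is example code written for this archive page, not PasswordSafe's code and not part of the thread), the block below implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library only. The OTP parameters a "preset" would bundle are the hash algorithm, the code length, and the time step; the preset names in `PRESETS` and the helper names are assumptions for the example. The key values used are the published RFC 4226/6238 test keys, so the output can be checked against the RFC test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed presets for the example (not PasswordSafe's): a user-friendly name
# mapped to the OTP parameters an "advanced" tab would expose directly.
PRESETS = {
    "Standard (SHA-1, 6 digits, 30 s)": {"algorithm": "sha1", "digits": 6, "step": 30},
    "8 digits (SHA-1, 30 s)": {"algorithm": "sha1", "digits": 8, "step": 30},
    "SHA-256, 6 digits, 30 s": {"algorithm": "sha256", "digits": 6, "step": 30},
    "SHA-512, 6 digits, 30 s": {"algorithm": "sha512", "digits": 6, "step": 30},
}


def decode_seed(seed: str) -> bytes:
    """Decode the base32 seed an authenticator QR code carries.

    Spaces, lower case and missing '=' padding are tolerated, since users
    frequently paste the seed by hand.
    """
    s = seed.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    binary = (
        ((mac[offset] & 0x7F) << 24)
        | (mac[offset + 1] << 16)
        | (mac[offset + 2] << 8)
        | mac[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, at=None, step: int = 30, t0: int = 0,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP whose counter is the number of time steps since t0."""
    if at is None:
        at = time.time()
    return hotp(key, (int(at) - t0) // step, digits, algorithm)


def seconds_remaining(at=None, step: int = 30, t0: int = 0) -> int:
    """Seconds until the current code expires (the 'time remaining' indicator)."""
    if at is None:
        at = time.time()
    return step - ((int(at) - t0) % step)


def verify_totp(key: bytes, code: str, at=None, window: int = 1, step: int = 30,
                t0: int = 0, digits: int = 6, algorithm: str = "sha1") -> bool:
    """Server-side check: constant-time compare against the current step and
    +/- `window` neighbouring steps to absorb clock skew (RFC 6238 section 5.2)."""
    if at is None:
        at = time.time()
    counter = (int(at) - t0) // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        if c >= 0 and hmac.compare_digest(hotp(key, c, digits, algorithm), code):
            ok = True  # no early return: every candidate costs the same time
    return ok


def code_for_preset(seed: str, preset: str, at=None) -> str:
    """What the 'Display Authenticator Code' dialog would show for a chosen preset."""
    p = PRESETS[preset]
    return totp(decode_seed(seed), at, step=p["step"],
                digits=p["digits"], algorithm=p["algorithm"])


if __name__ == "__main__":
    # Base32 of the RFC 4226 test key "12345678901234567890" (a published test value).
    seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    for name in PRESETS:
        print(f"{name}: {code_for_preset(seed, name)} ({seconds_remaining()} s left)")
```

Run stand-alone it prints a live code per preset with the seconds left in the current step. `verify_totp` is the counterpart a service would run; the ±1 step window is the usual tolerance for client clock drift, and `hmac.compare_digest` keeps the comparison from leaking how many leading digits matched.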