Re: [Passwordsafe-linux] [Passwordsafe-devel] Thoughts on TOTP/HOTP support in PasswordSafe?
From: Bill B. <de...@bl...> - 2019-10-04 16:22:11
Hi Mark,

Thanks for the info! This definitely gives me more to think about.

Also, I very much appreciate the offer to answer questions. I may take you up on that at some point.

Regards,
Bill

On Fri, Oct 04, 2019 at 01:51:11PM +0100, Mark McGuill wrote:
> Hi there,
>
> I've done a bit of work on this for my app (Strongbox) which supports
> KeePass and Password Safe.
>
> In the KeePass Windows world people used plugins to manage this feature. It
> has proven to be popular and has been made native in KeePassXC (a cross
> platform KeePass client) and also in my own app.
>
> I'd be happy to help with any queries you have. Currently if a user adds a
> TOTP via my app to their Password Safe database I support this by appending
> an OTPAUTH URL to their notes field (less than ideal but functional).
>
> To answer one of the questions raised above:
>
> - Are the specs for the various authenticators out there (Authy, Google
> Authenticator, etc.) publicly available and usable to implement a clone in
> pwsafe?
> Yes (the standard is RFC 6238)
>
> Other things to think about off the top of my head for anyone looking to
> implement this:
>
> - Parameters are often required (Hash Algorithm (usually SHA1), Number of
> Digits (usually 6), Period (usually 30 seconds))
> - OTPAUTH URLs could be supported, they combine the parameters, the seed
> and some metadata like the Issuer, Name, Username and look like:
>
> otpauth://totp/ACME%20Co:joh...@em...?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=ACME%20Co&algorithm=SHA1&digits=8&period=31
>
> They are usually scanned from a QR Code.
>
> - Some people use a variant of the standard RFC 6238 algo for use with
> "Steam" tokens, a gaming provider.
>
> FWIW, this is handled in the KeePass world by using "Custom Fields",
> basically a feature that allows for a set of Key-Value Pairs. I don't
> believe the equivalent exists in the Password Safe world and you might not
> want to go that route anyway, but in short a TOTP configuration can be
> added to any entry alongside a regular password.
>
> Hope that's helpful.
>
> Best,
> -Mark
>
> On Fri, 4 Oct 2019 at 09:07, pwsafe.org <ro...@pw...> wrote:
>
> > Hi Tom,
> >
> > I think that Bill meant adding one time password support for
> > different sites, not for authenticating PasswordSafe itself using TOTP/HOTP.
> >
> > Yubikey is currently supported, including the ability to configure a
> > backup device as you described.
> >
> > Rony
> >
> > On Fri, Oct 4, 2019 at 7:38 AM Tom Mitchell <mi...@ni...> wrote:
> >
> >> On Thu, Oct 3, 2019 at 8:55 PM Bill Blough via Passwordsafe-linux
> >> <pas...@li...> wrote:
> >> >
> >> > Hi all,
> >> >
> >> > I've been considering implementing TOTP/HOTP support in PasswordSafe.
> >>
> >> It seems possible and interesting but I would rather add YubiKey support
> >> first.
> >> One weakness with password managers is key management for the password
> >> manager software itself. Two YubiKey device support please. A pair of
> >> YubiKey devices allows a second device to be kept in a sealed tamper
> >> evident envelope in the manager's or company office safe. The encrypted
> >> password-safe file can be replicated as needed for portability.
> >>
> >> One problem with the Google and Microsoft Authentication is they are
> >> tied to devices that are easy to misplace and also have fragile to
> >> strong unlock features. They are useful.
> >>
> >> --
> >> T o m M i t c h e l l ( o n N i f t y E g g )
> >>
> >> _______________________________________________
> >> Passwordsafe-linux mailing list
> >> Pas...@li...
> >> https://lists.sourceforge.net/lists/listinfo/passwordsafe-linux
> >
> > --
> > Ubi dubium, ibi libertas (where there is doubt, there is freedom)
> > _______________________________________________
> > Passwordsafe-devel mailing list
> > Pas...@li...
> > https://lists.sourceforge.net/lists/listinfo/passwordsafe-devel

--
GPG: 5CDD 0C9C F446 BC1B 2509 8791 1762 E022 7034 CF84
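To make Mark's parameter list concrete, here is an added Python example (not from the thread, PasswordSafe or Strongbox) that parses an otpauth:// URI like the one he quotes and computes RFC 4226 HOTP / RFC 6238 TOTP codes from it; the URI is the one from his message, and the 20-byte ASCII secret used for the self-check is the RFC 6238 test key.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import parse_qs, unquote, urlparse

# otpauth URI quoted in Mark's message (SHA1, 8 digits, 31-second period).
EXAMPLE_URI = ("otpauth://totp/ACME%20Co:joh...@em...?secret="
               "HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=ACME%20Co"
               "&algorithm=SHA1&digits=8&period=31")
ALLOWED_ALGORITHMS = ("SHA1", "SHA256", "SHA512")  # the set RFC 6238 defines


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    if algorithm not in ALLOWED_ALGORITHMS or not 6 <= digits <= 8:
        raise ValueError("unsupported OTP parameters")
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP with the counter set to floor(time / period)."""
    return hotp(key, int(unix_time) // period, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Extract seed and parameters from an otpauth://totp/... or otpauth://hotp/... URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)           # QR payloads usually omit base32 padding
    return {
        "type": u.netloc,
        "label": unquote(u.path.lstrip("/")),    # "Issuer:account" as shown to the user
        "issuer": q.get("issuer"),
        "secret": base64.b32decode(secret),      # raw seed bytes; this is the sensitive part
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "counter": int(q["counter"]) if "counter" in q else None,
    }


if __name__ == "__main__":
    cfg = parse_otpauth(EXAMPLE_URI)
    print(cfg["label"], totp(cfg["secret"], time.time(), cfg["period"], cfg["digits"], cfg["algorithm"]))
```

Storing the decoded seed rather than the raw URI lets a password manager treat it like the password field (encrypted, never logged), and validating algorithm and digits at parse time rejects malformed QR payloads before they reach the HMAC.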