# random
elect

03/21/2024, 8:23 AM
our VPN now requires 2-step authentication, I'm using the Google Authenticator app, but it's frustrating having to get the phone every time.. would it be possible to automate my login by querying some API about the 2-step code via REST or similar? I found this, but it's not what I'm looking for
it seems to be open source and there are some implementations around
Robert Williams

03/21/2024, 10:46 AM
https://www.nongnu.org/oath-toolkit/oathtool.1.html is probably what you want (offline, open source, cross platform)
But be aware that if you're already saving the password locally, storing the OTP secret key on the same device is a bad idea (ruins the point of 2FA) and may be forbidden by your employer
elect

03/21/2024, 10:49 AM
I retrieve the password from Firefox and the 2FA code from the phone, I want to avoid both
🤡 1
Robert Williams

03/21/2024, 12:01 PM
This is the classic security/convenience tradeoff. Ultimately it's between you and your company to find a solution that's acceptable for both. Make sure you understand the security policies and the reasons behind them, and don't try to be too clever.
Leonardo Silveira

03/21/2024, 12:54 PM
Shawn

03/22/2024, 3:43 AM
keeping the password and authenticator secret in the same place doesn't defeat the point of 2FA at all
2FA doesn't protect against your device getting stolen or owned, it mitigates the effect of password theft or accidental disclosure
if one of your account passwords gets stolen by a bad actor, that doesn't mean they got it by taking or otherwise getting into your laptop or phone or whatever else you might use for the second factor; it probably means that someone you trusted with a password didn't store it properly or didn't correctly set up access control and leaked it through a contractor or something
if that happens, 2FA protects you by being a factor that that bad actor could not have gotten through those same means
if a password I used with 2FA at FooCorp gets leaked and Bob in Turkmenistan buys the account dump with my email and password in it, he still can't log into my FooCorp account whether I stored my TOTP shared secret in 1Password or in Google Authenticator on my phone because neither of those were the factor that was compromised
if someone steals my laptop and breaks the full disk encryption to get into my password manager, then 2FA wasn't going to protect me no matter how I set it up lol