I know some people think it defeats the purpose, but I consider the threat level of “someone can access arbitrary content in my password manager” higher than “someone can access any account I use TOTP on”.
What it does prevent is someone on the network and/or on the other end from sniffing all of the credentials (it would also be the case if the system used a digest-based authentication method).
Also, my phone is much easier to steal or hack into than any device I have a copy of my (encrypted) password store on.
I just use pass + oathtool.
For instance, in “2fa/github”, I store:
In my .bashrc I have:
and then when I need a code I use:
I should write a blog article to explain that. :)
EDIT: I just did.
How is this different from using the pass-otp extension to pass? I don’t have experience with either, but I use pass to store my regular passwords.
I just didn’t know pass-otp. It also uses oathtool and zbar, and it is packaged for Arch. I will add it to my post.
Using pass-otp, it’s just a matter of:
pass otp 2fa/github
And storing the otpauth string in the pass file:
otpauth://totp/GitHub:USERNAME?secret=SECRETSECRET&issuer=GitHub
Worth noting that the pass iOS app can scan QR codes to add the otpauth to your entries, quite neat.
Perhaps I’m missing something, but I don’t like doing TOTP on the same device that my passwords are stored on.
You can also do this on another device, e.g. a RPi whose only job is to generate TOTP tokens.