Channel: Tutorials — LowEndTalk

Backup your 2FA


2FA on Google and most other services follows the Time-based One-time Password (TOTP) standard, which combines a shared key and the current time to generate an OTP. So once you have the shared key, use it to seed multiple token generators, not just Google Authenticator.

(Option 1): Recover shared key from existing Google Authenticator

If Google Authenticator is on a rooted phone, use adb (pacman -S android-tools) to recover the key: https://gist.github.com/jbinto/8876658

More likely, you would need to delete your current device and re-register it in Google.

(Option 2): Extract shared key from the QR code (New device registration)

Install ZXing

Dependencies: opencv (pacman -S opencv on ArchLinux)

$ git clone https://github.com/glassechidna/zxing-cpp
$ cd zxing-cpp
$ mkdir build
$ cd build
$ cmake -G "Unix Makefiles" \
    -DCMAKE_INSTALL_PREFIX:PATH=/usr \
    -DCMAKE_BUILD_TYPE=Release \
    ..
$ make
$ sudo make install

This installs /usr/bin/zxing.

Save QR code and extract key

When Google displays a QR code for Google-Authenticator, use a screenshot tool to capture the QR code alone in an image file. Pass it as input to zxing to read the QR.

$ zxing image.png
otpauth://totp/Google%3AYOUREMAILID%40gmail.com?secret=YOURSECRETCODE&issuer=Google

The secret-code is all that is needed to initialize your OTP token generator.
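As an added illustration of the two points above (the otpauth:// URI that zxing prints, and TOTP being HMAC over a shared key and the current time step), here is a small Python script that parses such a URI, base32-decodes the secret and computes the code per RFC 4226/6238. This is example code written for this page, not part of any of the tools mentioned; the URI below is constructed using the RFC 6238 reference secret ("12345678901234567890") rather than a real account, and the label/issuer values are placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the RFC 6238 reference secret (ASCII "12345678901234567890"),
# base32-encoded the way an otpauth URI carries it. Not a real account.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
SAMPLE_URI = (
    "otpauth://totp/Google%3Aalice%40example.com"
    f"?secret={RFC6238_SECRET_B32}&issuer=Google"
)


def parse_otpauth(uri: str) -> dict:
    """Pull the fields out of an otpauth://totp/... URI as zxing prints it."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("URI carries no secret parameter")
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "issuer": q.get("issuer", [""])[0],
        # Defaults per the Google Authenticator key-URI convention.
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
    }


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode the secret; authenticator apps tolerate lower case,
    spaces and missing '=' padding, so normalise before decoding."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce mod 10^digits and zero-pad."""
    h = getattr(hashlib, algorithm.lower())
    digest = hmac.new(key, struct.pack(">Q", counter), h).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_from_uri(uri: str, unix_time: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    p = parse_otpauth(uri)
    t = int(time.time()) if unix_time is None else unix_time
    return hotp(decode_secret(p["secret"]), t // p["period"], p["digits"], p["algorithm"])


if __name__ == "__main__":
    info = parse_otpauth(SAMPLE_URI)
    print(f"label={info['label']} issuer={info['issuer']} period={info['period']}s")
    print("current code:", totp_from_uri(SAMPLE_URI))
```

Passing a fixed `unix_time` reproduces the RFC 6238 test vectors (for example 59 gives 287082 at six digits), which is a quick way to confirm a second token generator was seeded with the same secret as the first before relying on it.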

Install and initialize your OTP token generator

Came across the following combos:

  • pass + totp-cli
  • Keepass TOTP plugins (KeeOTP or TrayOTP )
  • LinOTP Supports hardware keys like Yubi, RADIUS tokens, and TOTP. Runs as a webserver. Very enterprise.
  • Authy Cloud OTP. Seemed like a bad idea.

I found the first option the most appealing.

Install pass

Dependencies: gnupg for encryption, tree for displaying ASCII trees.

While pass is part of most repos (apt install pass or pacman -S pass), the latest version 1.7.0 has still not made it in. So, install from source:

$ wget https://git.zx2c4.com/password-store/snapshot/password-store-1.7.tar.xz
$ tar Jxvf password-store-1.7.tar.xz
$ cd password-store-1.7
$ sudo make install

Initialize your password store

Create a GPG key with id, say password-store. Use the id to initialize pass:

$ pass init password-store

Optionally push to a git repo

$ pass git init
$ pass git remote add origin http://your_git_repo/user/repo

To push to the repo: pass git push -u --all. More details here: [Extended example](https://git.zx2c4.com/password-store/about/#EXTENDED GIT EXAMPLE)

Setup OTP generator

Dependencies: xclip, python >= 3.3

$ pip install totp

The shared key needs to be stored in pass in the format 2fa/Service/code, e.g. 2fa/Google/code or 2fa/Github/code. Take the secret code extracted from the QR and store it in pass:

$ pass insert 2fa/Google/code

The passwords/codes in pass are encrypted with the GPG key the store was initialized with.

Now, anytime you need a 2FA code, run:

$ totp Google
