Comment by al_borland

Comment by al_borland 6 days ago

81 replies

View on Hacker News

> I'm sure phones are just as stimulating for some.

This is one of my big objections do 2FA. My work has been pushing it hard, and from a security perspective, I get it. However, it’s all via an Authenticator app on the phone. We can no longer set down our phones and simply work. To start working, and periodically throughout the day, we are now forced to pickup our phones to authenticate. This invites the chance to see other notifications, check and app quickly, or more generally, break flow as we have to switch to another device and back again.

All of this seems like a suboptimal solution.

jvanderbot 6 days ago

You should try a CLI-based workflow for 2FA. As long as you can exfiltrate the secret (and you often can by pretending you can't scan QR codes), then you can use oathtool to generate passcodes.

1. use 'pass' to save the secret: 'pass edit work.secret' <enter it and quit>

2. use oathtool to generate 2fa given a secret:

' #!/bin/bash

oathtool -b --totp "`pass show $1.secret`" >&1 '

use it like '2fa work'

If you have 'xsel' you can even do

'oathtool -b --totp "`pass show $1.secret`" | xsel -ib'

to copy it to clipboard automatically.

Reply View 8 replies
  • mxmlnkn 6 days ago

    Even if you only have the QR code, you can download the image or screenshot it and then extract the secret without ever having to use a smartphone by using zbarimg and then manually extracting the secret from the URI:

        sudo apt-get install zbar-tools oathtool
    zbarimg qr-2fa-code.png
    Output:

        QR-Code:otpauth://totp/username?secret=ABCDEFSECRET012349BASE32&period=30&digits=6
    If you have some 2FA that you need to enter 10 times per day, then you can also add a global shortcut to automatically paste it. Of course, this undermines the "second device" security. Some PC password managers also support 2FA, e.g. https://github.com/paolostivanin/OTPClient ( sudo apt install otpclient )
    Reply View 1 reply
    • Gormo 6 days ago

      I have this little one-liner mapped to a hotkey combo:

      `bash -c 'xfce4-screenshooter -r -o zbarimg | gxmessage -title "Decoded Data" -fn "Consolas 12" -wrap -geometry 640x480 -file -'`

      Works great if you have xfce4-screenshooter, gxmessage, and zbarimg installed. It allows you to draw a box around a screen region, screenshots it, decodes it via zbarimg, and pipes the output into a dialog box with copyable text.

      Reply View 0 replies
  • pmahoney 6 days ago

    Just to add, 'pass' has an otp extension to simplify this a bit [1]

    With that, you can do

        $ zbarimg -q --raw qrcode.png | pass otp insert <some-name>
    $ pass otp <some-name>  # or pipe to xsel
    [1] https://github.com/tadfisher/pass-otp
    Reply View 1 reply
    • chriswarbo 6 days ago

      Heh, I use pass like this; but it's on my (Pine)Phone, so it doesn't solve the parent's original problem ;-)

      Although the nice thing about CLI workflows is that I can easily run it by SSHing into my phone (just make sure you set up GPG so the passphrase prompt will appear in your terminal, and not as a popup on the phone!)

      Reply View 0 replies
  • [removed] 6 days ago
    [deleted]
    Reply View 0 replies
  • reddit_clone 6 days ago

    We also have Microsoft authentication that displays a number on the browser and asks you to enter in on the device! :-(

    Reply View 2 replies
    • roywashere 6 days ago

      My company also uses MS auth + 2fa for everything. Even signing into corporate G-suite :-). But I do not like the Microsoft Authenticator - I previously had issues where it would not show the number - and I was able to switch to a different TOTP provider. It’s a bit buried in the menus but possible

      Reply View 0 replies
    • svelle 6 days ago

      Unless they have explicitly disabled it even m365 has the option to add a totp 2fa method. Might be worth double checking.

      Reply View 0 replies
bwestergard 6 days ago

In my union contract we have language that requires the employer to provide us with a hardware 2FA token for just this reason. I and some of my coworkers don't use smartphones, and we didn't want to be obligated to use one for work.

"So long as [employer's] access management vendor... supports the use of physical two-factor authentication devices (for example, a YubiKey), [employer] shall make such devices available to Employees upon their submission of a request for the device."

Reply View 1 reply
  • autoexec 6 days ago

    I've worked in places that wanted to push cell phone apps on the team for auth and we also pushed for hardware tokens. It worked extremely well. The concerns we had were mainly centered on privacy since the app wanted location/camera access and apps can (or at least at the time could) get a ton of data from your device without requesting any permission at all like getting a list of every app you have installed, or data from sensors like the accelerometer, gyroscope, compass, barometer, thermometer, etc.

    Reply View 0 replies
haswell 6 days ago

I'm old enough to have lived through the era of standalone authenticators. The downsides of that approach are also numerous.

I understand where you're coming from though, and I think this is where OS features like Focus Modes come into play.

When I'm in a "Work" mode, I literally don't see notifications from most of my apps. They don't show up in the notification center, or on app icon badges, or anywhere.

This takes a few minutes to set up, but once it's in place, it's fantastic. I also do this for other aspects of my life: Photography, Research, etc. When I'm in those modes, I don't want to see anything except for the apps that are specific to what I'm doing. It's worth the effort of setting this up IMO, and extends far beyond just work.

Reply View 0 replies
Sanzig 6 days ago

Hmm. I wonder if there would be a market for a super simple TOTP authentication device with an e-paper display. Kind of like those RSA tokens with the LCDs, but more modern and able to hold any number of TOTP credentials.

Getting the credentials loaded could be a bit of a pain without a camera for QR code scanning. Easiest solution would be via Bluetooth to a companion app, which you would probably want anyway for periodic time sync (likely wouldn't be worth it to embed a GNSS receiver just to update the time).

Probably be a pretty small market, but as a niche Kickstarter device? I could see a small but loyal customer base.

Reply View 16 replies
  • HappMacDonald 6 days ago

    Sounds like a job for a second phone, one which you'd just be extra careful to only use for one purpose. It can be cheap as balls, but it will have a QR-compatible camera and whatever else we may have come to expect from such a device. :)

    Reply View 1 reply
    • mystifyingpoi 6 days ago

      Yup. Just use a secondary 5-year old phone for dirt cheap. I was actually considering doing it once, but the convenience takes a hit.

      Reply View 0 replies
  • myself248 5 days ago

    Make sure your GNSS receiver supports OSNMA, and be _extremely_ trusting of your battery-backed RTC and profoundly skeptical of time jumps over a certain magnitude.

    GNSS spoofing is trivial now and it's an extremely useful way to manipulate a target device's idea of time, which breaks all sorts of things. (SSL certificate validity periods...)

    Reply View 0 replies
  • worldsayshi 6 days ago

    I would love this, but only if it also successfully implemented a few disparate authentication protocols that essentially do the same things (prove identity) but are regrettably proprietary - like the de facto standard electronic ID in Sweden, BankID.

    Reply View 0 replies
  • hbn 6 days ago

    Yubikey?

    Reply View 4 replies
    • Sanzig 6 days ago

      Yubikey does TOTP on-board, but you need to connect it to a phone or computer (no display or on-board power). It solves a different problem, where you want to have your TOTP credentials on a tamper resistant hardware security module. It doesn't solve the "don't want to carry around a phone for TOTP" problem.

      Reply View 3 replies
      • bawolff 6 days ago

        This doesnt make sense. If you need a 2FA code then you are obviously using some device like a laptop already. Yubikey totally solves the "need a second personal device" problem.

        Reply View 0 replies
      • WhyNotHugo 6 days ago

        > It doesn't solve the "don't want to carry around a phone for TOTP" problem.

        It does—if you carry the Yubikey you don't need a phone.

        Reply View 0 replies
      • tigereyeTO 6 days ago

        If you read a six-digit pin from an e-ink display, you have to type it into your computer.

        If you grab it from a plugged-in yubikey, you can copy and paste it. That seems way easier

        Reply View 0 replies
  • tigereyeTO 6 days ago

    A yubikey works great for this

    Reply View 1 reply
    • lazyeye 6 days ago

      I used to use a yubikey but have now moved onto a fingerprint sensor and passkeys. Doesnt work for all sites but does for most of them.

      Reply View 0 replies
  • fifticon 6 days ago

    they exist, in my country they are available as alternative to smartphone apps for identity auth. (ie you can choose between android, iphone, and TOTP LCD device.)

    Reply View 0 replies
Game_Ender 6 days ago

Have you tried a smart watch? The Duo 2FA app lets you add an arbitrary TFA code based authenticator with same QR code Google Authenticator supports and generate those from their Apple WatchOS [0] or Android WearOS apps. I have used it successfully for years, it's a huge reason I got an Apple Watch in fact. Now you'll have to configure your watch with a "work" focus mode that turns off all notifications and not install any fancy apps on the watch (do those still exist?), but it can free you from your phone.

Along the same lines the Meta Wayfarer[2] smart glasses lets you take slice of life photos and videos without needing to whip out your phone. You lose a ton of quality but stay in the moment more. The AI features are getting better so eventually you'll be able to use it for basic information lookup.

0 - https://guide.duo.com/apple-watch

1 - https://guide.duo.com/duo-wear

2 - https://www.meta.com/ai-glasses/wayfarer

Reply View 0 replies
fossuser 6 days ago

Yubikey nanos are the way out of that specific problem

Reply View 3 replies
  • unshavedyak 6 days ago

    I imagine Yubikey doesn't support all the stupid custom-app-2fa that companies push out.

    I really wish they'd just stick to classic TOTP.

    Reply View 0 replies
  • mjfisher 6 days ago

    Is there a way of getting them to store a dozen or so totp secrets? And if so, how do you select which one you want to use?

    Reply View 1 reply
    • ajolly 3 days ago

      For that use case get an onlykey rather than a yubikey.

      Reply View 0 replies
vitro 6 days ago

Check this out: https://github.com/Authenticator-Extension/Authenticator

Reply View 3 replies
  • password4321 6 days ago

    Taking the 2 out of 2FA since 2017!</sarcasm>

    Thanks for sharing a potentially useful tool but I will not use it without a lot more details about how this browser extension secures the 2FA secrets from sketchy websites/ads.

    Reply View 2 replies
    • BHSPitMonkey 6 days ago

      Most trusted desktop password manager apps can manage and autofill OTPs in browsers as well, e.g. KeepassXC and 1password. (If you're making the tradeoff anyway, I think you may as well use a password manager you already trust with other secrets.)

      Reply View 1 reply
      • dicknuckle 5 days ago

        keepassxc does great with TOTP codes, but the default client isn't the easiest to add them with.

        Reply View 0 replies
mcherm 6 days ago

First of all, I'm not a fan of constantly needing to re-authenticate.

But for your specific problem there is a simple solution that isn't particularly expensive. Buy a new phone. Install 2FA on it, and don't install anything else.

Reply View 1 reply
  • GianFabien 5 days ago

    I just use an old phone that I've wiped clean and removed the SIM. Sits on the desk and I just glance at it when I need a new 2FA code.

    Reply View 0 replies
treetalker 6 days ago

I imagine you've considered it already, but maybe your work would be willing to put the 2FA secret into something like 1Password, which you could access on your computer instead of your phone.

Reply View 12 replies
  • unshavedyak 6 days ago

    Defeats the purpose of 2FA though. I'd argue a cheap 2FA-only phone would be good, if they're struggling to touch their real phone without being consumed by distractions.

    Reply View 11 replies
    • xanthor 6 days ago

      It does not defeat the purpose of 2FA as possession of the decrypted 1Password vault is the second factor.

      Reply View 10 replies
      • BobaFloutist 6 days ago

        Isn't that just remembering two passwords instead of one? And isn't two passwords instead of one basically the same as remembering one very long password?

        For that matter, how do they prevent you from using the same password for both?

        Reply View 4 replies
      • unshavedyak 6 days ago

        Well i'm assuming 1Pass is also storing the password. Ie if it's in the same place for your pass and token, it's 1FA, no?

        Reply View 4 replies
ambicapter 6 days ago

Time to get a “work” phone.

Reply View 2 replies
  • al_borland 6 days ago

    I carried 2 phones for many years. It was more trouble than it’s worth. Especially these days. Working from home, my only work use of the phone is for the Authenticator app.

    Reply View 0 replies
  • krustyburger 6 days ago

    The optics of that can be questionable. Just ask Skyler White or her brother-in-law.

    Reply View 0 replies
dwedge 6 days ago

If it's Authenticator you can use bitwarden from your browser, that's what I do. If you're using a custom app or something different then yeah it's annoying

Reply View 0 replies
umvi 6 days ago

Get a keyboard with a usb port on the side. Insert yubikey nano. Now instead of annoying 2FA you just reach your finger over and touch.

Reply View 0 replies
slumberlust 6 days ago

Why does it have to be an app on your phone? IT should be able to support yubikeys (or similiar) and even printed OTP lists.

Reply View 1 reply
  • al_borland 6 days ago

    I see some evidence that yubikeys are used somewhere in the organization, but not sure where or how.

    The only information we were sent to get this all setup was specifically for a phone. The portal that exists to add devices only appears to support phones.

    I have a co-worker who simply tried to use Authy instead of MS Authenticator and it didn’t work. There is a lot of bureaucracy that typically makes it not worth the fight.

    Reply View 0 replies
octatrack 5 days ago

Apple Watch with Authy is a great solution for this. I don’t need to have my phone in the same room to use 2FA.

Reply View 0 replies
dckx 6 days ago

> However, it’s all via an Authenticator app on the phone.

Why not save the secret on your laptop and generate the OTP on your laptop?

Reply View 1 reply
  • joombaga 6 days ago

    I use MS Authenticator for work too. It doesn't do standard TOTP, at least not for Entra. The QR codes don't contain the secret. IDK that anyone has been able to exfiltrate a secret and generate codes with a third party app.

    I personally use an Android emulator on my laptop, which achieves the same goal. It saves and restores state automatically for quick startup.

    Reply View 0 replies
chairmansteve 6 days ago

You can use the Freedom app.

url freedom.to

Or just disable notifications. The iphone has a do not disturb mode that can be scheduled.

Reply View 0 replies
lazyeye 6 days ago

Most password managers (Bitwarden, 1Password etc) have a function for generating TOTP codes.

Reply View 0 replies
yard2010 6 days ago

Ever since I disabled all the notifications on my phone my life has been happier. It won't work for everyone (50% of the time it doesn't even work for me), but I can't help but write this anecdote here.

Reply View 0 replies
thenaturalist 6 days ago

Get a Yubikey or similar, have a USB port close, one finger tip, done.

Reply View 0 replies
jaffee 6 days ago

1Password can be your 2fa and autofill those fields. It has a built in scanner which will look at your screen and read the QR code on the screen (no separate device needed).

Reply View 3 replies
  • netsharc 6 days ago

    The comments here have the genre of "2 factor, 1 device"...

    Reply View 2 replies
    • InitialBP 6 days ago

      Two Factor doesn't mean 2 devices. Two factor generally has been thought of as "something you know, and something you have."

      Let's do a quick threat model on putting both passwords and MFA tokens in a 1password vault.

      1Password employees a recovery key + password login by default, and logging into a vault requires you to either have a device with the encrypted vault on it and your password, or have knowledge of your password and knowledge of your recovery key (normally in a file which makes it something you have) essentially traditional 2fa needed to log into a new device.

      If someone steals your phone with 1password installed - they need your 1password to be able to access your credentials on the physical device. At that point they already have both your factors - your phone (have) and your password (know) - still protected by 2fa.

      If someone manages to fully root your computer, they could wait until you unlock your vault and then extract your credentials. However, if you use traditional 2fa on a separate device - then they can just wait until you log into the target app, and then ride your session and get the same level of access to the target. While there may be a small difference in level of effort or how long it takes, the same access level is possible, and the requirements are that they have very privileged access to your operating system. Someone rooting the device that you login to services is grants them "single factor" access to your services when you access them.

      There is some subtle differences between these, but except for situations where you have very high privileged requirements, at which point you should be using yubikeys or standalone MFA devices, using 1Password with OTP and password is very comparable to using a separate device for MFA.

      I'm a previous red teamer and currently a blue teamer.

      Reply View 0 replies
    • dullcrisp 6 days ago

      It was never meant to be two device authentication.

      Reply View 0 replies
icoder 6 days ago

Reminds me of when I was developing an application 'in' Facebook (when it was mostly friends but with adds for addictive games in the sidebar)

Reply View 0 replies
SlightlyLeftPad 5 days ago

Invest in a password manager that stores it all, including the rolling codes

Reply View 0 replies
Tokumei-no-hito 6 days ago

do you use a pw manager? bitwarden (OSS) has it built in if you pay for premium. i think it's an extra 1-3/mo but well worth it to support the team

Reply View 0 replies
jklinger410 6 days ago

It's not your job's responsibility to cater to your lack of self control

Reply View 2 replies
  • al_borland 6 days ago

    Even doing nothing beyond the authentication, it is still requiring task switching, changes devices, waiting for codes, entering them, switching back. It’s very disruptive to any type of flow state.

    Reply View 0 replies