
> I'm sure phones are just as stimulating for some.

This is one of my big objections do 2FA. My work has been pushing it hard, and from a security perspective, I get it. However, it’s all via an Authenticator app on the phone. We can no longer set down our phones and simply work. To start working, and periodically throughout the day, we are now forced to pickup our phones to authenticate. This invites the chance to see other notifications, check and app quickly, or more generally, break flow as we have to switch to another device and back again.

All of this seems like a suboptimal solution.



You should try a CLI-based workflow for 2FA. As long as you can exfiltrate the secret (and you often can by pretending you can't scan QR codes), then you can use oathtool to generate passcodes.

1. use 'pass' to save the secret: 'pass edit work.secret' <enter it and quit>

2. use oathtool to generate 2fa given a secret:

    #!/bin/bash
    # usage: 2fa <name>  (reads the base32 secret stored in pass as <name>.secret)
    oathtool -b --totp "$(pass show "$1.secret")"

use it like '2fa work'

If you have 'xsel' you can even do

    oathtool -b --totp "$(pass show "$1.secret")" | xsel -ib

to copy it to clipboard automatically.


Even if you only have the QR code, you can download the image or screenshot it and then extract the secret without ever having to use a smartphone by using zbarimg and then manually extracting the secret from the URI:

    sudo apt-get install zbar-tools oathtool
    zbarimg qr-2fa-code.png
    
Output:

    QR-Code:otpauth://totp/username?secret=ABCDEFSECRET012349BASE32&period=30&digits=6

If you have some 2FA that you need to enter 10 times per day, then you can also add a global shortcut to automatically paste it. Of course, this undermines the "second device" security. Some PC password managers also support 2FA, e.g. https://github.com/paolostivanin/OTPClient ( sudo apt install otpclient )
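The otpauth:// URI that zbarimg prints above already carries everything the oathtool step needs (secret, period, digits). As an added example, not code from any poster in this thread, the following Python parses such a URI and generates and verifies the code itself with only the standard library; the sample URI is constructed and uses the RFC 6238 test key "12345678901234567890" in base32 rather than a real secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample in the same shape as the zbarimg output above. The secret is
# the RFC 6238 test key "12345678901234567890" in base32, not a real credential.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.org"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
              "&period=30&digits=6&algorithm=SHA1")

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def parse_otpauth(uri):
    """Return (label, key_bytes, period, digits, hash_fn) from an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].replace(" ", "").upper()
    # Enrolment QR codes usually omit the base32 '=' padding that b32decode insists on.
    secret += "=" * (-len(secret) % 8)
    key = base64.b32decode(secret)  # raises ValueError on a non-base32 character
    period = int(q.get("period", 30))
    digits = int(q.get("digits", 6))
    hash_fn = HASHES[q.get("algorithm", "SHA1").upper()]
    return unquote(u.path.lstrip("/")), key, period, digits, hash_fn

def hotp(key, counter, digits=6, hash_fn=hashlib.sha1):
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hash_fn).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp_from_uri(uri, now=None):
    """RFC 6238: the counter is the number of whole periods elapsed since the Unix epoch."""
    _, key, period, digits, hash_fn = parse_otpauth(uri)
    t = int(time.time() if now is None else now)
    return hotp(key, t // period, digits, hash_fn)

def verify_totp(uri, code, now=None, window=1):
    """Server-side check: accept the current step or up to `window` steps either side.
    This slack is what absorbs small clock drift on a standalone token; a badly
    skewed (or spoofed) clock produces codes outside the window and is rejected."""
    _, key, period, digits, hash_fn = parse_otpauth(uri)
    step = int(time.time() if now is None else now) // period
    return any(hmac.compare_digest(hotp(key, s, digits, hash_fn), code)
               for s in range(step - window, step + window + 1))

if __name__ == "__main__":
    # Time 59 is the first RFC 6238 Appendix B vector (8-digit value 94287082).
    print(totp_from_uri(SAMPLE_URI, now=59))  # 287082
    print(totp_from_uri(SAMPLE_URI))          # live code for the sample key
```

The output for the sample key at time 59 matches the RFC 6238 test vectors, so you can check the script against oathtool before trusting it with a real secret.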


I have this little one-liner mapped to a hotkey combo:

`bash -c 'xfce4-screenshooter -r -o zbarimg | gxmessage -title "Decoded Data" -fn "Consolas 12" -wrap -geometry 640x480 -file -'`

Works great if you have xfce4-screenshooter, gxmessage, and zbarimg installed. It allows you to draw a box around a screen region, screenshots it, decodes it via zbarimg, and pipes the output into a dialog box with copyable text.


Just to add, 'pass' has an otp extension to simplify this a bit [1]

With that, you can do

    $ zbarimg -q --raw qrcode.png | pass otp insert <some-name>
    $ pass otp <some-name>  # or pipe to xsel

[1] https://github.com/tadfisher/pass-otp


Heh, I use pass like this; but it's on my (Pine)Phone, so it doesn't solve the parent's original problem ;-)

Although the nice thing about CLI workflows is that I can easily run it by SSHing into my phone (just make sure you set up GPG so the passphrase prompt will appear in your terminal, and not as a popup on the phone!)


We also have Microsoft authentication that displays a number on the browser and asks you to enter it on the device! :-(


My company also uses MS auth + 2fa for everything. Even signing into corporate G-suite :-). But I do not like the Microsoft Authenticator - I previously had issues where it would not show the number - and I was able to switch to a different TOTP provider. It’s a bit buried in the menus but possible.


Unless they have explicitly disabled it even m365 has the option to add a totp 2fa method. Might be worth double checking.


In my union contract we have language that requires the employer to provide us with a hardware 2FA token for just this reason. I and some of my coworkers don't use smartphones, and we didn't want to be obligated to use one for work.

"So long as [employer's] access management vendor... supports the use of physical two-factor authentication devices (for example, a YubiKey), [employer] shall make such devices available to Employees upon their submission of a request for the device."


I've worked in places that wanted to push cell phone apps on the team for auth and we also pushed for hardware tokens. It worked extremely well. The concerns we had were mainly centered on privacy since the app wanted location/camera access and apps can (or at least at the time could) get a ton of data from your device without requesting any permission at all like getting a list of every app you have installed, or data from sensors like the accelerometer, gyroscope, compass, barometer, thermometer, etc.


I'm old enough to have lived through the era of standalone authenticators. The downsides of that approach are also numerous.

I understand where you're coming from though, and I think this is where OS features like Focus Modes come into play.

When I'm in a "Work" mode, I literally don't see notifications from most of my apps. They don't show up in the notification center, or on app icon badges, or anywhere.

This takes a few minutes to set up, but once it's in place, it's fantastic. I also do this for other aspects of my life: Photography, Research, etc. When I'm in those modes, I don't want to see anything except for the apps that are specific to what I'm doing. It's worth the effort of setting this up IMO, and extends far beyond just work.


Hmm. I wonder if there would be a market for a super simple TOTP authentication device with an e-paper display. Kind of like those RSA tokens with the LCDs, but more modern and able to hold any number of TOTP credentials.

Getting the credentials loaded could be a bit of a pain without a camera for QR code scanning. Easiest solution would be via Bluetooth to a companion app, which you would probably want anyway for periodic time sync (likely wouldn't be worth it to embed a GNSS receiver just to update the time).

Probably be a pretty small market, but as a niche Kickstarter device? I could see a small but loyal customer base.


Sounds like a job for a second phone, one which you'd just be extra careful to only use for one purpose. It can be cheap as balls, but it will have a QR-compatible camera and whatever else we may have come to expect from such a device. :)


Yup. Just use a secondary 5-year old phone for dirt cheap. I was actually considering doing it once, but the convenience takes a hit.


Make sure your GNSS receiver supports OSNMA, and be _extremely_ trusting of your battery-backed RTC and profoundly skeptical of time jumps over a certain magnitude.

GNSS spoofing is trivial now and it's an extremely useful way to manipulate a target device's idea of time, which breaks all sorts of things. (SSL certificate validity periods...)


This is nearly what you’re looking for (well, not that close, but it’s got the right spirit):

https://blog.singleton.io/posts/2022-10-17-otp-on-wrist/


I would love this, but only if it also successfully implemented a few disparate authentication protocols that essentially do the same things (prove identity) but are regrettably proprietary - like the de facto standard electronic ID in Sweden, BankID.



Yubikey?


Yubikey does TOTP on-board, but you need to connect it to a phone or computer (no display or on-board power). It solves a different problem, where you want to have your TOTP credentials on a tamper resistant hardware security module. It doesn't solve the "don't want to carry around a phone for TOTP" problem.


This doesn't make sense. If you need a 2FA code then you are obviously using some device like a laptop already. Yubikey totally solves the "need a second personal device" problem.


> It doesn't solve the "don't want to carry around a phone for TOTP" problem.

It does—if you carry the Yubikey you don't need a phone.


If you read a six-digit pin from an e-ink display, you have to type it into your computer.

If you grab it from a plugged-in yubikey, you can copy and paste it. That seems way easier


A yubikey works great for this


I used to use a yubikey but have now moved onto a fingerprint sensor and passkeys. Doesn't work for all sites but does for most of them.


they exist, in my country they are available as alternative to smartphone apps for identity auth. (ie you can choose between android, iphone, and TOTP LCD device.)


Flipper Zero supports that


Have you tried a smart watch? The Duo 2FA app lets you add an arbitrary TFA-code-based authenticator with the same QR code Google Authenticator supports and generate those from their Apple WatchOS [0] or Android WearOS [1] apps. I have used it successfully for years, it's a huge reason I got an Apple Watch in fact. Now you'll have to configure your watch with a "work" focus mode that turns off all notifications and not install any fancy apps on the watch (do those still exist?), but it can free you from your phone.

Along the same lines the Meta Wayfarer[2] smart glasses lets you take slice of life photos and videos without needing to whip out your phone. You lose a ton of quality but stay in the moment more. The AI features are getting better so eventually you'll be able to use it for basic information lookup.

0 - https://guide.duo.com/apple-watch

1 - https://guide.duo.com/duo-wear

2 - https://www.meta.com/ai-glasses/wayfarer


Yubikey nanos are the way out of that specific problem


I imagine Yubikey doesn't support all the stupid custom-app-2fa that companies push out.

I really wish they'd just stick to classic TOTP.


Is there a way of getting them to store a dozen or so totp secrets? And if so, how do you select which one you want to use?


For that use case get an onlykey rather than a yubikey.



Taking the 2 out of 2FA since 2017!</sarcasm>

Thanks for sharing a potentially useful tool but I will not use it without a lot more details about how this browser extension secures the 2FA secrets from sketchy websites/ads.


Most trusted desktop password manager apps can manage and autofill OTPs in browsers as well, e.g. KeepassXC and 1password. (If you're making the tradeoff anyway, I think you may as well use a password manager you already trust with other secrets.)


keepassxc does great with TOTP codes, but the default client isn't the easiest to add them with.


This is one of the thing that smart watches should be doing, or even better, something like https://blog.singleton.io/posts/2022-10-17-otp-on-wrist/.


First of all, I'm not a fan of constantly needing to re-authenticate.

But for your specific problem there is a simple solution that isn't particularly expensive. Buy a new phone. Install 2FA on it, and don't install anything else.


I just use an old phone that I've wiped clean and removed the SIM. Sits on the desk and I just glance at it when I need a new 2FA code.


I imagine you've considered it already, but maybe your work would be willing to put the 2FA secret into something like 1Password, which you could access on your computer instead of your phone.


Defeats the purpose of 2FA though. I'd argue a cheap 2FA-only phone would be good, if they're struggling to touch their real phone without being consumed by distractions.


It does not defeat the purpose of 2FA as possession of the decrypted 1Password vault is the second factor.


Isn't that just remembering two passwords instead of one? And isn't two passwords instead of one basically the same as remembering one very long password?

For that matter, how do they prevent you from using the same password for both?


https://news.ycombinator.com/item?id=44259556

I posted another comment explaining why 1Password Vault with both a password and a OTP code is still secure, but in short it does not defeat the purpose. Your vaults are protected and in the situation where someone gets access to your vault it's most likely to be full access to your computer at which point they have other viable methods to get access to a specific service you use.


Isn't the whole point of 2fa that if someone gets access to my computer they can't do shit because they'd need my phone too?


The “whole point” of 2fa is that even if someone knows your password they cannot login with just credentials.

Compromising or stealing a device is a significant escalation from guessing passwords.


It is also more obvious when your device has been stolen vs just the password.


Well, I'm assuming 1Pass is also storing the password. I.e. if it's in the same place for your pass and token, it's 1FA, no?


No the two factors are something you have and something you know. Not something you have and another thing you have. In this case decrypting the vault requires two factors.


In my view the factors are attack vectors. If I wrote both my token and my pass down on a single sticky note, it's 1FA. If I have them on two stickies stored in two locations, it's 2FA.

Though I have no idea, that's just how I internalized it over the years. In your 1Pass example, it's a single attack vector (the password of my 1pass) to compromising both the token and the password of the product/server/thing.


How many feet apart do the two sticky notes have to be before it’s 2FA? :)


In the spirit of the idea, it would be the attack vector imo. So behind locked doors, buildings, safes, etc.

E.g. a hacker can access my computer, even have a clipboard/keylogger on my machine, and have a difficult time finding my token if it's on my phone. They need to attack my phone and my computer.

Having them both in your unlocked 1Password vault means if someone walks by your computer they can access your account. A single location with both of your "2FA". If they had a keylogger installed on your machine, they only need your single 1Pass password to breach your "2FA".

Granted, I imagine that a Phone TOTP would still be a concern with a keylogger on your PC, since you still enter it on your compromised machine. Still more difficult than having the TOTP key though, of course.


You're inventing a new definition of the term 2FA. The problem it was created to solve was the ability of attackers to remotely access services using weak or compromised user passwords. This is relatively low cost to do on a mass scale whereas rooting each individual's computer to compromise their password manager is not.


Time to get a “work” phone.


I carried 2 phones for many years. It was more trouble than it’s worth. Especially these days. Working from home, my only work use of the phone is for the Authenticator app.


The optics of that can be questionable. Just ask Skyler White or her brother-in-law.


If it's Authenticator you can use bitwarden from your browser, that's what I do. If you're using a custom app or something different then yeah it's annoying


Get a keyboard with a usb port on the side. Insert yubikey nano. Now instead of annoying 2FA you just reach your finger over and touch.


Why does it have to be an app on your phone? IT should be able to support yubikeys (or similar) and even printed OTP lists.


I see some evidence that yubikeys are used somewhere in the organization, but not sure where or how.

The only information we were sent to get this all setup was specifically for a phone. The portal that exists to add devices only appears to support phones.

I have a co-worker who simply tried to use Authy instead of MS Authenticator and it didn’t work. There is a lot of bureaucracy that typically makes it not worth the fight.


> However, it’s all via an Authenticator app on the phone.

Why not save the secret on your laptop and generate the OTP on your laptop?


I use MS Authenticator for work too. It doesn't do standard TOTP, at least not for Entra. The QR codes don't contain the secret. IDK that anyone has been able to exfiltrate a secret and generate codes with a third party app.

I personally use an Android emulator on my laptop, which achieves the same goal. It saves and restores state automatically for quick startup.


Apple Watch with Authy is a great solution for this. I don’t need to have my phone in the same room to use 2FA.


You can use the Freedom app.

url freedom.to

Or just disable notifications. The iphone has a do not disturb mode that can be scheduled.


Most password managers (Bitwarden, 1Password etc) have a function for generating TOTP codes.


For Windows, here's a free little authenticator app that lives in your system tray: https://github.com/richard-green/Authentiqr.NET



Ever since I disabled all the notifications on my phone my life has been happier. It won't work for everyone (50% of the time it doesn't even work for me), but I can't help but write this anecdote here.


Get a Yubikey or similar, have a USB port close, one finger tip, done.


1Password can be your 2fa and autofill those fields. It has a built in scanner which will look at your screen and read the QR code on the screen (no separate device needed).


The comments here have the genre of "2 factor, 1 device"...


Two Factor doesn't mean 2 devices. Two factor generally has been thought of as "something you know, and something you have."

Let's do a quick threat model on putting both passwords and MFA tokens in a 1password vault.

1Password employs a recovery key + password login by default, and logging into a vault requires you to either have a device with the encrypted vault on it and your password, or have knowledge of your password and knowledge of your recovery key (normally in a file which makes it something you have) essentially traditional 2fa needed to log into a new device.

If someone steals your phone with 1password installed - they need your 1password to be able to access your credentials on the physical device. At that point they already have both your factors - your phone (have) and your password (know) - still protected by 2fa.

If someone manages to fully root your computer, they could wait until you unlock your vault and then extract your credentials. However, if you use traditional 2fa on a separate device - then they can just wait until you log into the target app, and then ride your session and get the same level of access to the target. While there may be a small difference in level of effort or how long it takes, the same access level is possible, and the requirements are that they have very privileged access to your operating system. Someone rooting the device that you log in to services from grants them "single factor" access to your services when you access them.

There are some subtle differences between these, but except for situations where you have very high privilege requirements, at which point you should be using yubikeys or standalone MFA devices, using 1Password with OTP and password is very comparable to using a separate device for MFA.

I'm a previous red teamer and currently a blue teamer.


It was never meant to be two device authentication.


Reminds me of when I was developing an application 'in' Facebook (when it was mostly friends but with ads for addictive games in the sidebar)


Invest in a password manager that stores it all, including the rolling codes


Use a yubikey


do you use a pw manager? bitwarden (OSS) has it built in if you pay for premium. i think it's an extra 1-3/mo but well worth it to support the team


It's not your job's responsibility to cater to your lack of self control


Even doing nothing beyond the authentication, it still requires task switching, changing devices, waiting for codes, entering them, switching back. It’s very disruptive to any type of flow state.


But it's in their best interests.



