Add possibility to add multiple TOTP devices #158
Comments
Already supported, just scan the QR code with all your apps/devices, just like on GitHub. Ref https://help.github.com/articles/configuring-two-factor-authentication-via-a-totp-mobile-app/
Well ... yes :D But this does not give you the option to revoke a single device if lost... and the QR code only appears once, and it would require you to save the QR code - or to reconfigure every device if you want to add one 😅
Sure, but it's not possible security-wise. We'd have to check x OTP secrets on login, because we don't know which of your x devices is used. This trial and error method would break the necessary effort to guess the TOTP key by x. I doubt this is what we want :-) cc @LukasReschke because I'm not 100% sure if the above is true, it's just my assumption of how this would work.
Sounds logical. And an option to show the QR code again? 😁
Dunno if that's a good idea …
... sorry for hijacking, but: What can I do if I got a new phone in order to register it? There's no QR code displayed and I'd really like not to lose all app-passwords. Can I transfer the TOTP information from my old phone to the new one?
Depends on whether your TOTP client supports that natively. You may also want to save your QR code (or the text-based code) before the codes are hidden - then you could register every device you want - every time 💪 @astriffe
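As an added illustration (not code from this thread or from the Nextcloud project): a server-side TOTP verifier that stores one independent secret per enrolled device, which is the per-device QR approach mentioned later in the thread for Heroku and AWS. It lets a single lost device be revoked, and its `guess_acceptance_probability` makes the trade-off above concrete: every extra secret the server checks multiplies the chance that a random 6-digit guess is accepted. Device names and the `skew` parameter are assumptions of this example.

```python
import hmac, hashlib, struct, secrets
from typing import Dict, Optional

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, at // step, digits)

class MultiDeviceTotp:
    """Per-user server state: one independent secret per device, each revocable alone."""
    def __init__(self, skew: int = 1):
        self.devices: Dict[str, bytes] = {}
        self.skew = skew  # accept +/- this many time steps of clock drift

    def enroll(self, name: str) -> bytes:
        # Hypothetical enrolment: a fresh 160-bit secret, shown to the user once (e.g. as QR)
        secret = secrets.token_bytes(20)
        self.devices[name] = secret
        return secret

    def revoke(self, name: str) -> None:
        """Drop one device's secret; the other devices keep working unchanged."""
        self.devices.pop(name, None)

    def verify(self, code: str, at: int) -> Optional[str]:
        """Return the name of the device whose secret produced `code`, or None."""
        for name, secret in self.devices.items():
            for delta in range(-self.skew, self.skew + 1):
                if hmac.compare_digest(totp(secret, at + delta * 30), code):
                    return name
        return None

    def guess_acceptance_probability(self) -> float:
        """Upper bound on the chance one random 6-digit guess is accepted.
        Each secret contributes (2*skew+1) valid codes, so the bound grows
        linearly with the number of enrolled devices (ignoring rare collisions)."""
        window = 2 * self.skew + 1
        return len(self.devices) * window / 10 ** 6
```

With one device and a +/-1 step window the bound is 3e-6 per guess; with two devices it doubles, which is why rate limiting of OTP attempts matters more as devices are added.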
Thanks a lot for your swift response @MariusBluem. To save the QR code when scanning would probably deserve a prominent place in the docs ;) I'm using https://github.com/0xbb/otp-authenticator as a second factor. Cheers |
Just my two cents: saving the QR code somewhere unsafe is not secure: anybody who has access to it would be able to enter the 2nd auth code (but still need your password before that). I recommend pass and pass-otp for that. Pass-otp can regenerate the QR code from the URI if needed. To get the URI from the QR code you can use zbar.
I use 2FA for other institutions and they naturally allow multiple devices. This thread makes me think that they are not really secure. As a method, I usually doubt what I think, but in this case I am having great difficulty believing myself ;-). Help? |
Heroku allows multiple devices with unique QR codes for each.
Note that AWS also allows for multiple devices to be registered. |
Something like nextcloud/twofactor_u2f#40 just for TOTP 😜
What do you think? @ChristophWurst