Add possibility to add multiple TOTP devices #158

Closed
MariusBluem opened this issue Mar 16, 2017 · 12 comments
Comments

@MariusBluem
Member

Something like nextcloud/twofactor_u2f#40 just for TOTP 😜

What do you think? @ChristophWurst

@ChristophWurst
Member

Already supported, just scan the QR code with all your apps/devices, just like on GitHub. Ref https://help.github.com/articles/configuring-two-factor-authentication-via-a-totp-mobile-app/

@MariusBluem
Member Author

Well ... yes :D But this does not give you the option to revoke a single device if lost... and the QR code only appears once, and it would require you to save the QR code - or to reconfigure every device if you want to add one 😅

@ChristophWurst
Member

Sure, but it's not possible security-wise. We'd have to check x OTP secrets on login, because we don't know which of your x devices is used. This trial and error method would break the necessary effort to guess the TOTP key by x. I doubt this is what we want :-)

cc @LukasReschke because I'm not 100% sure if the above is true, it's just my assumption of how this would work.

@MariusBluem
Member Author

Sounds logical. And an option to show the QR code again? 😁

@ChristophWurst
Member

Dunno if that's a good idea …

@astriffe

... sorry for hijacking, but: What can I do if I got a new phone in order to register it? There's no QR code displayed and I'd really like not to lose all app-passwords. Can I transfer the TOTP information from my old phone to the new one?

@MariusBluem
Member Author

Depends on whether your TOTP client supports that natively. You may also want to save your QR code (or the text-based code) before the codes are hidden - then you could register every device you want - every time 💪 @astriffe

@astriffe

astriffe commented May 23, 2017

Thanks a lot for your swift response @MariusBluem. To save the QR code when scanning would probably deserve a prominent place in the docs ;) I'm using https://github.com/0xbb/otp-authenticator as a second factor. Do you know whether the code is stored in clear text on my server? Or is there no way around re-initializing everything?
Just deactivated 2FA and reactivated it again to get the new code. App-passwords still seem to work :)

Cheers

@Gijom

Gijom commented Jul 17, 2019

Just my two cents: saving the QR code somewhere unsafe is not secure: anybody who has access to it would be able to enter the 2nd auth code (but would still need your password before that).
You would need to save the QR code in a safe place.

I recommend pass and pass-otp for that. Pass-otp can regenerate the QR code from the URI if needed. To get the URI from the QR code you can use zbar.

@emilioalaca

I use 2FA for other institutions and they naturally allow multiple devices. This thread makes me think that they are not really secure. As a method, I usually doubt what I think, but in this case I am having great difficulty believing myself ;-). Help?

@nhed

nhed commented Jun 6, 2023

Heroku allows multiple devices with unique QR codes for each.

@davidbonnet

Note that AWS also allows for multiple devices to be registered.
