setting up 2FA without phone
Summary
I cannot use a phone for 2FA and don't understand the other solution
What is the current bug behavior?
https://gitlab.eclipse.org/help/user/profile/account/two_factor_authentication.md propose several software and/or browser plugin to use 2FA, yet the actual behavior of these solutions is unclear:
- do they also requires a phone number?
- do they impose restrictions on browser usage (some authentifications plugins seem to imply that only one machine can be used, in not-private mode and that the cache must never be cleaned)?
What is the expected correct behavior?
2FA using an email address (possibly different from the one used as eclipse account login) instead of a phone number could be a solution.
A third party software or browser plugin/configuration can be used but more information are required (there are also security considerations of my IT department in order to allow this): in this case this solution should be able to be implemented on different machines.
Priority
- Urgent
- High
- Medium
- Low
Severity
- Blocker
- Major
- Normal
- Low
Impact
From 4th of December on, I won't be able to contribute anymore to my eclipse project.
Activity
Time-based One Time Passwords (TOTP) can be set up using a mobile app, though it's not the only option. Plus, the smartphone used for the app doesn't need a SIM card, as TOTP isn't linked to phone numbers.
Here's the gist: TOTP is a temporary code that changes at fixed intervals, usually every 30 or 60 seconds. It's generated by an algorithm that uses the current time and a secret key as an input, ensuring that each code is unique and only valid for a short period. The user usually gets the TOTP through a dedicated app on their mobile device (we will see below alternative solutions). The app and the server share a secret key and use the same algorithm to generate TOTPs. This secret key is shared at setup time, and is usually displayed as a QR code for the mobile app to scan, but it is also available in text format to use it in other contexts. When logging in, the user enters their password (first factor) and the TOTP displayed on their app (second factor). The server then checks if the entered TOTP matches the one it generates. If they match, access is granted.
But, a mobile app is more about convenience. During setup, you can take the secret key (see screenshot below) and use it in any compatible app for generating TOTP codes.
Many password managers today, like Bitwarden, KeePassCX, 1Password, Dashlane, Lastpass, support this. As long as you store the key securely, you can use a command line tool like oathtool to generate TOTP codes as needed:
oathtool --totp -b "wy43 2slz 5fbx jcc6 pncc pw2q hphp z4oz" 505121However, storing the secret key in a non-secure location reduces the added security of this second factor. That's why we recommend using a protected mobile app or a trusted password manager for this purpose.
Hope that clarifies things!
added prioritymedium severitylow team:security labels
Hi, Thanks for the quick answer.
I'm not sure to understand. In the above example, I get a key from my user settings ("wy43 2slz 5fbx jcc6 pncc pw2q hphp z4oz") and generate locally a PIN with a tool like oathtool? Is that right?
Then, on logging, I can give this PIN as second auth factor. Am I right?
Yet I see that storing this key is indeed critical (but I can manage that with appropriate crypto tools).
So it means that I must get this key before the 4th of december. After that I won't be able to retrieve it. Is it correct?
What, also, puzzled me was the "register with two-factor app". What is its purpose?
I'm not sure to understand. In the above example, I get a key from my user settings ("wy43 2slz 5fbx jcc6 pncc pw2q hphp z4oz") and generate locally a PIN with a tool like oathtool? Is that right?
Then, on logging, I can give this PIN as second auth factor. Am I right?
Yet I see that storing this key is indeed critical (but I can manage that with appropriate crypto tools).
This is all correct.
So it means that I must get this key before the 4th of december. After that I won't be able to retrieve it. Is it correct?
No, you will still be able to get this after Dec 4th. My message to the committer mailing list was a bit confusing. I'm about to send an addendum saying:
After December 4th, anyone attempting to log into gitlab.eclipse.org will be required to set up two-factor authentication (2FA) before they can proceed. However, it's important to note that there will be no restrictions on activating 2FA after this deadline.
Hopefully, this clarifies what will happen after the deadline.
What, also, puzzled me was the "register with two-factor app". What is its purpose?
This is a verification step. Once you got the key, you have to generate the TOTP once and type it in the text field in order to activate the TOTP-based 2FA. The "register with two-factor app" button is just about validating that the TOTP you entered is valid regarding the key that is provided above. This is to prevent people from activating TOTP without storing the key first.
Note that after this verification step, you will see a list of "recovery codes". If you ever lose access to your one-time password authenticator (mobile app, location where you stored the key, ...), you can use one of these recovery codes to sign in to your account. Storing those securely is very important as well.
Let us know if you have any additional question.
Actually IMHO, the "help" pages contains many information but are missing a step-by-step procedure.
I had to go through #1251 (comment 1243538) to be able to reach the page with my key (otherwise I couldn't find it from my profile).
And still, I the gui let me think that I must be first connected to reach this page and being able to enter a pin... Which seems contradictory.
A step by step logging example with TOTP would be helpful and reassuring.
Side note: what would be the equivalent of
oathtoolon windows (I don't have always access to a linux machine, I may use WSL but it seems a bit overkill)?A step by step logging example with TOTP would be helpful and reassuring.
Would a video like https://www.youtube.com/watch?v=lT-bPrkT4ds help? The difficulty with such a step by step is the variety of use cases regarding where the TOTP key can be stored and used.
Side note: what would be the equivalent of
oathtoolon windows (I don't have always access to a linux machine, I may use WSL but it seems a bit overkill)?Unfortunately, I don't know. I would probably recommend to use a passwords manager. If you don't want any cloud-based manager, you can give KeypassXC (it's open source) a try https://keepassxc.org.
Edited by Mikaël BarberoI'm testing keepass as a TOTP provider but the generated PIN are not recognized.
Here are my settings:
- shared secret: same case, with spaces, as in my profile (UTF-8 or BASE64 in keypass settings)
- length: 6 digits
- period: 30s
- algorithm: HMAC-SHA-1
What could be wrong?
Edited by laurent soulierYou followed the same steps as in https://keepassxc.org/docs/KeePassXC_GettingStarted#_adding_totp_to_an_entry ?
update: it seems that spaces must be removed and then the registration succeeded. But I lost my shared secret in the process... Keypass didn't save it (I must have missed some step). Yet I've got my recovery codes. How can I get back my shared-secret or generate a new one? NB I'm on keypass (for certification reasons) and the corresponding doc is: https://www.fhtino.it/blog/using-keepass-as-totp-keys-storage-and-otp-generator
In order to have a new secret, I had to disable 2FA then go back to my setting and "manage 2FA".
I then follow again the steps linked above (I first gave a proper name to my keypass entry).
Correct settings are:- shared secret: same case, without spaces, as in my profile, BASE32 in keypass settings
- length: 6 digits
- period: 30s
- algorithm: HMAC-SHA-1
Then PIN is properly recognised and recovery codes are generated.
Thanks for your help.
