2FA(OTP+Steam) without a phone + Rusty's recommended password manager

I'm sorry Dave, I'm afraid I can't do that
rusty_shackleford
Site Admin
Posts: 10315
Joined: Feb 2, '23

Post by rusty_shackleford »

I consider using phones for 2FA to be complete bullshit, and the insistence upon using 2FA (good) is completely hampered by the method of delivery. From the annoyance of having to grab your phone, open the app, and type in the code, to the possibility of you losing your phone (phones are the #1 lost item), to it dying, it's just a shit idea. And it can be fixed.

KeePassXC is a cross-platform password manager. I've been using it since it was originally just called KeePass, with passwords in my database nearing ~15 years old. Very handy utility, has browser extensions, and so forth. The database itself is password encrypted, so you can even just throw it on a cloud storage site to keep it backed up without worry for privacy.

KeePassXC also has a feature that allows you to generate 2FA codes directly from the application. After creating an entry, you can right click TOTP -> Setup TOTP to see this:
[screenshot of the TOTP setup dialog]

Sometimes 2FA gives you the secret key, sometimes they just give you a QR code. You can use any QR code decoder to get the secret key you need; there are even online ones like https://zxing.org/w/decode.jspx
It will spit out something like this:

otpauth://totp/SecretKey?secret=JFBVG4R7ORKHEZCFHZFW26L5F55SSP2Y
You want the code after the "secret=" part, this one would be "JFBVG4R7ORKHEZCFHZFW26L5F55SSP2Y". I have no idea what this QR code was even for, I just searched for one.

If you want to port codes from something like Google Authenticator, it can also be done but it's a bit tricky. You need to extract the SQLite database from your phone for the application, and then use something like SQLitebrowser to find the secret keys.

You can also attach arbitrary data to an entry, notes, and so forth. I keep my backup codes here too, in notes on the entry. You can attach files too, but I'm unsure what kind of impact this has on the database size, so I haven't done it.

Yes, this works for the HQ's 2FA. It's what I use for logging in. You can enable HQ 2FA in your User Control Panel.

Also works for Steam, as seen in the screenshot above.
Last edited by rusty_shackleford on February 22nd, 2024, 01:07, edited 1 time in total.
WhiteShark
Turtle
Posts: 2098
Joined: Feb 2, '23

Post by WhiteShark »

I started using KeePass and then KeePassXC a while ago, very handy. I did not know about the 2FA features built into it nor that there were browser extensions, so thanks for posting this.
rusty_shackleford
Site Admin
Posts: 10315
Joined: Feb 2, '23

Post by rusty_shackleford »

Also, even more ridiculous, if you have a Google account you cannot simply set up TOTP 2FA. You must use another form of 2FA first (including extremely insecure ones like texting you a code!) before setting one up, but then can remove the first 2FA method and retain the TOTP...
rusty_shackleford
Site Admin
Posts: 10315
Joined: Feb 2, '23

Post by rusty_shackleford »

WhiteShark wrote: March 14th, 2023, 14:40
I started using KeePass and then KeePassXC a while ago, very handy. I did not know about the 2FA features built into it nor that there were browser extensions, so thanks for posting this.
The browser integration for KeePassXC is very good; I prefer it over the browser-native solution.
Nemesis
Director of Synchronous Communication Channels
Posts: 499
Joined: Feb 2, '23

Post by Nemesis »

This motivated me to look into how 1Password handles OTP. Very cool.
POOPERSCOOPER
Posts: 15
Joined: Mar 15, '23

Post by POOPERSCOOPER »

I use LastPass. It doesn't work great with every site in terms of ease of use, and on iPhone it's the same thing, but it's not terrible. They did have a security breach a while ago, which is fun though.
Nemesis
Director of Synchronous Communication Channels
Posts: 499
Joined: Feb 2, '23

Post by Nemesis »

POOPERSCOOPER wrote: March 15th, 2023, 15:36
They did have a security breach a while ago, which is fun though.
They've had multiple security breaches. No one recommends them anymore. Consider jumping to Bitwarden (free hosting) or hosting your own passwords with KeePass.
Lutte
Turtle
Posts: 130
Joined: Feb 2, '23
Location: Frankistan

Post by Lutte »

I used to use KeePass, but migrated to gopass. The command line is more efficient and allows easy combination with other pieces of software to automate password unlocking.

For example, I have a script that calls upon rclone to sync multiple folders; the commands look like this:
rclone --bwlimit 70K:off -P sync "$HOME"/Documents/ gdrive1:/Documents/ --password-command="gopass rclone/config"
I get prompted once for the master password, then it gets cached in the GPG agent and rclone can continue to request the password for the next folders to sync.

It too supports OTP; the browser integration is decent enough and there's an Android port. Syncing works with git; each password and its TOTP, notes etc. are stored as an individual GPG-encrypted file. Hardcore unix stuff, it's basically just a thin layer over other tools. Edit your files with your favored $EDITOR (vim uber alles), encrypted with GPG, versioned and synced with git.
rusty_shackleford
Site Admin
Posts: 10315
Joined: Feb 2, '23

Post by rusty_shackleford »

Made this a global announcement to help those who use Codex and don't want to bother with their phone. I consider phone-based 2FA to be complete bullshit.
Priest
Posts: 20
Joined: Jun 2, '23

Post by Priest »

POOPERSCOOPER wrote: March 15th, 2023, 15:36
I use LastPass. It doesn't work great with every site in terms of ease of use, and on iPhone it's the same thing, but it's not terrible. They did have a security breach a while ago, which is fun though.
Switched away from LastPass after the data leaks. I like Bitwarden personally, but I've heard good things about KeePassXC.
Dead
Turtle
Posts: 1695
Joined: Feb 6, '23

Post by Dead »

Can't I just use a long and hard password? What is this shit
rusty_shackleford
Site Admin
Posts: 10315
Joined: Feb 2, '23

Post by rusty_shackleford »

Dead wrote: June 2nd, 2023, 19:09
Can't I just use a long and hard password? What is this shit
Sure, HQ doesn't enforce 2FA.
Make sure it's not used anywhere else though.
jcd
Posts: 370
Joined: May 30, '23

Post by jcd »

Bitwarden has all the benefits of KeePass and more. If you use KeePass and don't automatically back up your vault on every change, you are going to lose your passwords sooner or later.

Don't use Keepass the way described in the OP as "2FA". You end up with 1FA with a slightly longer password. The point of 2FA is to need two different factors to authenticate. If you keep them both in the same place you might as well forgo it completely. This only makes sense if you're ignorant of the attack vectors that 2FA makes ineffective.
rusty_shackleford
Site Admin
Posts: 10315
Joined: Feb 2, '23

Post by rusty_shackleford »

jcd wrote: June 3rd, 2023, 22:07
Bitwarden has all the benefits of KeePass and more. If you use KeePass and don't automatically back up your vault on every change, you are going to lose your passwords sooner or later.

Don't use Keepass the way described in the OP as "2FA". You end up with 1FA with a slightly longer password. The point of 2FA is to need two different factors to authenticate. If you keep them both in the same place you might as well forgo it completely. This only makes sense if you're ignorant of the attack vectors that 2FA makes ineffective.
It being a separate device has nothing to do with it being 2FA or not. Simply using email verification is a kind of 2FA.
Requiring the one object people are most likely to lose to access your account is retarded.

And do you think it's more or less likely someone would get access to your phone than your desktop?
jcd
Posts: 370
Joined: May 30, '23

Post by jcd »

The point is that if a single device is compromised it should still be impossible to authenticate. Using a phone is not the only alternative. If you keep both the password and the TOTP secret on the same device you effectively have `${password}${TOTP}` as your password, and both are available to the adversary who controls your device, whatever it may be. If you're logged into your email on the same device, the same principle applies.
rusty_shackleford
Site Admin
Posts: 10315
Joined: Feb 2, '23

Post by rusty_shackleford »

jcd wrote: June 3rd, 2023, 22:11
The point is that if a single device is compromised it should still be impossible to authenticate. Using a phone is not the only alternative. If you keep both the password and the TOTP secret on the same device you effectively have `${password}${TOTP}` as your password, and both are available to the adversary who controls your device, whatever it may be. If you're logged into your email on the same device, the same principle applies.
Except that's clearly not the point. What issue do you think the codex is solving by forcing 2FA? Is it in any way related to third parties gaining access to their computers?
jcd
Posts: 370
Joined: May 30, '23

Post by jcd »

You tell me buddy. What is codex trying to solve?

Whatever it is, the threat model 2FA was designed to guard against is pretty wide. Brute forcing passwords is just one of the threats it works for.
rusty_shackleford
Site Admin
Posts: 10315
Joined: Feb 2, '23

Post by rusty_shackleford »

jcd wrote: June 3rd, 2023, 22:16
You tell me buddy. What is codex trying to solve?

Whatever it is, the threat model 2FA was designed to guard against is pretty wide. Brute forcing passwords is just one of the threats it works for.
Codex is solving the issue of boomers/zoomers using the same password on multiple sites. This can also be solved just by using a password manager for unique passwords. But the time for that is past, and now they're being required to use 2FA to login.
Many services now require 2FA to login despite not needing it for this very same reason. What I presented in the OP works to reduce the annoyance caused by this.

The only valid argument you made was backing up the database, which I actually did comment on already:
rusty_shackleford wrote: March 14th, 2023, 13:06
The database itself is password encrypted so you can even just throw it on a cloud storage site to keep it backed up without worry for privacy.
jcd
Posts: 370
Joined: May 30, '23

Post by jcd »

This is just bad security though. You're misinforming your users here and doing them a disservice. It costs nothing to do it properly. The way you're doing it you might as well not use 2FA at all. Do it wrong all you want but don't put together a "guide" if it's going to cause more harm than good.
rusty_shackleford
Site Admin
Posts: 10315
Joined: Feb 2, '23

Post by rusty_shackleford »

jcd wrote: June 3rd, 2023, 22:25
This is just bad security though. You're misinforming your users here and doing them a disservice. It costs nothing to do it properly. The way you're doing it you might as well not use 2FA at all. Do it wrong all you want but don't put together a "guide" if it's going to cause more harm than good.
Again, I disagree it's causing harm and I haven't seen you actually prove why it's harmful.
I consider the risk of someone having their desktop accessed + KPXC database master password known to be near zero, much less than someone being able to steal their phone.
jcd
Posts: 370
Joined: May 30, '23

Post by jcd »

If you're running Windows that database is getting stolen sooner or later. This is a solved problem, no need to make things harder than they need to be.
rusty_shackleford
Site Admin
Posts: 10315
Joined: Feb 2, '23

Post by rusty_shackleford »

jcd wrote: June 3rd, 2023, 22:38
If you're running Windows that database is getting stolen sooner or later. This is a solved problem, no need to make things harder than they need to be.
The database is an AES-256 encrypted file.

I will admit that if you are autistic and want to further improve your security, you should use two separate databases with two separate passwords for username/password and TOTP.

What I presented will stop someone from being able to access an account protected by TOTP because they managed to get access to your password in some form. This is the main security issue facing the massive majority of users. The main use for the massive majority of people is to protect accounts with cracked, leaked, or phished passwords.
rusty_shackleford
Site Admin
Posts: 10315
Joined: Feb 2, '23

Post by rusty_shackleford »

@jcd Just to be clear, I'm not being hostile and welcome these sorts of discussions wrt security issues.
Nemesis
Director of Synchronous Communication Channels
Posts: 499
Joined: Feb 2, '23

Post by Nemesis »

Using a password manager to generate and store unique passwords and double locking them with 2FA is a good security practice. The Codex butthurt probably stems from staff making an executive decision and users not liking to be forced into a change. The staff could erase the entire RPG avatar database except for three images from the hit television show Yu-Gi-Oh!, and the reaction would be the same.
Last edited by Nemesis on June 4th, 2023, 04:49, edited 1 time in total.
General Reign
Posts: 1030
Joined: Feb 6, '23
Location: Scorched Earth

Post by General Reign »

All I know is they made it harder to log on by adding new dumb shit that I don't care about. Let some faggot hack my NMA account. Maybe someone will post there.
Norfleet
Posts: 232
Joined: Jun 3, '23

Post by Norfleet »

jcd wrote: June 3rd, 2023, 22:11
The point is that if a single device is compromised it should still be impossible to authenticate.
Yes, well, if you can't authenticate if a single device breaks down, what the hell good is this system? Things break all the time. Requiring more things to work in order for a system to function exponentially decreases its reliability.
Norfleet
Posts: 232
Joined: Jun 3, '23

Post by Norfleet »

jcd wrote: June 6th, 2023, 07:04
This word doesn't mean what you think it means.
No, it means exactly what I think it means: If a given device has a probability p of being operational, the probability of the system remaining operational, if all n devices must remain operational for it to function, is p^n.
jcd
Posts: 370
Joined: May 30, '23

Post by jcd »

2FA was not created with the goal of increasing availability (but you can still share a secret between multiple devices). You're missing the point.