2017-01-11

It's now obvious that no system is completely immune to unauthorized access. The lowly password keeps failing and failing, yet we still haven't agreed on an alternative. Biometric authentication is promising, but so far has only bloomed in certain walled gardens. The best you can do right now is add layers of complexity to your login routines, making your accounts harder to get to.
The problem with adding complexity is that it gets too complex and nobody wants to bother. The best solution for this is 2FA (Two-Factor Authentication). You've seen 2FA at work when receiving a text from Google with a code that enables a login or gets you through an account setup. Securing logins with text messages no doubt increases security, but there are problems with relying on SMS for authentication. SMS fails to qualify as true two-factor, which is described as using a combination of something you know (a password) with something you have (supposedly your phone) to prove you are you. Since your phone number can be hijacked from the cellular company and your texts re-routed (or worse, cc'd) to another device, the phone doesn't fully qualify as something you (and only you) "have".
The answer to this is to dismiss SMS and rely instead on an app or desktop program that employs the Time-based One-time Password Algorithm (TOTP) to generate a code that will get you logged in and keep others out. This code is entered along with your regular password, making it far less likely that anyone but you logs into your account. It's interesting to note that the software generating the code need not run on a system or phone that's connected to the Internet to output a good code: the system must only have the correct time (within 30 seconds or so) for it to work.
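To make the "correct time, no network" point concrete, here is an added example (not code from the original post) that implements the TOTP algorithm as RFC 6238 defines it: a base32 secret like the one shown under a QR code, an HMAC-SHA1 over the current 30-second step counter, and a server-side check that tolerates one step of clock drift. The key JBSWY3DPS3YK3PXP is the example string from this post, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Example key from the post (constructed for illustration, not a real account secret)
EXAMPLE_KEY = "JBSWY3DPS3YK3PXP"
STEP_SECONDS = 30  # the time step most services use; codes change on each boundary


def decode_base32_key(key: str) -> bytes:
    """Decode the base32 secret shown under a QR code, tolerating spaces,
    lowercase letters and the missing '=' padding most sites omit."""
    cleaned = key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, then reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: str, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of whole steps
    since the Unix epoch. Only the clock matters, so this works offline."""
    return hotp(decode_base32_key(key), unix_time // step, digits)


def verify_totp(key: str, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept the current step and its +-skew_steps neighbours
    so a client clock that is off by up to 30 seconds still works. The comparison
    is constant-time so the check does not leak how many digits matched."""
    secret = decode_base32_key(key)
    current = unix_time // STEP_SECONDS
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(hotp(secret, current + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print(f"Code for the example key right now: {totp(EXAMPLE_KEY, now)}")
    print(f"Seconds until it changes: {STEP_SECONDS - now % STEP_SECONDS}")
```

The RFC 6238 test vectors (secret "12345678901234567890", times 59 and 1111111109) reproduce the published 8-digit codes 94287082 and 07081804 with this implementation, which is a quick way to check any authenticator you build or script against.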
I'm going to describe the typical 2FA setup routine using an authenticator app, then I'll explain how to start generating codes in your Linux terminal using oathtool. Finally, I'll describe how to get nice menu shortcuts on your Linux machine that will open a terminal, display your auth code for you, then disappear after 30 seconds.
First let's get the app working. Since the software to generate these one-time passwords is open source and freely available, there are tons of apps that will do the job. I only recommend one: FreeOTP. It's open source, written by the Red Hat folks, and has a real no BS interface - and I like that a lot. Get it for iOS here and Android here.
After you get the app running, head over to the great Two Factor Auth website and find a service you use that has implemented 2FA. They even break it down by what type of 2FA is offered by each site - to meet our goals in this tutorial, we're looking for a service that offers the Software Token method. Go log in to that service and look around in the account settings until you find their 2FA setup. Every one is different, so there's no point in describing any details. Just get to the point where it shows you a QR code and tells you to scan it - but before you do anything, right-click the QR code image in your browser and save it for later in case you need to decode your key from it. Most services will also display the key under the QR code as a string of letters and numbers (like JBSWY3DPS3YK3PXP). If your service does display the key, copy it and save it for later. Just remember to treat the QR code and plaintext key like passwords and store them safely: anyone who has either one can generate your codes.