It's now obvious that no system is completely immune to unauthorized access. The lowly password keeps failing and failing, yet we still haven't agreed on an alternative. Biometric authentication is promising, but so far has only bloomed in certain walled gardens. The best you can do right now is add layers of complexity to your login routines, making your accounts harder to get into.
The problem with adding complexity is that it gets too complex and nobody wants to bother. The best solution for this is 2FA (Two Factor Authentication). You've seen 2FA at work when receiving a text from Google with a code that enables a login or gets you through an account setup. Securing logins with text messages no doubt increases security, but there are problems with relying on SMS for authentication. SMS fails to qualify as true two-factor, which is defined as combining something you know (a password) with something you have (supposedly your phone) to prove you are you. Since your phone number can be hijacked from the cellular company and your texts re-routed (or worse, cc'd) to another device, the phone doesn't fully qualify as something you "have".
The answer to this is to dismiss SMS and rely instead on an app or desktop program that employs the Time-based One-time Password algorithm (TOTP) to generate a code that will get you logged in and keep others out. This code is entered along with your regular password, greatly improving the odds that you're the only one logging into your account. It's interesting to note that the software generating the code need not run on a system or phone that's connected to the Internet to output a good code; the system only needs the correct time (within 30 seconds or so) for its codes to match the server's.
I'm going to describe the typical 2FA setup routine using an authenticator app, then I'll explain how to start generating codes in your Linux terminal using oathtool. Finally, I'll describe how to get nice menu shortcuts on your Linux machine that will open a terminal, display your auth code for you, then disappear after 30 seconds.
First let's get the app working. Since the software to generate these one-time passwords is open source and freely available, there are tons of apps that will do the job. I only recommend one: FreeOTP. It's open source, written by the Red Hat folks, and has a real no-BS interface, and I like that a lot. It's available for both iOS and Android.
After you get the app running, head over to the great Two Factor Auth website and find a service you use that has implemented 2FA. They even break it down by what type of 2FA is offered by each site; to meet our goals in this tutorial, we're looking for a service that offers the Software Token method. Log in to that service and look around in the account settings till you find their 2FA setup. Every service is different, so there's no point in describing any details. Just get to the point where it shows you a QR code and tells you to scan it, but before you do anything, right-click the QR code image in your browser and save it for later in case you need to decode your key from it. Most services will also display the key under the QR code as a string of letters and numbers (like JBSWY3DPS3YK3PXP). If your service does display the key, copy it and save it for later. Just remember to treat the QR code and plaintext key like passwords and store them safely.
Back to where we had the QR code displayed on the screen... just tap the QR code icon in the FreeOTP app and your camera will come up. Show your phone the QR code and the moment the app sees it, you'll get a new entry in the list named accordingly. Most services I've set up required me to generate a code and enter it to prove it was working before they accepted the setup, a good idea to prevent lockout. Most services will also give you one or more backup codes that will get you logged in if you lose your phone; keep them safe. Now tap the new entry in FreeOTP and you'll see a six-digit code appear. That's it. They only last 30 seconds, so if your timing's bad you might have to try twice to get a code that's the same as what the server's thinking.
Log out of the service you just set up and test that you can get back in using the app. If it works, great! If not...

Now on to the Linux desktop setup. For this, you'll need the oathtool command line program to generate codes. In apt-based environs, just enter:

sudo apt-get install oathtool

or hunt it down in your package manager. A SlackBuild is available too, as is the source code. For other distros, you probably know where to go.
If you have your key as a plaintext string, simply open a terminal and enter:

oathtool -b --totp JBSWY3DPS3YK3PXP

replacing my example key with your own, and it should output a code. The -b option tells oathtool that our key is base32 encoded. Every one I've set up so far has been base32. Try it a few times side-by-side with the app and if the numbers keep matching, you've done it right.
If you don't have your key and you only have the QR code, there's a simple command line program called ZBar that reads them for you. On Debian-based distros, open a terminal in the directory where your QR code image sits and enter:

sudo apt-get install zbar-tools

then once it's installed, enter:

zbarimg example.png

replacing my example.png with your image filename. Within the output of that command (an otpauth:// URL), make note of the "secret" value. That is your key. Go back and try the oathtool command with your newly discovered key and test it.
Now to make a menu entry for your Linux desktop. I will use Amazon for my example; you'll have to sort out your filenames. First, we have to create a script that will execute oathtool while passing it our key, so open a terminal (replacing leafpad with your text editor of choice) and type:

leafpad amazoncode.sh

and enter the following into the new file (replacing my key with yours):

#!/bin/sh
# print the current TOTP code for this account, then keep the window open
oathtool -b --totp JBSWY3DPS3YK3PXP
sleep 30
By telling the script to sleep 30 (the average lifespan of a one-time password), the terminal window will stay open for 30 seconds displaying the code, then disappear for good. Now save the file and make it executable with this command:

chmod +x amazoncode.sh
To make the menu entry, go to the terminal and enter:

sudo leafpad /usr/share/applications/amazoncode.desktop

and enter the following into the file (replacing "/home/user/" with the directory your script is in):

[Desktop Entry]
Version=1.0
Name=Amazon 2FA Code
Exec=/home/user/amazoncode.sh
Icon=utilities-terminal
Terminal=true
Type=Application
MimeType=text/plain
Categories=Application;Network;
Save the file and you should have a new menu entry that will pop up a quick code when you need it. This is a handy desktop alternative when you don't feel like reaching for your phone; just remember to store your scripts with your other sensitive files.
One note about 2FA and most apps. I've seen it handled a couple of ways, but usually any app that connects to a service gets around 2FA by requiring you to do it only once, then using a token on subsequent logins. This is helpful if you want to avoid the 2FA hassle for the apps you use constantly.
dmt