2-factor authentication without a smartphone

I am mildly annoyed by the not-so-recent trend of every single website and service forcing me into using a phone for 2-factor authentication. I mean, I get it is very important for security reasons, but now every time I try to log into some website I am forced to get up and pick up my phone, which is usually lying on the other side of the room. You can’t just walk into a website nowadays.

Another reason I don’t like this is that a mobile phone can easily be lost, stolen or out of battery. I don’t want to rely on it to get access to imortant services. As a partial workaround I always use SMS 2fa, which is quite insecure, but at least I just need to plug my SIM card into another phone if for some reason I can’t use my device.

And of course there are ways of using an authenticator app and sync your keys via some external cloud service. But I don’t want to be dependent on external cloud services.

But there is nothing special about my smartphone: there is no reason I should not be able to just use my laptop, or any other device, as a 2fa device. In fact, most services use TOTP, which is an open protocol. Yesterday I decided to figure out how this works, so that I would not need to detach my but from my chair ever again!

How TOTP works, as far as I understood

Pairing an authenticator app with a website requiring 2fa is usually done by scanning a QR code. This QR code is not magic, it just contains a string that is going to be your secret key for this website. Then, every time you need to login, you get some code from your authentication app. The code is generated by the app by applying cryptography (which is magic, by the way) to your secret key, and it is only valid for a limited time span, usually 30 seconds. When you give this code to the website, they know it must have been generated from your secret key because of cryptographic magic.

So in principle 2fa is just a way of forcing everyone to use a second properly-stored password, with your authenticator app as a password manager. Actually the password is stored on your device and never shared after the initial setup, so it is even safer than that. But it still falls short from a proper public-key protocol, because the secret key is shared publicly at the time of the initial setup.

Setting up 2fa with oathtool

To generate TOTP codes I use oathtool, a command-line utility available in most linux distros and other operating systems. Keep in mind I have only used it on Void Linux for now, though.

To generate a TOTP code from a SECRET_KEY you can simply use the following command:

$ athtool -b --totp "SECRET_KEY"

And that’s it. However, you should not write you secret key in plain text like this: instead you should keep it encrypted and decrypt it just when you need it to generate a code. I do this by using my simple 2fa script, which is based on my secret tool that encrypts and decrypts stuff using openssl and a master password - which is obviously correcthorsebatterystaple.

Troubleshooting

The command as I wrote it above does not work for my laptop. The reason is that for reasons unknown my laptop’s clock is steadily drifting - it is now 2 minutes and 4 seconds behind - and TOTP codes are only valid for a 30-seconds timespan. Luckily, you can trick oathtool into thinking we are in the future with the --now option:

$ athtool -b --totp "SECRET_KEY" --now=11:23

It’s good to keep this in mind even when using other authentication systems. If it does not work, check the time!

Is this actually safe?

This is a legit question, because by getting rid of your second device kinda defeats the purpose of 2-factor authentication. The principle of multi-factor authentication is that you should use at least two factors among:

  1. Something you know (e.g. a password)
  2. Something you have (e.g. a device)
  3. Something you are (e.g. a fingerprint)

And with the system I explained, I am pretty much only using passwords. However, I would argue that I am still using two factors:

  1. Something I have: my laptop, which sloppily stores some passwords in my browser’s “saved passwords” (this does not count as “something I know”, because anybody who has access to the device can just use my browser’s password auto-fill functionality without knowing what these passwords are).
  2. Something I know: the master password (which is not stored anywhere) that protects the encrypted keys stored on my laptop.

If you are still not convinced and think using a smartphone for security is safer, let me ask you this: do you ever login in one of these services from your smarpthone, using the same smartphone as a second factor? Then it’s the same thing as I do. You are probably just using a PIN code or a fingerprint instead of my master password.