storing passwords and using a 2nd factor for authentication
Since I started using my #Librem5 the usage of my passwords and one time passwords changed: I'm using the L5 in docked mode, also.
This makes it unusable as a 2nd factor for logging in to e.g. source.puri.sm or sourcehut, because the 2nd factor shouldn't live on the same device that I'm logging into from.
Another problem is that I have to sync my passwords.
I started using pass and migrated passwords from Firefox and Password Safe to it using an extension called pass-import that easily read the exported passwords into the new password store.
In Firefox I installed the add-on PassFF along with the component that needs to be installed in the underlying system.
I already like it more than the built-in Firefox password store.
Pass offers functionality to sync the gpg encrypted content of the password store with a git repository to make the passwords available on different devices.
To use this I set up a #gitea on my #yunohost and with some basic git knowledge it's easy to push and pull the passwords from a private repo.
I could solve the problem of my missing 2nd factor by using the #LibremKey (which is a special version of a #nitrokey) to generate the one time passwords.
There's still some work to do to get that all from my notebook onto the Librem5, but I can already open my password store on the phone and sync it from and to my repo.
Todo:
- write about using pass with the LibremKey/nitrokey
- write about pass-tomb, problems using ext4 and why btrfs proved to be the better choice
- try the nitrokey application on the Librem5
- try PassFF in Firefox on the Librem5
- find a way to make pass and gpg use the LibremKey on the Librem5 (the phone has a built-in smartcard reader loaded with an openpgp smartcard. Having two readers and two openpgp smartcards seems not to be supported very well by gpg 2.2.x)
- write about how the above worked
Any comments, help (especially on using gpg with two readers and two smartcards available) and questions are welcome.
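The pass + git sync workflow described in the post, as an added example that is not part of the original post or of the pass project itself: it runs entirely offline in a temporary directory, with a bare git repository standing in for the private gitea repo and a constructed throwaway GnuPG key (no passphrase) standing in for the key on the LibremKey. The entry name, the key's user id and the paths are assumptions for the demo; `pass init`, `pass git`, `pass insert` and `pass show` are the documented pass subcommands.

```shell
#!/bin/sh
# Added example, not the original post's own setup: reproduce the
# "notebook pushes, phone pulls" round-trip of pass with a git remote.
# Requires pass, gpg and git; it skips cleanly when pass or gpg is missing.
set -eu

demo_pass_git_sync() {
    if ! command -v pass >/dev/null 2>&1 || ! command -v gpg >/dev/null 2>&1; then
        echo "skipped: pass or gpg not installed"
        return 0
    fi
    tmp=$(mktemp -d)

    # Constructed throwaway key in a private GNUPGHOME; on the author's
    # setup the private key lives on the LibremKey's OpenPGP card instead.
    export GNUPGHOME="$tmp/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Pass Demo <demo@example.invalid>' default default never 2>/dev/null

    # git needs an identity for pass's automatic commits.
    export GIT_AUTHOR_NAME="Pass Demo" GIT_AUTHOR_EMAIL="demo@example.invalid"
    export GIT_COMMITTER_NAME="Pass Demo" GIT_COMMITTER_EMAIL="demo@example.invalid"

    # Bare repository standing in for the private gitea repo (assumption).
    git init --bare --quiet "$tmp/remote.git"

    # "Notebook": initialise the store for the key, turn it into a git repo
    # and attach the remote. Every insert is committed automatically.
    export PASSWORD_STORE_DIR="$tmp/notebook"
    pass init demo@example.invalid >/dev/null
    pass git init --quiet >/dev/null
    pass git remote add origin "$tmp/remote.git"
    printf 'hunter2\n' | pass insert -m example/login >/dev/null
    pass git push --quiet -u origin HEAD >/dev/null 2>&1

    # "Phone": clone the remote into a second store. Only the gpg-encrypted
    # files and .gpg-id travel; decryption still needs the key (here: the
    # same GNUPGHOME, on the phone: the external smartcard).
    git clone --quiet "$tmp/remote.git" "$tmp/phone"
    PASSWORD_STORE_DIR="$tmp/phone" pass show example/login

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
}

# Stand-alone run: prints the secret as decrypted on the "phone" side.
[ "${DEMO_PASS_NO_MAIN:-}" ] || demo_pass_git_sync
```

The only thing the remote ever sees is the `.gpg` files plus `.gpg-id`, so a compromised git host yields ciphertext only; the sync is as safe as the OpenPGP key, which is why keeping that key on a smartcard rather than on disk matters.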
@tdk@fosstodon.org thanks for the hint!
I looked briefly at it.
I moved away from password-store, because of the missing integration with browsers and because I wanted to start using gpg.
I already have to keep an eye on my key I use to sign the boot environment of my notebook and to decrypt the key for my cryptfs.
Furthermore I love the fact that I can read, understand and change #pass and #tomb as they are shell scripts using utilities I know already and that are used on nearly every *nix system.
I furthermore like the idea of syncing via a self-hosted gitea.
For this solution I can always fall back to using the command line if something goes wrong.
I'm not forced to use any GUI.
Besides carrying an openpgp card, my LibremKey (Nitrokey) does check the boot environment via heads and TPM, showing a green LED if everything seems o.k., and I use it for TOTP wherever I configured to use 2FA.
A lot would work with a yubikey also, but not the boot checking of my notebook.
@me My setup is very similar. I use pass, PassFF and sync using git. For 2FA I use Yubikey and https://developers.yubico.com/yubioath-desktop/ , which unfortunately works only with yubikeys.
About using 2 smartcards at once: gnupg 2.3 says it has improved support (https://lists.gnupg.org/pipermail/gnupg-announce/2021q2/000458.html), but yeah, unfortunately it's not the version provided by PureOS.
For the moment being I decided to disable the use of the #OpenPGPcard inside my #Librem5 to force the use of my #LibremKey when gpg is needed on the phone.
Support for multiple smartcards is improved in gpg 2.3.x, I read, which is not available for my distribution yet.
This way pass works with the externally connected LibremKey/#Nitrokey as expected.
@me Hi, just read about your solution and wanted to offer another take on this: No FF password store either, passwords are in a KeePass file that I use mainly with keepassxc (with browser integration). To be able to sync only certain passwords to certain devices (i.e. mobile), keepass can export groups to a separate file and keep them in sync both ways. The files get synced between devices via syncthing. Love it!
BTW: Congrats on your own instance 😃