If a service wants you to download #GoogleAuthenticator for #Android or #iOS to activate mandatory 2nd authentication factor:
- It's the same as using
<space> nitropy nk3 secrets add-otp --protect-with-pin --touch-button --digits-str 6 --kind totp paloalto <seed>with your #Nitrokey 3 - don't forget to check the command history to delete the key from there in case the leading space of thenitropy-command didn't stop your shell from saving the command to history. - If they then show you a QR you're supposed to scan with your always online, known to be unsecure, sending everything to the cloud device there's ususally a button for
can't scanthat'll show you the seed - If #javascript on the page then makes it impossible to copy that seed at least in firefox there's
right click/inspect (q)which you can use to have a quick look at the source of the element to copy the seed from the source (think about how secure your clipboard is and whether you need to delete the seed afterwards from it. Big mess: clipboard history writing to disk possibly without full disk encryption). - Otherwise - if there's no way to get a text view of the seed - take a screenshot of the qr, save it, and use
zbarimg <screenshot-file>to get the text reading from the qr
How do I prevent commands from showing up in Bash history?
Stack Overflow
Likes
