If a service wants you to download #GoogleAuthenticator for #Android or #iOS to activate mandatory 2nd authentication factor:
- It's the same as using
<space> nitropy nk3 secrets add-otp --protect-with-pin --touch-button --digits-str 6 --kind totp paloalto <seed>with your #Nitrokey 3 - don't forget to check the command history to delete the key from there in case the leading space of thenitropy-command didn't stop your shell from saving the command to history. - If they then show you a QR you're supposed to scan with your always online, known to be unsecure, sending everything to the cloud device there's ususally a button for
can't scanthat'll show you the seed - If #javascript on the page then makes it impossible to copy that seed at least in firefox there's
right click/inspect (q)which you can use to have a quick look at the source of the element to copy the seed from the source (think about how secure your clipboard is and whether you need to delete the seed afterwards from it. Big mess: clipboard history writing to disk possibly without full disk encryption). - Otherwise - if there's no way to get a text view of the seed - take a screenshot of the qr, save it, and use
zbarimg <screenshot-file>to get the text reading from the qr
I'm migrating from a #LibremKey to a #Nitrokey 3c. One OTP made it to my new Nitrokey and the rest still sits on the LibremKey. I updated my OS and installed the new #nitropy utility which can't handle the LibremKey.
#NitrokeyAuthenticator is still installed on my #Librem5 and while it is easy to use that way it is even easier from my desktop. Waypipe didn't work, but ssh librem5 NitrokeyAuthenticator -platform vnc opens an unprotected vnc port…
purism@pureos:~$ netstat -pnlt | grep Nitro (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) tcp6 0 0 :::5900 :::* LISTEN 2019/NitrokeyAuthen
…which I can connect to to get an otp before migrating it to the new token.
And after disconnecting the ssh session the application keeps running and still can be connected to.
…after writing this I had to leave home, took my #Librem5 and the #Nitrokey 3 on my keychain not expecting that it would work using pass-manager-compact just like this, but it did.
No adapter needed anymore, direct connect to the Librem5s usb-c :).
For the moment being I decided to disable the use of the #OpenPGPcard inside my #Librem5 to force the use of my #LibremKey when gpg is needed on the phone.
Support for multiple smartcards is improved in gpg 2.3.x I read which is not available for my distribution, yet.
This way pass works with the externally connected LibremKey/#Nitrokey as expected.