If a service wants you to download for or to activate mandatory 2nd authentication factor:

  • It's the same as using <space> nitropy nk3 secrets add-otp --protect-with-pin --touch-button --digits-str 6 --kind totp paloalto <seed> with your 3 - don't forget to check the command history to delete the key from there in case the leading space of the nitropy-command didn't stop your shell from saving the command to history.
  • If they then show you a QR you're supposed to scan with your always online, known to be unsecure, sending everything to the cloud device, there's usually a button for "can't scan" that'll show you the seed.
  • If the page then makes it impossible to copy that seed, at least in Firefox there's right click/inspect (q), which you can use to have a quick look at the source of the element and copy the seed from there (think about how secure your clipboard is and whether you need to delete the seed from it afterwards. Big mess: clipboard history writing to disk, possibly without full disk encryption).
  • Otherwise - if there's no way to get a text view of the seed - take a screenshot of the QR, save it, and use zbarimg <screenshot-file> to get the text reading from the QR.
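What zbarimg returns for such a QR is an otpauth:// URI, not the bare seed. The following is an added example, not part of the original post: it parses that line and builds the argument list of the nitropy command quoted above, refusing QR codes whose settings that command does not set. The sample URI is constructed, and the "QR-Code:" prefix, the otpauth query parameter names and the acceptance of 8 digits are assumptions.

```python
import base64
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: the line zbarimg prints for a provisioning QR code.
SAMPLE = ("QR-Code:otpauth://totp/Example%20VPN:alice%40example.com"
          "?secret=jbswy3dpehpk3pxp&issuer=Example%20VPN&digits=6&period=30")


def parse_otpauth(line):
    """Parse zbarimg output (or a bare otpauth URI) into its OTP parameters."""
    line = line.strip()
    if line.startswith("QR-Code:"):          # zbarimg's symbology prefix
        line = line[len("QR-Code:"):]
    uri = urlsplit(line)
    if uri.scheme != "otpauth" or uri.netloc.lower() not in ("totp", "hotp"):
        raise ValueError("not an otpauth://totp or otpauth://hotp URI")
    params = {k: v[-1] for k, v in parse_qs(uri.query).items()}
    secret = params.get("secret", "").replace(" ", "").upper()
    if not secret:
        raise ValueError("URI carries no secret")
    # Seeds are base32, usually without padding; re-pad only to validate.
    base64.b32decode(secret + "=" * (-len(secret) % 8))
    return {
        "kind": uri.netloc.lower(),
        "label": unquote(uri.path.lstrip("/")),
        "secret": secret,
        "digits": int(params.get("digits", "6")),
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "period": int(params.get("period", "30")),
    }


def nitropy_args(entry, name):
    """Build the argv of the command in the post; refuse what it cannot express."""
    if (entry["kind"], entry["algorithm"], entry["period"]) != ("totp", "SHA1", 30):
        raise ValueError("QR code uses settings the command above does not set")
    if entry["digits"] not in (6, 8):        # assumption: 6 or 8 are accepted
        raise ValueError("unsupported digit count")
    return ["nitropy", "nk3", "secrets", "add-otp", "--protect-with-pin",
            "--touch-button", "--digits-str", str(entry["digits"]),
            "--kind", "totp", name, entry["secret"]]


if __name__ == "__main__":
    print(" ".join(nitropy_args(parse_otpauth(SAMPLE), "paloalto")))
```

A QR code with a different algorithm or period would otherwise be stored without complaint and produce codes the service rejects, which is why the second function raises instead of guessing.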

I'm migrating from a to a 3c. One OTP made it to my new Nitrokey and the rest still sits on the LibremKey. I updated my OS and installed the new utility which can't handle the LibremKey.

is still installed on my and while it is easy to use that way it is even easier from my desktop. Waypipe didn't work, but ssh librem5 NitrokeyAuthenticator -platform vnc opens an unprotected vnc port…

    purism@pureos:~$ netstat -pnlt | grep Nitro
    (Not all processes could be identified, non-owned process info
     will not be shown, you would have to be root to see it all.)
    tcp6       0      0 :::5900       :::*       LISTEN      2019/NitrokeyAuthen

…which I can connect to to get an OTP before migrating it to the new token.

And after disconnecting the ssh session the application keeps running and still can be connected to.


…after writing this I had to leave home, took my and the 3 on my keychain not expecting that it would work using pass-manager-compact just like this, but it did.

No adapter needed anymore, direct connect to the Librem5's USB-C :).


For the time being I decided to disable the use of the inside my to force the use of my when gpg is needed on the phone.

Support for multiple smartcards is improved in gpg 2.3.x, I read, which is not available for my distribution yet.

This way pass works with the externally connected LibremKey/ as expected.