Are there any good ways of sharing 2 factor authentication credentials?
Scenario: I have probably 20 accounts secured by 2FA using (currently) Authy to manage them. A colleague similarly has their own 2FA setup (not sure what they use).
However, there are some accounts we both need access to, and therefore at present we haven't enabled 2FA on them. I want to set up 2FA in such a way that either of us can generate a code without sharing anything else to do it.
I believe this is using the TOTP protocol? I don't know enough about how it works, but I can't see any technical reason why the shared secret can't be shared between multiple people (Authy already lets me share between multiple devices, but in an "all or nothing" way).
Obviously sharing 2FA credentials weakens security. But at present the alternative is not using it at all, and surely shared 2FA is better than that.
On Tue, May 31, 2022 at 10:15:51AM +0100, Mark Rogers wrote:
Are there any good ways of sharing 2 factor authentication credentials?
If you save the QR code and share it with your colleague, then you can both have the same credential in Authy; you probably want to delete it afterwards, though.
Adam --
Hi Mark,
If you use an app like FreeOTP+ (open source Android app on the Play Store), then once you've scanned the QR code, it will allow you to view the secret as a long string which can be shared.
If you use KeePass or KeePassXC as a password manager, you can then use that database to hold the credentials securely and generate OTPs on multiple desktop and smartphone platforms (it is recommended to store any TOTP secrets in a separate database from your passwords). If there are a number of shared logins between you, then perhaps maintaining a shared KeePass database file that you can both access to store them in is one option.
https://play.google.com/store/apps/details?id=org.liberty.android.freeotpplu... https://keepass.info/help/base/placeholders.html#otp https://keepassxc.org/docs/#faq-security-totp
HTH,
Peter.
On Tue, 31 May 2022 at 10:32, Adam Bower adam@thebowery.co.uk wrote:
On Tue, May 31, 2022 at 10:15:51AM +0100, Mark Rogers wrote:
Are there any good ways of sharing 2 factor authentication credentials?
If you save the QR code and share it with your colleague, then you can both have the same credential in Authy; you probably want to delete it afterwards, though.
Adam
On Tue, 31 May 2022 at 10:32, Adam Bower adam@thebowery.co.uk wrote:
If you save the QR code and share it with your colleague, then you can both have the same credential in Authy; you probably want to delete it afterwards, though.
Oh OK, I assumed that 2FA used some kind of unique key at both ends so this wouldn't work, although I should have thought to try it.
So does this mean that all authenticator software packages would generate the same codes for any given QR code?
On Tue, May 31, 2022 at 03:06:21PM +0100, Mark Rogers wrote:
Oh OK, I assumed that 2FA used some kind of unique key at both ends so this wouldn't work, although I should have thought to try it.
So does this mean that all authenticator software packages would generate the same codes for any given QR code?
Yes, they just create the same tokens. One other option would be to look at some kind of shared password manager, but if you do that then storing the 2FA in the same place as the password could be a bit of a problem, although it would be better than no 2FA at all.
Adam --
On Tue, 31 May 2022 at 15:25, Adam Bower adam@thebowery.co.uk wrote:
Yes, they just create the same tokens.
Thanks (also to Sam), tested and working.
One other option would be to look at some kind of shared password manager, but if you do that then storing the 2FA in the same place as the password could be a bit of a problem, although it would be better than no 2FA at all.
I think that's the key. There are some accounts for which there is no feasible way for us to create two separate manager logins, so either it all falls to one person or it's left with an easily shared password which, whilst it can be a decent password, is still not as good as a decent password plus a one-time password. All the other options (2FA via email or SMS) fail the same way (well, we could set up an email address that forwards to both of us, but some of these accounts *are* email accounts, so you'd need access to it on one device to get access to it on another, which isn't workable if one of us is unavailable).
(Also to Sam: I'll take a look at FreeOTP+, thanks.)
Mark