Granddave / aegis-rs

Aegis compatible OTP generator for the CLI
GNU General Public License v3.0
23 stars 2 forks

Non-interactive mode for retrieving OTPs #3

Closed michabbb closed 8 months ago

michabbb commented 8 months ago

hi there,

just an idea: if you would give each service in the vault a unique ID and if you could get a token with one single command like

aegis-rs ~/Documents/aegis-backup-20230512-193110.json --password=xxxxxxxxx --service=1

(1 = twitter)

there would be a chance to make a web-interface for that 😏

Granddave commented 8 months ago

Hi @michabbb, thanks for checking out the project!

Interesting suggestion. Since we're using the exported vault from the app (thoroughly detailed here), we only have that information available to us, and I would like it to continue like that. That said, we're free to do whatever we want with this information. I'm all for making it composable. What would be possible is, for example, to use the issuer (and maybe the name, if needed to uniquely identify the entry in the vault) from the entry information to get the generated OTP code directly to stdout if the necessary information is provided via CLI arguments.

Example entry from Aegis to show what we've got available to use as identification for a specific entry:

{
    "type": "totp",
    "uuid": "01234567-89ab-cdef-0123-456789abcdef",
    "name": "Bob",
    "issuer": "Google",
    "icon": null,
    "info": {
        "secret": "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
        "algo": "SHA1",
        "digits": 6,
        "period": 30
    }
}

Would adding a non interactive CLI mode like that scratch your itch?

michabbb commented 8 months ago

Yes. The idea came to me because one of my customers is currently using Authy desktop, which is dead, as we know 😒 So, I looked for an alternative and found Aegis. But with that, I didn't see any chance of a company with multiple people accessing the OTP without having a single mobile phone where nobody knows where it is. I saw your project, and my first idea was to create a web interface that everybody could use if I could get the OTP with one single call. It's even better than an Authy desktop.... I still don't know what the customer is planning to do when Authy desktop is finally dead... but this project gave me this idea.... 😏

Granddave commented 8 months ago

Ah I see, yeah, an unfortunate move by Authy... I understand your need and I guess it would work to generate OTP codes on the fly like that and publish them on a locally hosted website. As mentioned above, I'm not against making aegis-rs more composable to make things like that possible, but I would suggest looking into Bitwarden or other password managers or OTP apps with websites that can generate OTP codes, due to the security implications of running a website like that. It's secret management after all 🙂

That's one of my thoughts on this. The other is that I'm thinking of implementing support for a larger part of the vault and creating a crate out of it so other projects can include it as a library. Only the parts used for the CLI are currently implemented. That way it would be easier to create projects generating OTPs from an Aegis vault. 🚀

michabbb commented 8 months ago

Do you know of any OTP tools that can be used via a website? I know this is against the concept of security, but some companies with many users are not willing to pay money just to be able to create OTPs 😏 Bitwarden is great, I use it myself and already imported all OTPs from Authy. But you need a professional account. I am more than happy to pay this tiny fee. But some, as always, want an open source or free alternative to Authy.

michabbb commented 8 months ago

Looks exactly what I was looking for: https://docs.2fauth.app/ 😉

Granddave commented 8 months ago

I've heard good things about 2FAS, which seems to have a browser extension 🙂 Not sure about pricing and features though...

Granddave commented 8 months ago

BTW, I've been hacking away on a JSON interface with filtering capabilities.

$ aegis-rs aegis_plain.json --json --issuer airbnb

[
  {
    "issuer": "Airbnb",
    "name": "Elijah",
    "otp": "13756234",
    "remaining_time": 29
  }
]

Was it something like this that you first thought about?

This would also allow for some jq magic

$ aegis-rs aegis_plain.json --json --issuer airbnb | jq '.[] | .otp'
"89020816"
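The non-interactive lookup discussed in this thread (pick an entry from the exported vault by issuer and/or name, compute the code, emit JSON that jq can consume), as an added example. This is not aegis-rs code and is written in Python rather than the project's Rust so that it runs with the standard library only. It assumes the layout of an unencrypted Aegis export: a top-level "db" object whose "entries" list holds items shaped like the entry quoted earlier in the thread (type/uuid/name/issuer/info{secret, algo, digits, period}), with the secret stored as unpadded base32. The sample vault, the entry UUIDs and all secrets in it are constructed; the "Google" entry deliberately uses the RFC 6238 reference key so its output can be checked against the RFC's test vectors.

```python
"""Non-interactive OTP lookup from an Aegis plaintext export (added example).

Not aegis-rs code. Assumed export layout: {"db": {"entries": [...]}} with
entries like {"type": "totp", "name": ..., "issuer": ...,
"info": {"secret": <unpadded base32>, "algo": "SHA1", "digits": 6, "period": 30}}.
"""
import argparse
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed sample vault, not a real export. The "Google" entry uses the
# RFC 6238 reference key (ASCII "12345678901234567890" in base32) so its codes
# can be checked against the RFC test vectors; the other secrets are dummies.
SAMPLE_VAULT = json.dumps({
    "version": 1,
    "header": {"slots": None, "params": None},
    "db": {"version": 2, "entries": [
        {"type": "totp", "uuid": "01234567-89ab-cdef-0123-456789abcdef",
         "name": "Bob", "issuer": "Google", "icon": None,
         "info": {"secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
                  "algo": "SHA1", "digits": 8, "period": 30}},
        {"type": "totp", "uuid": "11111111-2222-3333-4444-555555555555",
         "name": "Elijah", "issuer": "Airbnb", "icon": None,
         "info": {"secret": "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                  "algo": "SHA1", "digits": 6, "period": 30}},
        {"type": "hotp", "uuid": "66666666-7777-8888-9999-aaaaaaaaaaaa",
         "name": "Alice", "issuer": "Example", "icon": None,
         "info": {"secret": "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                  "algo": "SHA1", "digits": 6, "counter": 0}},
    ]},
})

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_secret(secret: str) -> bytes:
    """Base32-decode a secret, restoring the '=' padding Aegis strips."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret: str, algo: str, digits: int, period: int, now: float) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current time step."""
    if algo.upper() not in HASHES:
        raise ValueError("unsupported algorithm: " + algo)
    step = int(now) // period
    mac = hmac.new(decode_secret(secret), step.to_bytes(8, "big"),
                   HASHES[algo.upper()]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def remaining_time(period: int, now: float) -> int:
    """Seconds until the current code rolls over."""
    return period - int(now) % period


def lookup(vault_json: str, issuer: Optional[str] = None,
           name: Optional[str] = None, now: Optional[float] = None) -> List[dict]:
    """Return {issuer, name, otp, remaining_time} for every matching TOTP entry.

    Matching is case-insensitive ("airbnb" finds "Airbnb"). HOTP entries are
    skipped: their counter would have to be advanced and written back.
    """
    now = time.time() if now is None else now
    out = []
    for e in json.loads(vault_json)["db"]["entries"]:
        if e.get("type") != "totp":
            continue
        if issuer and e.get("issuer", "").lower() != issuer.lower():
            continue
        if name and e.get("name", "").lower() != name.lower():
            continue
        info = e["info"]
        out.append({
            "issuer": e.get("issuer", ""),
            "name": e.get("name", ""),
            "otp": totp(info["secret"], info["algo"], info["digits"],
                        info["period"], now),
            "remaining_time": remaining_time(info["period"], now),
        })
    return out


if __name__ == "__main__":
    ap = argparse.ArgumentParser(
        description="Print OTPs from an Aegis plaintext export as JSON")
    ap.add_argument("vault", nargs="?",
                    help="path to aegis_plain.json (omit to use the built-in sample)")
    ap.add_argument("--issuer")
    ap.add_argument("--name")
    args = ap.parse_args()
    data = open(args.vault, encoding="utf-8").read() if args.vault else SAMPLE_VAULT
    print(json.dumps(lookup(data, args.issuer, args.name), indent=2))
```

Run as `python3 aegis_otp.py aegis_plain.json --issuer airbnb | jq '.[] | .otp'` to get the same shape of output as in the comment above. Two things worth keeping in mind with any such script: the plaintext export contains every seed in clear, so it deserves the same handling as a password file (0600 permissions, no copies in backups or logs), and a vault password should never be passed as a command-line argument as in the first comment's sketch, because argv is visible to every local user through `ps`.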

michabbb commented 8 months ago

Looks nice, but if https://docs.2fauth.app/ works I would prefer such a solution, so sorry if I created now work for you. But still, your app would profit from such a feature 😏

Granddave commented 8 months ago

I'm glad you found something that would solve your problem!

But still, your app would profit from such a feature

Yeah, I think I'll implement something like this. Could be quite useful 👍

Granddave commented 8 months ago

I'm closing this issue for now. Feel free to comment or open a new issue if anything comes up.