marius-wieschollek / passwords

A simple, yet feature rich password manager for Nextcloud
GNU Affero General Public License v3.0

[Feature] Storing OTP #69

Open Trinnik opened 5 years ago

Trinnik commented 5 years ago

I would like to request a feature to be integrated into the passwords app that stores OTP information for use in the browser extension. Passman has this feature but development on that app has obviously slowed dramatically and I am looking for a new password app to use. I have attached a screenshot of what I’m talking about with the passman web extension. It is super nice to be able to copy my Authy/Google Authenticator codes to my clipboard instead of opening my phone every time I need a code.


Trinnik commented 5 years ago

In response to tflidd on the forum:

Wouldn’t you bypass 2FA like this? The purpose is to have a second, independent device. If everything is stored in the same place (your password manager), your security breaks when someone has access to it: he can access your 2FA codes as well. So you could just use a normal password.

Yes, that does break it if someone gains access to my server that stores it. But it is still an extra layer of security because, in the much more likely event that someone gets my password from cracking another site, they still don't have my 2FA without then going and cracking my server.

mactrent commented 5 years ago

One might say the point of having a password manager is to make password re-use across different sites a thing of the past, but one large benefit of OTP (regardless of how many other factors are used) is that a single "password" cannot be used in a replay attack, even on the same site.

marius-wieschollek commented 5 years ago

I already had OTP support planned as a feature after the basic features are implemented.

I would argue that as soon as you can use client-side encryption and, with it, the improved server-side encryption, the barrier for stealing the tokens is quite high, since you need access to the Nextcloud server, the account password (or any app token) and the master password for the app to access the password database.

Aside from that, the main difficulty for this feature is finding a good OTP JavaScript library.

tflidd commented 5 years ago

the barrier for stealing the tokens is quite high since you need access to the Nextcloud server, the account password (or any app token) and the master password for the app to access the password database.

The barrier for the unique, very complex password is already high. What does OTP provide on top of that? Do you have a scenario where someone gains access to your password but not your OTP? And there could be legal issues in case you need to use 2FA/OTP for additional security, since you bypass this feature. It's like writing down the PIN of your credit card in the same wallet, which is secure because you have a very good bodyguard!

mactrent commented 5 years ago

What does OTP provide on top of that? Do you have a scenario where someone gains access to your password but not your OTP?

Phishing, or some other man-in-the-middle attack (as [not] perceived by the user) is a really common way of getting a user's password. In-transit encryption, trusted web hosts with verifiable certs, and user training should work together to prevent this, but alas, we need to plan for when it happens, rather than if. If you're using OTP instead of a password, the most an attacker gets is a single login session, instead of all future login sessions. This is why it's best-practice to have a user re-authenticate before making changes that might transfer ownership of an account.

Even if there was such a thing as a per-vendor PIN on your credit card (which there isn't, for the same reasons we need password managers), a changing PIN would be better because the observation of no single transaction could allow an attacker to make arbitrary transactions as the user in future. Bribing cashiers or planting skimmers+cameras is less useful when the info thus stolen can only impersonate the user once, to one vendor, at one given point in time. The vendor then has the ability to make things more secure by re-verifying - most don't, but that wasn't even an option before. Having a per-vendor PIN and a changing PIN, even if they're in the same wallet, is still far better than expecting every single transaction to be secure from observation. You can at least do something meaningful to guard your wallet, while all you can do is look/shake to detect card skimmers/cameras, and you're not likely to discover them even if they're there. To stretch the analogy more than I already have: if you really need 2FA that legally must be separated, put OTP in your wallet and remember your password, rather than remembering a short and static PIN.

Sorry to derail. In general, though, password managers have begun to implement OTP as a matter of course - see KeePass (via plugins), LastPass, etc. Let the user sort out any trade-offs or legal gotchas, having it is better than not in any case.

marius-wieschollek commented 5 years ago

And there could be legal issues in case your need to use 2FA/OTP for additional security since you bypass this feature.

Passwords does not provide any tools to enforce password rules. It's up to the individual user to comply with any given rules. Using the Passwords app does not replace the individual responsibility to keep one's passwords safe.

Also in my opinion it would be naive to believe that people will store their OTP tokens in a secure way if the app does not support OTP. Services like GitHub give you some backup tokens when you set up 2FA. People will just paste those codes into the notes field or create a file and link it to the password.

The security of OTP tokens would also be compromised if your smartphone gets stolen and you are still logged into Nextcloud.

Having OTP in the Passwords app is helpful if you're the kind of person who will drop his phone into a pond or just reset it. If you have your tokens in the Passwords app, they will still be there in those cases.

Also, if you lose access to a device, you can just delete it in the security settings.

marius-wieschollek commented 5 years ago

I would implement OTP support as a special password type. That way, you can use the app as your OTP provider without necessarily having to store a corresponding password with it.

I do still have passwords that only exist in my head and think it would be great if I could have an always accessible source for the OTP that belongs to these passwords.

tflidd commented 5 years ago

I try to use a hardware device for 2FA, so one time passwords are only a backup if one or all of these devices won't work. In that case, I just print them and store them in a secure place (at home, in my wallet, whatever). For me the worst place to store them is anywhere close where the password itself is stored.

marius-wieschollek commented 5 years ago

I think it would be good to add a warning in the interface which makes it clear to the user that storing OTP and password in the same app is insecure.

szaimen commented 5 years ago

I agree, that this is one of the last missing important features.

circlenaut commented 4 years ago

I second @szaimen

olpo24 commented 4 years ago

I like your app and the corresponding browser extensions/Android apps much more than other password management solutions for Nextcloud. But this issue is the only reason why I'm not using your app in Nextcloud :-(

jficz commented 4 years ago

I think it would be good to add a warning in the interface which makes it clear to the user that storing OTP and password in the same app is insecure.

I'm all for OTP implementation (it's one of those little things that prevents me from switching completely) but I would argue whether the Passwords app is the right place to educate users about authentication principles.

EricThi commented 3 years ago

Hello,

Do you have any information on adding this mandatory feature?

Passman is end of life now (my Nextcloud is on 20.0.2 and I am waiting to start the upgrade to 20.0.4 because Passman may fail... I need time to test it on preprod).

I have more than 200 credentials on my account and it's used by other people on my server. First prerequisite after sharing between users: OTP.

Good work on this app, and a very good new year :)

paulcalabro commented 3 years ago

Yeah, same here. Once there's support for OTP, I'll migrate over to Passwords as well. That's the only thing keeping me on Passman atm.

adocampo commented 3 years ago

I've just stumbled upon Passwords after a while. I've been following the project but I didn't feel it was better than Passman, which I was a happy user of, but Passwords now seems quite mature.

I did see the changes on the interface and the new cool features (since last time I saw Passman) and quickly searched for 2FA/OTP feature. I got disappointed when I couldn't find it.

I can understand people who care about leaving all the eggs in the same basket, but they can simply not use that feature and let other people use whatever they want. A warning message in the configuration settings making clear that this is more insecure than having the OTP mechanism separate from the password manager would be enough, IMO.

A password to unlock the wallet in the browser extension (and the possibility to remember the password, or leave it unlocked, or lock it after a few minutes) will be necessary to harden it a little bit when you leave your computer logged in for a while, for example at work.

Anyway, I'm impressed how Passwords has improved since last time I saw it. Very good job @marius-wieschollek !!

AxelTheGerman commented 3 years ago

I am trying to shift more and more of my tools to my personal, hosted nextcloud. I'm currently using Bitwarden which is very smooth. But I'd use something less polished as long as the basics work.

2FA/OTP is a main feature of a password manager for me. I understand some people's security concerns about storing passwords and OTP secrets in the same place. But it's better than not using 2FA. Bitwarden, LastPass etc all do it too. Not saying it's perfect but the right trade-off between security and convenience for me.

Thank you for all the work you put in @marius-wieschollek - unfortunately this technology stack is not my forte so I won't get myself to contribute

xplosionmind commented 3 years ago

Good morning. Are there any updates concerning this implementation?
In my team I have several different social media managers, and I would love to implement 2FA on our social accounts while still being able to share passwords with them through the app.

xplosionmind commented 2 years ago

ping

zhaknafein commented 2 years ago

+1 for this request. As for the JS library, can this be useful? https://otplib.yeojz.dev/

gerbenvandekraats commented 2 years ago

+1

Tealk commented 2 years ago

+1

mjeshurun commented 2 years ago

One more vote for adding 2FA/TOTP support to the Passwords app. Thank you to all the developers.

dimmenhau commented 1 year ago

Hello, I would like to change my management from a paid solution to this app. But for this I would need the OTP function.

When is the current plan to implement this.

tmkis2 commented 1 year ago

Thought the app already had this feature. Damn! Would love to change from 1password to passwords from nextcloud but need OTP support. Noticed this while trying to import my passwords.

Ostantia commented 1 year ago

I'm still a KeeWeb user just because of this issue. I would love to use Passwords, but the lack of OTP is a deal breaker for me: I use more than 200 accounts and at least a third of them use OTP, so not having it is not possible.

mjeshurun commented 1 year ago

Based on the iOS app changelog, support for OTP was added from app version 2.6 (9 months ago).

tmkis2 commented 1 year ago

Based on the iOS app changelog, support for OTP was added from app version 2.6 (9 months ago).

Yes as a feature for the iOS app itself. It is not supported by other passwords clients (browser addon etc.)

NetworkFound commented 1 year ago

Would like to ask if this is still being worked on as I am looking into switching over to this if OTP support is added

djibux commented 1 year ago

I do believe that feature would be useful. I don’t use OTP much, but some websites require using an OTP. I think it’s nice to have an all-in-one solution.

jficz commented 1 year ago

As far as I know the idea was never dismissed so chances are someone has this on their TODO list.

That being said, a timeline/milestone estimate wouldn't hurt.

But that being said, this is still an open-source project so everyone is welcome to submit PRs with the functionality or sponsor the feature.

... but that being said, all relevant competition has OTP store option already available, even the newest kid on the playground.

stepcellwolf commented 1 year ago

+1 will be a nice plus to have it, and I could contribute in development if needed.

gellenburg commented 1 year ago

Please add TOTP support. Bitwarden has it. 1Password has it. LastPass has it. KeePassXC has it. Happy to sponsor the development, let me know.

luminous706 commented 1 year ago

I would also like to have TOTP, as all the other big names out there support TOTP. As long as you don't have that feature, I can't fully switch.

JoshuaPettus commented 9 months ago

While there is now a very nice separate OTP Management App available for nextcloud (complete with phone apps), I would still love to see it integrated into Passwords itself if possible. If only to have one less app to manage, and this one is just a little more mature.

pxxsxx commented 8 months ago

Has there been any progress in implementation now? The lack of OTP support is the one reason that prevents me from using the app.

jficz commented 8 months ago

I hate to say this, but I moved to a competing product a while ago (one that, incidentally, has been created from scratch in much less time than this FR has been open) because of this, and to everyone who asks in private I have been suggesting the same thing for some time now.

Before you ask: although the clients are FOSS, the service is proprietary and therefore I'd prefer to refrain from mentioning which service it is.

marius-wieschollek commented 8 months ago

There is a dedicated OTP management app for Nextcloud: https://apps.nextcloud.com/apps/otpmanager

I recommend using that. I currently don't plan on adding OTP anytime soon.

AxelTheGerman commented 8 months ago

Thank you for weighing in!

[...] currently don't plan [...] anytime soon.

Is that just because it is low on your priority list? Sounds like you're open to it in general. I have no PHP experience but wondering if you'd welcome contributions.

JoshuaPettus commented 8 months ago

I'll be honest, since I last posted, I'm starting to change my mind. There is benefit to not having "all your eggs" in the proverbial basket. Having the OTP being managed in a separate encrypted database i.e. the OTP app might really be for the best.

From a practical standpoint, once the OTP app matures and has browser apps, it won't make that much of a difference. Right now it only has the phone apps, but he does list browser plug-ins among the compatible apps, though they are disabled. It is clearly planned.

marius-wieschollek commented 8 months ago

@AxelTheGerman Yes, would be very welcome.

JoshuaPettus commented 5 months ago

In case anyone on this thread is interested, the nextcloud OTP manager app does have a 3rd party browser extension now that does the job. https://github.com/beatles1/simple-otpmanager-browser

nooblag commented 3 days ago

It'd be great if OTP support gets added to this great app!