marius-wieschollek / passwords

A simple, yet feature rich password manager for Nextcloud
GNU Affero General Public License v3.0
215 stars 46 forks source link

[Feature] Storing OTP #69

Open Trinnik opened 6 years ago

Trinnik commented 6 years ago

I would like to request a feature to be integrated into the passwords app that stores OTP information for use in the browser extension. Passman has this feature but development on that app has obviously slowed dramatically and I am looking for a new password app to use. I have attached a screenshot of what I’m talking about with the passman web extension. It is super nice to be able to copy my Authy/Google Authenticator codes to my clipboard instead of opening my phone every time I need a code.

70d8ab71df6c9b85fd12ad7924a2a3280b2904ff

Trinnik commented 6 years ago

In respone to tflidd on the forum,

Wouldn’t you bypass 2FA like this? It’s the purpose to have a second, independent device. If everything is stored at the same place (your password manager), your security breaks when someone has access to it, he can access your 2FA-codes as well. So you can just use a normal password.

Yes that does break it if someone gains access to my server that stores it. But it is still an extra layer of security because in the much more likely event that someone gets my password from cracking another site they still don't have my 2FA without then going and cracking my server.

mactrent commented 6 years ago

One might say the point of having a password manager is to make password re-use across different sites a thing of the past, but one large benefit of OTP (regardless of how many other factors are used) is that a single "password" cannot be used in a replay attack, even on the same site.

marius-wieschollek commented 6 years ago

I already had OTP support planned as a feature after the basic features are implemented.

I would argue that as soon as you can use client side encryption and with it the improved server side encryption, the barrier for stealing the tokens is quite high since you need access to the Nextcloud server, the account password (or any app token) and the master password for the app to access the password database.

Aside from that the main difficulty for this feature is finding a good OTP javascript library.

tflidd commented 6 years ago

the barrier for stealing the tokens is quite high since you need access to the Nextcloud server, the account password (or any app token) and the master password for the app to access the password database.

the barrier for the unique very complex password is already high. What does OTP provide on top of that? Do you have a scenario where someone gains access to your password but not your OTP? And there could be legal issues in case your need to use 2FA/OTP for additional security since you bypass this feature. It's like writing your pin of your credit card in the same wallet which is secure because you have a very good body guard!

mactrent commented 6 years ago

What does OTP provide on top of that? Do you have a scenario where someone gains access to your password but not your OTP?

Phishing, or some other man-in-the-middle attack (as [not] perceived by the user) is a really common way of getting a user's password. In-transit encryption, trusted web hosts with verifiable certs, and user training should work together to prevent this, but alas, we need to plan for when it happens, rather than if. If you're using OTP instead of a password, the most an attacker gets is a single login session, instead of all future login sessions. This is why it's best-practice to have a user re-authenticate before making changes that might transfer ownership of an account.

Even if there was such a thing as a per-vendor PIN on your credit card (which there isn't, for the same reasons we need password managers), a changing PIN would be better because the observation of no single transaction could allow an attacker to make arbitrary transactions as the user in future. Bribing cashiers or planting skimmers+cameras is less useful when the info thus stolen can only impersonate the user once, to one vendor, at one given point in time. The vendor then has the ability to make things more secure by re-verifying - most don't, but that wasn't even an option before. Having a per-vendor PIN and a changing PIN, even if they're in the same wallet, is still far better than expecting every single transaction to be secure from observation. You can at least do something meaningful to guard your wallet, while all you can do is look/shake to detect card skimmers/cameras, and you're not likely to discover them even if they're there. To stretch the analogy more than I already have: if you really need 2FA that legally must be separated, put OTP in your wallet and remember your password, rather than remembering a short and static PIN.

Sorry to derail. In general, though, password managers have begun to implement OTP as a matter of course - see KeePass (via plugins), LastPass, etc. Let the user sort out any trade-offs or legal gotchas, having it is better than not in any case.

marius-wieschollek commented 6 years ago

And there could be legal issues in case your need to use 2FA/OTP for additional security since you bypass this feature.

Passwords does not provide any tools to enforce password rules. It's up to the individual user to comply with any given rules. Using the passwords app does not replace the individual responsibility to keep ones passwords safe.

Also in my opinion it would be naive to believe that people will store their OTP tokens in a secure way if the app does not support OTP. Services like GitHub give you some backup tokens when you set up 2FA. People will just paste those codes into the notes field or create a file and link it to the password.

The security of OTP tokens would also be compromised if your smartphone gets stolen and you are still logged into Nextcloud.

Having OTP in the password app is helpful if you're the kind of person who will drop his phone into a pond or just resetting it. If you have your tokens in the passwords app, they will still be there in those cases.

Also if you loose access to a device, you can just delete it in the security settings.

marius-wieschollek commented 6 years ago

I would implement OTP support as a special password type. That way, you can use the app as your OTP provider without necessarily having to store a corresponding password with it.

I do still have passwords that only exist in my head and think it would be great if i could have an always accessible source for the OTP that belongs to these passwords.

tflidd commented 6 years ago

I try to use a hardware device for 2FA, so one time passwords are only a backup if one or all of these devices won't work. In that case, I just print them and store them in a secure place (at home, in my wallet, whatever). For me the worst place to store them is anywhere close where the password itself is stored.

marius-wieschollek commented 6 years ago

I think it would be good to add a warning in the interface which makes it clear to the user that storing OTP and password in the same app is insecure.

szaimen commented 5 years ago

I agree, that this is one of the last missing important features.

circlenaut commented 5 years ago

I second @szaimen

olpo24 commented 4 years ago

I like your APP and corresponding Browser Extensions/Android apps much more then other password management solutions for nextcloud. But this issiue is the only thing why I'm not using your app in Nexcloud :-(

jficz commented 4 years ago

I think it would be good to add a warning in the interface which makes it clear to the user that storing OTP and password in the same app is insecure.

I'm all for OTP implementation (it's one of those little things that prevents me from switching completely) but I would argue whether the Passwords app is the right place to educate users about authentication principles.

EricThi commented 3 years ago

Hello,

Do you have any information for add this mandatory feature ?

Passman is end of life now (My nextcloud is on 20.0.2 and waiting to start upgrade to 20.0.4 because passman can be fail...need time to test it on preprod)

I have more 200 credentials on my account and it's used by another people on my server. First prerequis after share between user : OTP

Good work for this app; and a verry good new year :)

paulcalabro commented 3 years ago

Yeah, same here. Once there's support for OTP, I'll migrate over to Passwords as well. That's the only thing keeping me on Passman atm.

adocampo commented 3 years ago

I've just stumbled upon Password after a while, I've been following the project but I didn't feel it was better than Passman, which I was a happy user of, but Passwords now seems quite mature.

I did see the changes on the interface and the new cool features (since last time I saw Passman) and quickly searched for 2FA/OTP feature. I got disappointed when I couldn't find it.

I can understand people who cares about leaving all the eggs on the same basket, but they can simply don't use that feature and let other people use whatever they want. A warning message on configuration setting letting clear that's is more insecure than having the OTP mechanism aside of the password manager would be enough, IMO.

A password to unlock the wallet on the browser extension (and the possibility to member the password or leave it unlocked or lock after a few minutes) will be necessary to harden a little bit and leave your computer unlogged for a while for example at work.

Anyway, I'm impressed how Passwords has improved since last time I saw it. Very good job @marius-wieschollek !!

AxelTheGerman commented 3 years ago

I am trying to shift more and more of my tools to my personal, hosted nextcloud. I'm currently using Bitwarden which is very smooth. But I'd use something less polished as long as the basics work.

2FA/OTP is a main feature of a password manager for me. I understand some people's security concerns about storing passwords and OTP secrets in the same place. But it's better than not using 2FA. Bitwarden, LastPass etc all do it too. Not saying it's perfect but the right trade-off between security and convenience for me.

Thank you for all the work you put in @marius-wieschollek - unfortunately this technology stack is not my forte so I won't get myself to contribute

xplosionmind commented 3 years ago

Good morning. Are there any updates concerning this implementation?
In my team I have several different social media managers, and I would love to implement 2FA on our social accounts while still being able to share passwords with them through the app.

xplosionmind commented 3 years ago

ping

zhaknafein commented 2 years ago

+1 for this request. As for the JS library, can this be useful? https://otplib.yeojz.dev/

gerbenvandekraats commented 2 years ago

+1

Tealk commented 2 years ago

+1

mjeshurun commented 2 years ago

One more vote for adding 2FA/TOTP support to the Passwords app. Thank you to all the developers.

dimmenhau commented 2 years ago

Hello, I would like to change my management from a paid solution to this app. But for this I would need the OTP function.

When is the current plan to implement this.

tmkis2 commented 1 year ago

Thought the app already had this feature. Damn! Would love to change from 1password to passwords from nextcloud but need OTP support. Noticed this while trying to import my passwords.

Ostantia commented 1 year ago

I'm still a KeeWeb user just because of this issue. I would love to use Passwords but the lack of OTP is a deal breaker to me, I use more than 200+ accounts and at least the 1/3 of them use OTP, so not having it is not possible.

mjeshurun commented 1 year ago

Based on the iOS app changelog, support for OTP was added from app version 2.6 (9 months ago).

tmkis2 commented 1 year ago

Based on the iOS app changelog, support for OTP was added from app version 2.6 (9 months ago).

Yes as a feature for the iOS app itself. It is not supported by other passwords clients (browser addon etc.)

NetworkFound commented 1 year ago

Would like to ask if this is still being worked on as I am looking into switching over to this if OTP support is added

djibux commented 1 year ago

I do believe that feature would be useful. I don’t use OTP much but some website require using an OTP. I think it’s nice to have an all-in-one solution.

jficz commented 1 year ago

As far as I know the idea was never dismissed so chances are someone has this on their TODO list.

That being said, a timeline/milestone estimate wouldn't hurt.

But that being said, this is still an open-source project so everyone is welcome to submit PRs with the functionality or sponsor the feature.

... but that being said, all relevant competition has OTP store option already available, even the newest kid on the playground.

stepcellwolf commented 1 year ago

+1 will be a nice plus to have it, and I could contribute in development if needed.

gellenburg commented 1 year ago

Please add TOTP support. Bitwarden has it. 1Password has it. LastPass has it. KeePassXC has it. Happy to sponsor the development, let me know.

luminous706 commented 1 year ago

I would also like to have TOTP, as all the other big names out there support TOTP. As long as you don;t have that feature, I can't fully switch.

JoshuaPettus commented 1 year ago

While there is now a very nice separate OTP Management App available for nextcloud (complete with phone apps), I would still love to see it integrated into Passwords itself if possible. If only to have one less app to manage, and this one is just a little more mature.

pxxsxx commented 12 months ago

Has there been any progress in implementation now? The lack of OTP support is the one reason that prevents me from using the app.

jficz commented 12 months ago

I hate to say this but I moved to a competing product a while ago (one that, incidentally, has been created from scratch in much less time then this FR has been open) because of this and to everyone who asks in private I suggest the same thing for some time now.

Before you ask, albeit the clients are FOSS, the service is proprietary and therefore I'd prefer to refrain from mentioning which service it is.

marius-wieschollek commented 12 months ago

There is a dedicated OTP management app for Nextcloud: https://apps.nextcloud.com/apps/otpmanager

I recommend using that. I currently don't plan on adding OTP anytime soon.

AxelTheGerman commented 12 months ago

Thank you for weighing in!

[...] currently don't plan [...] anytime soon.

Is that just because it is low on your priority list? Sounds like you're open to it in general. I have no PHP experience but wondering if you'd welcome contributions.

JoshuaPettus commented 12 months ago

I'll be honest, since I last posted, I'm starting to change my mind. There is benefit to not having "all your eggs" in the proverbial basket. Having the OTP being managed in a separate encrypted database i.e. the OTP app might really be for the best.

From a practical standpoint, once the OTP app matures and has browser apps, it won't make that much of a difference. Right now it only has the cell apps, but he does list browser plug-ins in the compatible apps though they are disabled. It is clearly planned.

marius-wieschollek commented 11 months ago

@AxelTheGerman Yes, would be very welcome.

JoshuaPettus commented 8 months ago

In case anyone on this thread is interested, the nextcloud OTP manager app does have a 3rd party browser extension now that does the job. https://github.com/beatles1/simple-otpmanager-browser

marius-wieschollek commented 2 weeks ago

If you want this feature, use the :+1: emoji on the initial post, do not comment. I will delete any off topic comment as well as any "me want this" comment