monich / harbour-foilauth

Secure OTP (One-Time Password) generator for Sailfish OS
https://openrepos.net/content/slava/foil-auth

HOTP extension #26

Open gh-ix opened 2 years ago

gh-ix commented 2 years ago

Hello,

While SailOTP does a good job, I'd like to offer a donation or a funding share for adding HOTP. Anybody else willing to support this extension, with code or money? Existing tokens should be importable from SailOTP.

Thanks

monich commented 2 years ago

You mean the counter-based OTP? I was considering it but wasn't sure if anyone actually needs it. Your request does prove that it's indeed being used somewhere.

I have no way of testing it, but I could provide an implementation which would produce the same output as SailOTP.

gh-ix commented 2 years ago

On 02.10.2021 at 02:16, Slava Monich wrote:

You mean the counter-based OTP? I was considering it but wasn't sure if anyone actually needs it. Your request does prove that it's indeed being used somewhere.

I have no way of testing it, but I could provide an implementation which would produce the same output as SailOTP.

Hi Slava,

Counter-based OTP is a prerequisite for me to change from SailOTP to foilauth. It's not for a public service, and I can't grant you a test user unfortunately.

I'm using SailfishX on XperiaX. And I'm using different phones, so I need to share the OTP tokens. Like mentioned, due to a security policy of one of my customers, I'm forced to use counter/HOTP. I never read through the RFCs, but the HOTP implementation of SailOTP works, including sharing the token (by simple filesystem-based copying of some files I don't remember right now).

Actually HOTP was chosen over TOTP by those guys to prevent sharing/leaking the token. With your symmetric encoded-key-based encryption, it should still be possible for me to duplicate the token for another device/backup, but not to leak it, so I'm not violating the customer's policy that much any more.

Would send 100€ for your efforts. Just a small share of what it's worth, but maybe it covers the conversation time with me :-) By PayPal?

Thanks, -harry

monich commented 2 years ago

You've got me interested. I've coded a prototype of HOTP support over the weekend. If you're willing to give it a try, you can pull rpms out of my test project on Sailfish OS public OBS (armv7hl, aarch64). Further development is probably going to be on hold until next weekend, so you have some time to provide feedback.

I appreciate your willingness to make a donation. I will pass for now, please send this 100€ to your favorite open source project))

gh-ix commented 2 years ago

Thank you very much, highly appreciated! Yet I have to find how to reply to sender-only via GH...

For the donation: Very generous, will send to a sailfish contributor (although I'm the BSD guy and the FreeBSD foundation funds great people/projects, which easily eliminates the burden to select something specific, especially for such small amounts). rinigus, unmaintained or openrepos come to my mind. Don't know anything about OBS. First contact was a thread in the forum, in which I haven't understood what they were talking about... And now for downloading your version; I guess it's a service maintained by Jolla - those skilled open source developers make SailfishOS usable besides/despite the Aurora duty book, so Jolla already gets more than adequate return for providing/maintaining OBS... my first opinion... Suggestions welcome, as mentioned, should be sailfish related. Will try to find out more about OBS meanwhile and test foilauth with importing HOTP and, accidentally, I need a new TOTP token, which SailOTP failed to scan yesterday. Will report asap, thanks! -harry

monich commented 2 years ago

Regarding the donation, I'd vote for openrepos. Supporting a platform, which allows developers to cooperate, is more important than supporting individual people, IMO. As long as people have a paid daily job))

And yes, OBS is a service provided by Jolla to the community. I use it to make clean reproducible builds. It can be shut down at any time, though.

If you have a token as a QR code which doesn't get scanned, try scanning it with Code Reader and see what's in there. Don't blindly copy/paste its contents though, because it contains your secret key in one form or another.

gh-ix commented 2 years ago

Will send 100 bucks to openrepos, early next week, mentioning slava as donator if not forbidden to do so. Had the chance to do a few tests: Import from SailOTP worked for the TOTP tokens, the HOTP was simply skipped - no error, just not offered to import. I could add it manually without problems (SailOTP shows the counter value along with the secret). FoilAuth now shows the same counter-based OTPs - haven't had the opportunity to apply one, but since the first few increments gave the same OTPs, this will work. General feedback: I very much like the stepping buttons enclosing the (H-)OTP! I very much like the (scrolling) cover peek view for tagged tokens! Amazingly well designed! I'd prefer a distinct edit-mode switch, I unintentionally move tokens in a list not needed/possible to scroll but tried to scroll. So moving mode needs to be activated/deactivated by the user. Like mentioned, impressive work, even the UI is better than SailOTP!

One general suggestion/question, regarding the foil key's passphrase: Due to the nature of this crucial part in the chain, my phrase is not short and not easy to enter. Is it possible to save the phrase in any fingerprint-locked user's mmap/store/container? The idea is, in order to unlock any foilDB, you need the key and need to enter the corresponding phrase once - like now, but as long as the user's session isn't terminated (by power cycle or changing to another user - which has been the most important missing feature in SailfishOS for me, but is finally available), you can unlock any re-locked foilDB with the fingerprint instead of the phrase. I guess currently the foilDB gets locked each time the device lock triggers. Other apps do it likewise, but this security realm/measure doesn't suffer from weak fingerprint entropy too much imho - as long as it's not used directly for key encoding, just for encrypting the phrase container. No idea if there are APIs available which allow one to create any fingerprint locker....

If this is generally impossible, I'd very much like foilauth to get an 'ignore termination gesture' flag - user switchable maybe. I guess it's even more unlikely that there's a hook for such a feature (on a per-app basis).

Thanks a lot, beta is working great for me! -harry

monich commented 2 years ago

Yeah, I need to check how SailOTP stores its HOTP codes and import those too.

All 4 pulley menu items are already used by the Foil Auth main view, and that's a usability limit for landscape orientation. Perhaps I should consider replacing "Lock" with "Organize" (like it's done in Foil Notes). However, I was planning to replace "Lock" with "Import" which would import multiple tokens at once from otpauth-migration: QR codes. Let me think about it. I agree that rearranging is a fairly rare operation and doesn't need to be easily accessible. And so is import ))

BTW, when the device gets locked by inactivity timeout, quickly unlocking it (within 20 sec or so) keeps Foil key unlocked.

I may consider other locking/unlocking options when I add settings UI.

gh-ix commented 2 years ago

Didn't know there's an SDK/hard/vendor limit... although some make sense, e.g. 4 pulley lines for landscape (which is the orientation I use 99% of the time), I actually don't like such limits. I'm not using Sailfish that much, but I think other apps do have a secondary pulley menu at the bottom. Grouping security/foil-key related actions (change phrase, lock) into the bottom pulley might be an option. Or vice versa, leaving those two in the top pulley, and the rest either at the bottom or in a separate actions page, reachable by the right-top radio button. I think right-top buttons are commonly used as a context-menu equivalent. Sorry, I can't name the correct Sailfish terms for these UI elements. Just a few ideas from somebody loving strict conventions and consistency ;-)

monich commented 2 years ago

I have published version 1.0.19 which supports HOTP. Let's start with that, other improvements will come later.

gh-ix commented 2 years ago

Thanks a lot! Not that it's important to me, but the HOTP import doesn't respect counter state - OTPs begin with 1, regardless of what the SailOTP counter reads. But that really is no issue imho. The audience will check and know what to compare/how to match... Couldn't send money to openrepos yet, because I don't speak Russian: Their payment service has a switch for English but keeps displaying all relevant text in Cyrillic. Already asked for PayPal. Offering another 100 bucks for a keyphrase-fingerprint solution ;-) Especially because I noticed that the key unlocking is app dependent, so having unlocked Foil Auth doesn't allow me to read Foil Notes without entering it immediately again. For real world usability, I need to get access to my tokens much more conveniently. The TOTPs aren't critical at all, and I prefer to launch SailOTP separately for these because I can't enter the phrase each time I need a token. The HOTP is a bit different, it requires more protection due to policy. In order to comply with policy I deleted that one from SailOTP and it's currently the only one I use Foil Auth for, because of the much too frequent phrase requests. Another feedback: I recently mentioned scanning problems - I'm aware that I can manually enter the QR cleartext. What I was referring to is an already known SailOTP glitch with the camera: https://github.com/seiichiro0185/sailotp/issues/49 Just did one test so far, but I guess your implementation wasn't taken from SailOTP - it worked flawlessly. Recognized the code quicker than I could adjust the distance, did a successful scan although it was hardly identifiable as a QR by my weak human eyesight :-) And another question: How can I change my decision not to import? On one device I intentionally selected "don't import" since I was distracted and didn't remember if I removed the old content before. Deleting Documents/FoilAuth isn't enough to re-trigger the import assistant. grepping .conf recursively didn't give any hints where the config is stored, besides confd/user - which I'm not aware to what this belongs to. Thanks, -harry
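The counter-state point raised in this thread (an HOTP token imported with its counter reset produces different codes than the server expects) is easiest to see with the algorithm itself. The following is an added example, not code from Foil Auth or SailOTP: a plain RFC 4226 HOTP implementation, a TOTP wrapper, and a small parser for the otpauth:// Key URI format, using a constructed sample URI whose secret is the RFC 4226 test key. Function names (`hotp`, `totp`, `parse_otpauth`, `next_hotp`) are the example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: RFC 4226 test secret "12345678901234567890" in base32,
# with a stored counter of 5 as an authenticator app would persist it.
SAMPLE_HOTP_URI = (
    "otpauth://hotp/Example:harry@example.org"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&counter=5&issuer=Example"
)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    if counter < 0 or counter >= 1 << 64:
        raise ValueError("counter must fit in an unsigned 64-bit integer")
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte selects the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP where the counter is the number of time steps since the Unix epoch."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Parse otpauth://{hotp,totp}/label?secret=...&counter=... (Key URI format)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("hotp", "totp"):
        raise ValueError("not an otpauth hotp/totp URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    b32 = params["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)                  # Key URIs usually omit base32 padding
    token = {
        "type": parsed.netloc,
        "label": unquote(parsed.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(params.get("digits", 6)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }
    if token["type"] == "hotp":
        # The counter is mandatory for HOTP; refuse rather than silently assume 0.
        if "counter" not in params:
            raise ValueError("hotp URI without counter")
        token["counter"] = int(params["counter"])
    else:
        token["period"] = int(params.get("period", 30))
    return token


def next_hotp(token: dict) -> tuple:
    """Return (code, token with counter advanced). The client must persist the new counter."""
    code = hotp(token["secret"], token["counter"], token["digits"], token["algorithm"])
    return code, {**token, "counter": token["counter"] + 1}


def import_mismatch(uri: str) -> tuple:
    """Code from the stored counter vs. the code a reset-to-0 import would show first."""
    token = parse_otpauth(uri)
    kept, _ = next_hotp(token)
    reset, _ = next_hotp({**token, "counter": 0})
    return kept, reset


if __name__ == "__main__":
    kept, reset = import_mismatch(SAMPLE_HOTP_URI)
    print("counter kept:", kept, "| counter reset to 0:", reset)
```

Because the server only accepts codes at or slightly ahead of its own counter, the reset import produces codes the server has long since consumed; keeping the stored counter on import avoids the resynchronisation the thread describes.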

gh-ix commented 2 years ago

Just for completeness: When adding an HOTP token by showing the QR from the Foil Auth store, the scanned token reads the correct counter state. Another suggestion regarding Foil Auth convenience: Making sophisticated phrase usability helpers might take too much time. Another intermediate workaround might be an unencrypted token store for Foil Auth, likewise Foil Pics and Foil Notes have it already. I only encrypt sensitive notes/photos, while using Foil Pics/Foil Notes for all pics and notes. I can imagine having the majority of tokens unencrypted and thus available as conveniently as with SailOTP, but within Foil Auth.

As a 2nd step, a comprehensive re-locking setting would be fantastic - currently I don't know what/how the re-lock is triggered. Most likely by device lock. A selectable timeout would be nice, additionally selectable whether the counter starts device-lock dependent or independently after the last Foil usage. Just a few ideas.

Thanks, -harry