Closed WhyNotHugo closed 6 years ago
I haven't seen any services that provide an otpauth:// either, but all do provide the raw key
That's interesting. I've typically enrolled OTP secrets by decoding QR codes using zbarimg (see the README for an example), and QR images encoding otpauth:// key URIs seem to be the de facto standard for transmitting these secrets.
In addition, this tool supports many additional options, such as hotp mode, that services typically only specify via key URI parameters. I'm not sure asking the user to understand and input all the different parameter values (totp/hotp, period, algorithm, etc.) is simpler than copying a URI for this use case.
What services have you found that provide a secret value but not a key URI?
Most services provide a key or an image (I haven't seen any provide a key URI itself, but an image-encoded key URI): Google, Facebook, GitHub, GitLab are a few examples.
TBH, I don't see humans using the QR as good UX; the steps for usage are something like:
While basically, the alternative is to just copy the key that's on-screen.
Would I be correct in assuming these standard OTP parameters for human-readable keys?
Also, is there a standard for the key format? I seem to come across 16-character keys with optional whitespace (collapsed on import, of course).
Fixed by #31
Looks like it's #43. Thanks! 👍
Hi there! First off, I'd like to mention that I've been maintaining totp-cli for quite a while now, but I'd really like to just join efforts and avoid having two tools with such a large overlap. Plus, pass-otp is a lot more feature complete and is better integrated (e.g. as an extension).
There's only one feature that I'm finding critical, and it's the input/file format. It looks like entries expect an otpauth:// URL, but pass-otp doesn't provide the tools to generate or convert a key to this format. While this is quite machine friendly, it leaves users crafting URIs manually, just to have a tool parse them (and that really doesn't make sense). I haven't seen any services that provide an otpauth:// either, but all do provide the raw key (I think battle.net is the strong exception here, but they provide neither).
Following on this, the file layout is really counter-intuitively formatted (and importantly, doesn't really follow pass's layout). I'm pretty sure that the old format is closer to more pass-like. totp-cli's format is also a bit close (though this one has a lot less features). It's basically "key in the first line, extra args in the following ones".
Would you have any objections to PRs to clean all this up? How do you feel about these details in general?
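The conversion this thread asks about, from a raw on-screen key to an otpauth:// key URI, as an added example that is not code from pass-otp or totp-cli. The function names, the sample key, and the defaults (SHA1, 6 digits, 30-second period, as in the commonly used Key URI format) are assumptions, since the thread does not list the parameter values.

```python
import base64
import re
from urllib.parse import quote, urlencode


def normalize_secret(raw: str) -> str:
    """Collapse whitespace and dashes, uppercase, and validate as base32."""
    secret = re.sub(r"[\s-]+", "", raw).upper().rstrip("=")
    if not secret:
        raise ValueError("empty secret")
    if not re.fullmatch(r"[A-Z2-7]+", secret):
        # Do not echo the secret itself in the error message.
        raise ValueError("secret contains characters outside base32 (A-Z, 2-7)")
    # Re-pad to a multiple of 8 only to prove the value decodes cleanly;
    # this rejects truncated keys whose length cannot be valid base32.
    try:
        base64.b32decode(secret + "=" * (-len(secret) % 8))
    except ValueError as exc:
        raise ValueError("secret does not decode as base32") from exc
    return secret


def key_to_uri(raw_key, account, issuer=None, otp_type="totp",
               algorithm="SHA1", digits=6, period=30, counter=0):
    """Build an otpauth:// key URI from a human-readable key.

    Defaults are assumed, not taken from the thread.
    """
    if otp_type not in ("totp", "hotp"):
        raise ValueError("otp_type must be 'totp' or 'hotp'")
    params = {"secret": normalize_secret(raw_key)}
    label = quote(account, safe="")
    if issuer:
        label = quote(issuer, safe="") + ":" + label
        params["issuer"] = issuer
    params["algorithm"] = algorithm
    params["digits"] = digits
    # TOTP carries a time step, HOTP carries the current counter value.
    if otp_type == "totp":
        params["period"] = period
    else:
        params["counter"] = counter
    return f"otpauth://{otp_type}/{label}?{urlencode(params, quote_via=quote)}"


if __name__ == "__main__":
    # Constructed sample key (16 characters, spaced as a site might show it).
    print(key_to_uri("jbsw y3dp ehpk 3pxp", "alice@example.com", issuer="Example"))
```

The resulting URI contains the secret in clear text, so it should go straight into the encrypted store rather than into shell history or logs.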