tadfisher / pass-otp

A pass extension for managing one-time-password (OTP) tokens
GNU General Public License v3.0

Human friendly input/format? #31

Closed WhyNotHugo closed 6 years ago

WhyNotHugo commented 7 years ago

Hi there! First off, I'd like to mention that I've been maintaining totp-cli for quite a while now, but I'd really like to just join efforts and avoid having two tools with such a large overlap. Plus, pass-otp is a lot more feature complete and is better integrated (eg: as an extension).

There's only one feature that I'm finding critical, and it's the input/file format. It looks like entries expect an otpauth:// URL, but pass-otp doesn't provide the tools to convert a key to this format. While this is quite machine friendly, it leaves users crafting the URI manually, just to have a tool parse it (and that really doesn't make sense). I haven't seen any services that provide an otpauth:// either, but all do provide the raw key (I think battle.net is the strong exception here, but they provide neither).

Following on this, the file layout is really counter-intuitively formatted (and importantly, doesn't really follow pass's layout). I'm pretty sure that the old format is closer to pass-like. totp-cli's format is also a bit close (though this one has a lot less features). It's basically "key in the first line, extra args in the following ones").

Would you have any objections in PRs to clean all this up? How do you feel about these details in general?

tadfisher commented 7 years ago

> I haven't seen any services that provide an otpauth:// either, but all do provide the raw key

That's interesting. I've typically enrolled OTP secrets by decoding QR codes using zbarimg (see the README for an example), and QR images encoding otpauth:// key URIs seem to be the de facto standard for transmitting these secrets.

In addition, this tool supports many additional options, such as hotp mode, that services typically only specify via key URI parameters. I'm not sure asking the user to understand and input all the different parameter values (totp/hotp, period, algorithm, etc) is simpler than copying a URI for this use case.

What services have you found that provide a secret value but not a key URI?

WhyNotHugo commented 7 years ago

Most services provide a key or an image (I haven't seen any provide a key URI itself, but an image-encoded key URI): Google, Facebook, GitHub, GitLab are a few examples.

TBH, I don't see humans using the QR code as good UX; the steps for usage are something like:

While basically, the alternative is to just copy the key that's on-screen.

tadfisher commented 7 years ago

Would I be correct in assuming these standard OTP parameters for human-readable keys?

Also, is there a standard for the key format? I seem to come across 16-character keys with optional whitespace (collapsed on import, of course).
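The two questions above (what defaults to assume for a bare key, and how to normalize the whitespace-separated base32 that services display) are exactly the gap between a raw secret and an otpauth:// key URI. The following is an added example, not pass-otp's own code: it collapses and validates a human-entered base32 key, wraps it in a key URI with the de facto defaults (TOTP, SHA1, 6 digits, 30-second period), parses such a URI back, and computes HOTP/TOTP codes so the round trip can be checked against the RFC 4226/6238 test vectors. The defaults and the sample account name are assumptions for illustration.

```python
import base64
import hmac
import re
import struct
from urllib.parse import parse_qs, quote, unquote, urlparse

BASE32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")


def normalize_secret(raw):
    """Collapse whitespace, uppercase, drop padding; reject anything outside the base32 alphabet."""
    secret = re.sub(r"\s+", "", raw).upper().rstrip("=")
    if not secret or not set(secret) <= BASE32_ALPHABET:
        raise ValueError("secret is not base32")
    return secret


def key_uri(secret, account, issuer=None, otp_type="totp",
            digits=6, period=30, algorithm="SHA1", counter=0):
    """Build an otpauth:// key URI from a raw key, using assumed defaults (TOTP/SHA1/6/30)."""
    secret = normalize_secret(secret)
    label = f"{issuer}:{account}" if issuer else account
    params = [("secret", secret)]
    if issuer:
        params.append(("issuer", issuer))
    params += [("algorithm", algorithm), ("digits", str(digits))]
    if otp_type == "totp":
        params.append(("period", str(period)))
    elif otp_type == "hotp":
        params.append(("counter", str(counter)))
    else:
        raise ValueError("otp_type must be totp or hotp")
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params)
    return f"otpauth://{otp_type}/{quote(label, safe='')}?{query}"


def parse_key_uri(uri):
    """Parse an otpauth:// key URI into its parameters, applying the same defaults on the way back."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth key URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    label = unquote(u.path.lstrip("/"))
    if ":" in label:
        label_issuer, account = label.split(":", 1)
    else:
        label_issuer, account = None, label
    info = {
        "type": u.netloc,
        "account": account,
        "issuer": q.get("issuer", label_issuer),
        "secret": normalize_secret(q["secret"]),
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
    }
    if u.netloc == "totp":
        info["period"] = int(q.get("period", 30))
    else:
        info["counter"] = int(q.get("counter", 0))
    return info


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, modulo 10^digits."""
    secret = normalize_secret(secret)
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, int(for_time) // period, digits, algorithm)


if __name__ == "__main__":
    # Constructed input: the RFC 6238 test secret as a service might display it, in spaced groups.
    shown_key = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
    uri = key_uri(shown_key, "alice@example.com", issuer="Example")
    print(uri)
    print(parse_key_uri(uri))
    print(totp(shown_key, 59))  # RFC 6238 vector at T=59 (6 digits)
```

Collapsing whitespace before validation matters because services print the key in groups of four for readability, and a key that fails the alphabet check after collapsing is far more likely a typo than a genuine secret, so it is better rejected at enrolment than stored and silently producing wrong codes.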

tadfisher commented 6 years ago

Fixed by #31

WhyNotHugo commented 6 years ago

Looks like it's #43. Thanks! 👍