Skip to content

andrew-t/dubstep

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits

README.md

README.md

 
 

dubstep.js

dubstep.js

 
 

dubstep.sh

dubstep.sh

 
 

package.json

package.json

 
 

qr.js

qr.js

 
 

Repository files navigation

dubstep

Adding good 2-step auth support to pass

I’ve taken to using pass as my main password vault. It uses GPG for encryption and Git for cloud sync. It’s a pain to set up, especially cross-device and on Android (tip: install this app and this GPG keychain using F-Droid) but it can be done and it’s easy thereafter.

I also use 2-factor authentication wherever possible, but I like hacking my phone, so obviously having all my logins tied to it is a problem.

To that end, I have written dubstep.

Installation

git clone https://github.com/andrew-t/dubstep.git
cd dubstep
npm install -g .

If you use gopass add export PASSCLIENT=gopass to your bash profile or whatever.

Storing credentials

Go to the website for which you want to set up two-factor authentication and have it display the credentials as text rather than a QR code. Then run dubstep:

dubstep

You will be prompted for:

  • a short name for the account — let’s say you pick example.
  • a long name for display in your Authenticator app
  • your username
  • your 2-factor authentication secret

Once done, view the QR code using

dubstep qr example

Scan the QR code in your terminal window using your Authenticator app. The website will usually ask that you enter a code to prove it worked correctly. If it did, you should run pass git push to store your new credentials to the cloud.

Generating codes

Now that your computer knows all your 2FA secrets, there’s no real reason you should need to get your phone out if you want a code. So instead, you can use

dubstep code example

and you can add a -c flag to the end to copy the code to the clipboard.

Security

Obviously this removes a level of security from two-factor if you think the following scenarios are plausible:

  • Your GPG key has no password and your computer is unencrypted and someone steals it.
  • Your GPG key and cloud storage are simultaneously compromised.
  • People nearby often scan giant QR codes they see on your screen.

2FA is supposed to be ‘something you know’ (your password) and ‘something you have’ (your phone). This makes it more like ‘two things you know’ when you’re using your own computer. But that’s already true when you’re using your phone, so maybe just exercise proper caution with your computer and everything will be fine?

Bonus

I added the code I create the in-terminal QR codes with to the command line, so you can QR any text or URL by typing

qr http://www.andrewt.net

and this pipes nicely into other apps (usually).

About

Adding good 2-step auth support to `pass`

Resources

Readme
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages