Syspass: Can sysPass generate one time passwords?

Created on 24 Sep 2018  路  11Comments  路  Source: nuxsmin/sysPass

sysPass Version
2.1

Describe the question
Can sysPass generate one time passwords using TOTP as an alternative to having to use an additional app (like Authy or Google Authenticator) for this?

kinfr v3

Most helpful comment

@jmfederico I agree with you, and that use case is a good one to request such feature.

I'll add it to the feature request list.

Thanks for the feedback!

All 11 comments

i could need this too. i have some TOTP which is still use within KeePass Plugin. Now, as is migrated most things to syspass, it argues to have some cool stuff left in KeePass^^

Hello, the key point on such features would be: will it provide an added value?, security matters, but does a TOTP application need to be self hosted to be more secure?. Please, don't misunderstand me, I'm willing to hear if I missed some unknown behavior.

Regards

The idea behind TOTP is to make sure that only the person in posession of the device/app that generates the code can access. So it does add value, since even if your password to an app or service gets stolen (keylogger or the likes) you are still protected because only by accessing sysPass the code can be generated.

@jmfederico I catch your points, but what would be different from Google authenticator?. I've used it for years and it's accepted in many sites like GitHub, Dropbox, banking, etc...

Just to note that sysPass v2 has a plugin that enables Google Authenticator.

Hey,
the difference would be that we won't need to have a seperate application to get passwords from. The scenario for TOTP secured accounts using syspass is currently:

  1. grab the password from syspass
  2. grab the time one time password from Google Authenticator or KeePass TOTP plugin for example
    grafik
    grafik

Imagine you are sitting on your computer and want to login to some 2FA secured application like Plesk. At the moment i am logging in to syspass to get my usual Plesk credentials. After that i need to generate the TOTP with KeePass on my computer or with Google Authenticator on my Smartphone to get the password. So i have to use different apps/devices. I'd like to do so out of the box with sysPass only.

Now you may ask whats the sense to get all passwords from one storage (=syspass). The Answer: every application which is secured by 2FA is still more secure because you need to know the secret and the login/password. So it would make sense to store TOTP secret + have some integrated TOTP generator in syspass, to avoid using other third party software to get a full login data set for the target application.

Google Authenticator does nothing more to convert this secret into the current password.

regards, Mario

@vmario89 It makes sense to have some security mechanisms integrated but IMHO I'd rather separate some of these pieces, since you're relying on one single point of failure, sysPass. Another key point is that Google Authenticator can run on mobile devices so an attacker would need to get access to your device in other to get the TOTP token.

Kind regards.

@nuxsmin The fact that it is available does not mean that everybody has to use it, but it does mean that the ones that need the functionality (like myself) could use it.

Using Google authenticator on your mobile phone works when you and only you want to to have access to the TOTP, but imagine a different workflow where you want to share access to an account that is protected with TOTP, and you want to share the generator.
That is a very common usage for groups and companies.

Many services do not allow the creation of multiple users, so one has to share the credentials for an account with your workmates.

Right now we are not able to enable TOTP on any of the shared accounts because how would we share the codes? It is impossible without sharing it through sysPass or similar.

Having sysPass generate the TOPT would allow us to share the credentials while keeping them safe.

@jmfederico I agree with you, and that use case is a good one to request such feature.

I'll add it to the feature request list.

Thanks for the feedback!

@nuxsmin Thank you! Much appreciated.

@nuxsmin can you change the description accordingly? I'd suggest "Add support for TOTP management". KeepassDX supports this nicely as a desktop application and its code could be used as an example. See https://www.youtube.com/watch?v=hVef2Sb6xBo

@nuxsmin any update on this?

Was this page helpful?
0 / 5 - 0 ratings

Related issues

DCWNZ picture DCWNZ  路  4Comments

matejzero picture matejzero  路  5Comments

PedroMD picture PedroMD  路  7Comments

GGOUSSEAUD picture GGOUSSEAUD  路  6Comments

sdutina picture sdutina  路  6Comments