Hi,
More than a bug this is more a question to know if this was the desired behaviour or is a security issue.
With the kind of two-factor authenticator teleport uses, you can pre-generate a bunch of codes without any problem and give your user, password and 100 codes (for example) to a third user and then they can connect without any problem (always using the sequence). _HOTP_
In the other hand exists a two factor Google authenticator that is based on current time that cannot be pregenerated. _TOTP_
This second method I think will be more secure unless this is a desired feature for example (generate a user and password with root access and give temporary access generating by yourself the two factor code [NOT THE USER] and then only allow this user to login as root once)
Please do this, I use authy to manage most of my 2-factor tokens and I cannot use it to mange teleport tokens for this reason
I can't use any of the Google service ! Fuck the Chinese Greatwall firewall !!
@halcy0n90 TOTP isn't a google service, it's just populary named after Google's authentication scheme which uses TOTP, it's standardized under RFC 6238 and is completely offline(if you don't count NTP).
Not to overlook, this has been pretty popular: https://www.authy.com/
Also, this is related: #665 - the CLI must know which 2FA to use without requiring any flags.
@kontsevoy I've been playing with Teleport and also noticed TOTP support was lacking. TOTP is preferable to HOTP due to the short lived nature of the tokens. It's similar to the short lived credentials that Teleport itself uses: reduces the window that compromised credentials are useful.
I can add support for TOTP unless someone is already working on it.
Will this enhancement also cover other OTP Apps such as Lastpass Authenticator and Intel's Truekey? We have a few developers using a variety of authenticators including Authy
@marchofreason this request is for TOTP which _should_ work with most other TOTP applications as long as it's following RFC6238. AFAIK authy supports this as well, but has a separate protocol that _is not_ compatible, and is more akin to DUO Security.
@marchofreason @thorerik will you guys help us test the next beta with your TOTP tools?
I'll look into it, I haven't even gotten into testing Teleport because this issue has been a firm blocker in my book,
Most helpful comment
Please do this, I use authy to manage most of my 2-factor tokens and I cannot use it to mange teleport tokens for this reason