Howto use FreeOTP for Two-Factor-Authentication (2FA) on LinkedIn
Too Long;Didn't Read (TL;DR):
You can skip the steps listed below. If your 2FA/OTP App allows you to specify the secret key, type, algorithm and interval, use the following settings for LinkedIn:
Type: TOTP
Number of digits: 6
Algorithm: SHA1
Interval: 30 seconds
Original article
I try to enable Two-Factor-Authentication, or 2FA in short, on any of my accounts that supports it. But I dislike it when the 2FA-Codes are sent via Mail or SMS. This is just too insecure, as both can be intercepted. Personally I would go so far as to say "SMS & Mail isn't a valid & secure second factor", as there are too many reports of how scammers and phishers intercept SMS or mails. Yet many companies still default to this. LinkedIn too.
Therefore I wanted to switch to my Authenticator App of choice: FreeOTP - https://freeotp.github.io/
The source code is on GitHub: https://github.com/freeotp
It is completely OpenSource (sponsored by Red Hat) and even available in the alternative Android App-Store F-Droid, which only offers Apps that can be built completely from source.
As naive as I am sometimes, I thought it's just the following steps:
- Enable 2FA in my LinkedIn profile
- Provide password to authenticate
- Scan the QR-Code in FreeOTP
- Enter the generated code to verify it works
- Generate & Save the backup keys in my password manager
But not so on LinkedIn. They don't display a QR-Code. Well, to be precise: they did, before Microsoft bought LinkedIn. After that this changed. Nowadays they only show you the so-called secret key (encoded in Base32) and that's it.
Then LinkedIn tells you to install the Microsoft Authenticator App, while mentioning that you can, of course, use any other Authenticator App.
The problem? The described workflow for what to do with that key only works in the Microsoft Authenticator App.
Side-Note: Someone told me Google Authenticator should be able to use that code too. But I can't verify this.
LinkedIn gives you absolutely no additional technical information.
- No otpauth:// URL
- No information if TOTP or HOTP must be used
- Well, to be fair, we can safely assume it's TOTP.
- Which algorithm must be used?
- What is the lifetime (interval) of the generated codes?
Nothing. But this is exactly what I need for FreeOTP. I tried a few combinations, but had no luck.
So I resorted to the Linux command-line.
- Enable 2FA in your account until the secret key is displayed
- Install qrencode (or use one of the available Web-Generators for QR-Codes, at your own risk)
- Source Code is here: https://github.com/fukuchi/libqrencode but every major Linux distribution should have a package available
- Build the following string:
otpauth://totp/LinkedIn:MyAccount?secret=KEY-YOU-GOT-FROM-LINKEDIN
- All on one line, no spaces at the end, no trailing newline (it would become part of the secret).
- You can change "MyAccount" to something more meaningful like your mail address
- Example:
otpauth://totp/LinkedIn:JohnDoe@company.tld?secret=U4NGHXFW6C3CLHWLQEVCBDLM5FQMAQ7E
- Paste that string into a textfile.
- Again, no trailing newline or spaces at the end
- Execute:
qrencode -r /path/to/file.txt -t png -o /path/to/image.png
- This will generate a PNG image at the location specified by the -o parameter
- -r is the input file containing the string
- Display the QR-Code and scan it with FreeOTP
- Verify the code works
- Generate your backup keys and save them in your password manager
- Profit!
Some documentation regarding the otpauth:// URL, its syntax and the parameters you can use is available in the old Google Authenticator repository on GitHub: https://github.com/google/google-authenticator/wiki/Key-Uri-Format
(Google Authenticator once was OpenSource too, but sadly isn't any more.)
And while at it, I created the corresponding GitHub issue for the FreeOTP project, #360 "[Feature-Request] Allow adding of entries by just specifying label & secret", to properly take care of this nuisance. ;-)
Lessons learned
FreeOTP assumes the SHA1 algorithm and an interval of 30 seconds when these parameters are not part of the otpauth-URL. Choosing these settings works out of the box, and I can omit the QR-Code step this way.
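As an added example (not from the original post or from the FreeOTP project), the following Python shows what the otpauth:// URL and FreeOTP's defaults mean in code: it decodes the Base32 key the way LinkedIn displays it, computes an RFC 6238 TOTP code with SHA1, 6 digits and a 30-second interval, and builds the otpauth URL with every parameter spelled out so an app without FreeOTP's defaults still gets the right settings. Function names are my own; the only hard-coded secret is the RFC 4226/6238 test-vector seed, so the output can be checked against the RFC.

```python
import base64
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote, urlencode

# Constructed test material: Base32 of the ASCII seed "12345678901234567890",
# the shared secret used by the RFC 4226 / RFC 6238 test vectors.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(secret: str) -> bytes:
    """Decode a Base32 key as shown in the LinkedIn UI: tolerate spaces,
    lower case and missing '=' padding (the Key URI format omits padding)."""
    clean = "".join(secret.split()).upper().rstrip("=")
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: str, at: Optional[int] = None, period: int = 30,
         digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period). The LinkedIn
    settings (SHA1, 6 digits, 30 s) are exactly the RFC defaults."""
    now = int(time.time()) if at is None else at
    return hotp(decode_base32_secret(secret), now // period, digits, algorithm)


def otpauth_uri(issuer: str, account: str, secret: str, period: int = 30,
                digits: int = 6, algorithm: str = "SHA1") -> str:
    """Build the Key URI with every parameter explicit, so an app that does
    not share FreeOTP's SHA1/30 s defaults still gets the right settings."""
    label = quote(f"{issuer}:{account}", safe="")
    query = urlencode({"secret": "".join(secret.split()).upper().rstrip("="),
                       "issuer": issuer, "algorithm": algorithm,
                       "digits": digits, "period": period})
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    # RFC 6238 SHA1 vector: at Unix time 59 the code is 94287082 (6 digits: 287082).
    print(totp(RFC_TEST_SECRET, at=59))
    print(otpauth_uri("LinkedIn", "JohnDoe@company.tld", "U4NGHXFW6C3CLHWLQEVCBDLM5FQMAQ7E"))
```

The printed URL can be fed to qrencode exactly as described above; the only difference from the post's minimal string is that algorithm, digits and period are stated explicitly.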