Feuerfest

Just the private blog of a Linux sysadmin

Switching Two-Factor Authentication Apps

Photo by Pixabay: https://www.pexels.com/photo/qr-code-on-screengrab-278430/

As I'm preparing to update the firmware on my mobile, updating the ROM and rooting it I'm currently in the "Backup, document and save everything" phase. This means I'm checking that I can backup and restore all my Two-Factor authentication codes (2FA) properly.

Partly because I didn't backup the enrolment QR-Codes for every service I signed up over the years. Documenting the otpauth:// URL and/or the initial QR-Code is still the best way. Then it doesn't even matter if all your devices get lost. You can just enter the information in your 2FA app use the code to sign in and then disable 2FA and re-enable it to invalidate the old secret. Locking out anyone else possibly using your devices/accounts.

As I played around a little bit with 2FA apps over the time I got three apps installed:

And here my problems are starting.

Google Authenticator: Only allows you to export your entries in a QR-Code. (Beside the Cloud sync, but whoever uses this hasn't properly understood 2FA in my personal opinion..)

Aegis Authenticator: Allows the export in un-/encrypted clear text. Even with proper otpauth:// URLs. Nice!

FreeOTP: Offers exporting your entries in an externalBackup.xml called file which contains JSON structured data!? Okay.. The secrets are encrypted with the password you chose when you installed the app. It cannot be changed or retrieved otherwise afterwards so I hope you remember it. 😉

There is a discussion on GitHub about how to decrypt that file, extract the secrets and build proper otpauth:// URLs, but that solution didn't work for me.

I only got the following error message:

user@host:~$ python3 freeotp.py
Traceback (most recent call last):
  File "/home/user/freeotp.py", line 26, in <module>
    tree = ET.parse("externalBackup.xml")
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/xml/etree/ElementTree.py", line 1218, in parse
    tree.parse(source, parser)
  File "/usr/lib/python3.11/xml/etree/ElementTree.py", line 580, in parse
    self._root = parser._parse_whole(source)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
xml.etree.ElementTree.ParseError: not well-formed (invalid token): line 1, column 0

Anyway, after deleting myself from several services in the last years only two entries were still needed and it was easier and faster to just disable 2FA on these accounts. So that is what I did.

Using Aegis Authenticator to migrate to any 2FA app of choice

Regarding my entries in the Google Authenticator I generated the QR-Code and scanned that with Aegis Authenticator. Aegis properly imported all entries and the generated 2FA tokens were correct when I checked them against Google Authenticator.

As Aegis allows me to export everything in clear text I can use that to migrate to any 2FA app of my choice. But most likely I will stick to Aegis.

Yes, this clear text export is a potential security risk. I get it. But if it means I have a way to easily migrate 30+ 2FA accounts I'm willing to make that compromise. Yes, I mean.. Now that I have all my secrets and otpauth:// URLs that shouldn't be a concern anymore, right? Well, now I have everything. I'm pretty sure in the future I'm forgetting to properly document some 2FA codes again, hence this being the better choice.

Or are there other solutions I'm missing?

And what about the Microsoft Authenticator?

Honestly? I'm forced to use this by my employer as we don't allow any other form of 2FA for authentication in our company. As it also implements some sort of custom 2FA no other app supports I couldn't be bothered to search for a solution.

Hence there is only one account tied to it. So I did what was reasonable: I removed the app, deleted all settings and cached files, reinstalled the app and just enrolled my account again.

Yes, this required a ticket for our IT Helpdesk to remove the old Authenticator from my account, but I had no problem with that.

Comments

Howto use FreeOTP for Two-Factor-Authentication (2FA) on LinkedIn

Photo by Pixabay: https://www.pexels.com/photo/black-android-smartphone-on-top-of-white-book-39584/

Too Long;Didn't Read (TL;DR):

You can omit the steps listed below. If your 2FA/OTP App allows to specify the secret key, type, algorithm and interval use the following settings for LinkedIn:

Type: TOTP
Number of digits: 6
Algorithm: SHA1
Interval: 30 seconds

Original article

I try to enable Two-Factor-Authentication, or 2FA in short, on any of my accounts that supports it. But: I dislike it, when the 2FA-Codes are sent via Mail or SMS. This is just too insecure as both can be intercepted. And personally I would go so far to say "SMS & Mail isn't a valid & secure second factor." As there are too many reports how scammers and phishers intercept SMS or mails. Yet many companies still default to this. LinkedIn too.

Therefore I wanted to switch to my Authenticator App of choice: FreeOTP - https://freeotp.github.io/
The source code is on GitHub: https://github.com/freeotp

It is completely OpenSource (sponsored by RedHat) and even available in the alternative Android App-Store F-Droid, which only offers Apps which can be build completely from source.

As naive as I am sometimes I thought it's just the following steps:

  1. Enable 2FA in my LinkedIn profile
  2. Provide password to authenticate
  3. Scan the QR-Code in FreeOTP
  4. Enter the generated code to verify it works
  5. Generate & Save the backup keys in my password manager

But not so on LinkedIn. They don't display a QR-Code. Well.. To be precise. They did. Before Microsoft bought LinkedIn. After that this changed. Nowadays they only display you the so-called secret key (encoded in Base32) and that's it.
Then LinkedIn tells you to install the Microsoft Authenticator App, while mentioning, that you can, of course, use any other Authenticator App.

The problem? The described workflow on what to do with that key only works in the Microsoft Authenticator App.
Side-Note: Someone told me Google Authenticator should be able to use that code too. But I can't verify this.

LinkedIn gives you absolutely no additional technical information.

  • No otpauth:// URL
  • No information if TOTP or HOTP must be used
    • Well, to be fair, we can safely assume it's TOTP.
  • Which algorithm must be used?
  • What is the lifetime (interval) of the generated codes?

Nothing. But this is what I need with FreeOTP. I tried a few combinations, but had no luck.

So I resorted to the Linux command-line.

  1. Enable 2FA in your account until the secret key is displayed
  2. Install qrencode (or use one of the available Web-Generators for QR-Codes at your own risk)
  3. Build the following string: otpauth://totp/LinkedIn:MyAccount?secret=KEY-YOU-GOT-FROM-LINKEDIN
    • All in one line, no spaces at the end, no enter.
    • You can change "MyAccount" to something more meaningful like your mail address
    • Example: otpauth://totp/LinkedIn:JohnDoe@company.tld?secret=U4NGHXFW6C3CLHWLQEVCBDLM5FQMAQ7E
  4. Paste that string into a textfile.
    • Again, no enter or spaces at the end
  5. Execute: qrencode -r /path/to/file.txt -t png -o /path/to/image.png
    • This will generate a PNG-Image at the location specified by the -o parameter
    • -r is the input file containing the string
  6. Display the QR-Code and scan it with FreeOTP
  7. Verify the code works
  8. Generate your backup keys and save them in your password manager
  9. Profit!

Some documentation regarding the otpauth:// URL, it's syntax and the parameters you can use is available in the old Google Authenticator repository on GitHub: https://github.com/google/google-authenticator/wiki/Key-Uri-Format
(Google Authenticator once was OpenSource too, but sadly isn't any more.)

And while at it, I created the corresponding GitHub Issue for the FreeOTP project #360 [Feature-Request] Allow adding of entries by just specifying label & secret to properly take care of this nuisance. ;-)

Lessons learned

FreeOTP assumes the algorithm of SHA1 and an interval of 30 when these parameters are not part of the otpauth-URL. Choosing these works out of the box and I can omit the QR-Code step this way.

Comments