Pete Zaitcev's Journal
Seeking Google Authenticator for Linux [27 Aug 2012|09:29am]

I have enabled a 2-step authentication for Google, but I do not have a smartphone. What to do?

The official answer #0 is to buy the goddamn smartphone. But that means paying a cellular carrier for the rest of your life.

The official answer #1 is to have Google call you. This is good, but what if I travel, say, to Ireland?

The official answer #2 is to print a set of challenge-response pairs, sort of like we did in OPIE days. The only small problem is that I do not see them offering to switch from voice verification to challenge-response. Also, it's a hassle even if it works.

In any case, it would be ideal if an open source program existed that substituted for Google Authenticator. Surprisingly, I am unable to find such a thing, and I don't know why. There should be nothing too secret about the workings of the code generator, even the parameters of the PRNG (the seed is the secret).

The article at LWN says:

Traditionally, hardware authentication tokens must be physically connected to the computer to authenticate a user, though some one-time password (OTP) generators are standalone. Unlike the Android app, however, those devices are meant to make it difficult to extract the key without destroying them. Accessing the key from a phone, then running the app elsewhere (e.g. an Android emulator) would circumvent the "things you have" requirement.

OK, fine, a computing device is less secure than the RSA token [generator] that I have on my keychain. But phone and laptop are no different. In fact, my laptop is far more secure than the average malware-infested smartphone. Anyway, I don't want to hear the excuses, I just want this to work.

The same article suggests:

You can perform a passcode-generation hash by running:
oathtool --totp --now="the_current_time" your_secret_key
The passcodes matched, once I figured out how to correctly convert the Base32 encoding produced by Google Authenticator into the hexadecimal required by oathtool — namely, that the Base32 encoding scheme defined by RFC 4648 is not the same as base-32 mathematical notation (because the encoding avoids easy-to-confuse characters like I and O).

Ouch. Is there no better way? Maybe I should write a wrapper.
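The wrapper the post is asking for, as an added example that is not the author's code and not part of oathtool: a stand-alone TOTP (RFC 6238) generator built on HOTP (RFC 4226) that takes the secret in the Base32 form Google Authenticator displays (lowercase, spaced, unpadded), normalizes it to RFC 4648 Base32, and also emits the hex form that the quoted oathtool invocation expects. The "nothing secret about the generator" point above is borne out by the code: the whole algorithm is HMAC-SHA1 over a 30-second time counter plus a fixed truncation, and only the key matters. The sample secret is the RFC 4226/6238 test key "12345678901234567890", written here in Base32; the function and parameter names are this example's own choice.

```python
#!/usr/bin/env python3
"""TOTP (RFC 6238) over HOTP (RFC 4226), accepting a Google Authenticator
style Base32 secret directly. Added example; standard library only."""
import base64
import hashlib
import hmac
import struct
import time


def normalize_base32(secret: str) -> str:
    """Tidy a secret the way Google shows it: lowercase, grouped with spaces,
    no trailing '=' padding. RFC 4648 Base32 wants uppercase and a length
    that is a multiple of 8, so restore both before decoding."""
    s = "".join(secret.split()).replace("-", "").upper().rstrip("=")
    return s + "=" * (-len(s) % 8)


def base32_to_bytes(secret: str) -> bytes:
    """Decode the normalized RFC 4648 Base32 secret to the raw HMAC key."""
    return base64.b32decode(normalize_base32(secret), casefold=True)


def base32_to_hex(secret: str) -> str:
    """Hex form of the key, which is what `oathtool --totp <key>` reads
    when the key is given without a Base32 flag."""
    return base32_to_bytes(secret).hex()


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(key, 8-byte big-endian counter), dynamic truncation
    to 31 bits, then the low `digits` decimal digits, zero padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: str, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step).
    `at` is seconds since the epoch and defaults to now. Google Authenticator
    uses SHA-1, a 30 s step and 6 digits, which are the defaults here."""
    if at is None:
        at = time.time()
    return hotp(base32_to_bytes(secret), int(at) // step, digits)


def verify_totp(secret: str, code: str, at=None, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Verifier-side check tolerating `window` steps of clock drift either way.
    compare_digest keeps the comparison constant-time so a mismatch does not
    leak how many leading digits were right."""
    if at is None:
        at = time.time()
    key = base32_to_bytes(secret)
    counter = int(at) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c, digits), code):
            return True
    return False


# Constructed sample: the RFC 4226/6238 test key "12345678901234567890" in
# Base32, written the way Google Authenticator displays secrets.
SAMPLE_SECRET = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

if __name__ == "__main__":
    print("hex key for oathtool:", base32_to_hex(SAMPLE_SECRET))
    print("code at T=59 (RFC 6238 vector):", totp(SAMPLE_SECRET, at=59))
    print("code right now:", totp(SAMPLE_SECRET))
```

Run it with the Base32 string from the Google enrollment page in place of SAMPLE_SECRET and it prints the same six digits the phone app would; the `base32_to_hex` output is what to paste into `oathtool --totp` if you would rather keep using that tool, and the drift window in `verify_totp` is the knob a server tunes against clock skew.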
