As a user, I want the ability to add entries which have TOTP keys such as GitHub / Amazon (2FA/MFA)

Q1. What is the problem that you are trying to solve?
I’m trying to share the AWS root account of my company. The strong password is already in my own Passbolt instance but isn’t enough. My root account is secured by an MFA process, and I cannot share it securely. I am looking for a way to add TOTP tokens to entries/sites that support it (GitHub, Amazon, etc.).

Q2. Who is impacted?
System and network administrators

Q3. Why is it important and/or urgent?
Ease of use for system administrators will increase adoption.

Q4. What is your proposed solution? (optional)
So my idea is to share a 2FA generator like we can already do with passwords.
TOTP should be enough for a first shot, but HOTP could be great too.
I think it’s possible to do that with the current GPG process (for storing the “secret”).
In the UI, attached to an existing password entry seems to be a good place.

Example for Github:
As a user I want to store TOTP initialization code in Passbolt

  1. Log into GitHub, go to Settings, Security, under Two-factor authentication.
  2. Click on “Set up two-factor authentication”, click on “Set up using an app”, click on “enter this text code”
  3. Log into Passbolt; in the password workspace, click on “New” and select “TOTP token”
  4. Copy the GitHub text code into the Passbolt “create TOTP” dialog
  5. Save

As a user I want to use passbolt to generate a one time token to login into Github

  1. Log into Passbolt, right-click on the GitHub TOTP entry, click on “copy OTP to clipboard”
  2. Log into GitHub, paste the OTP token in the second authentication step input form, press login

ref. As a user, I want the ability to add entries which have TOTP keys such as GitHub / Amazon (2FA/MFA) · Issue #71 · passbolt/passbolt_api · GitHub

Q5. Community support
People can vote for this idea to show traction:

  • Must have: this is critical for me to have this
  • Should have: this is important for me to have this
  • Could have: this could be nice to have
  • Won’t have: we should not schedule this (explain why)
9 Likes

Hi,
It would be great to get this function in Passbolt, as some other password management software already has it.
Hope this comes to Passbolt too!
Telemak

I just started to look into Passbolt, and for me and my team the lack of TOTP storage is a dealbreaker :frowning:

1 Like

This. When this is implemented I’ll switch back to Passbolt.

1 Like

Same here, Passbolt Pro seems really neat to federate all my users onto the same password management, but without TOTP support we can’t use it.

As Passbolt seems loosely based on GNU pass and the latter handles TOTP, I hope we can have this feature in the foreseeable future.

TOTP would make Passbolt a lot more useful when it comes to team collaboration. TOTP is one of the features which are harder to share, and Passbolt being a team collaboration platform, I would say it is quite essential.

I am also upvoting this feature. I am actively looking at alternatives because the TOTP feature is missing. All the rest is amazing, kudos to everyone involved!

Miss this feature very much!

1 Like

How can this still not be implemented?? :slightly_frowning_face:

@haupas This is an advanced feature idea. It would be instead of sharing TOTP tokens (the string, not the QR code), which is possible to do already in the description of a shared resource (the description can also be encrypted). It would not require users to need a separate TOTP app, if I understand the idea correctly.

1 Like

Hi @garrett and Passbolt Community

Great work on Passbolt and thank you for providing an award-winning, 2022 audit passed, safe, secure, self-hosted, open source, group password manager.

This thread is a little confusing to me; sorry if I am adding my comment in the wrong place.

I would love the ability to use TOTP to produce an OTP code from the Passbolt iOS and Android apps.

Do any of these code repositories help in the development of Passbolt TOTP:
OTPClient / 2fast / Aegis / andOTP

I use TOTP OTP codes for my remote server SSH logins, GitHub, my name host, my server host and a few other websites; it would be great if this feature were added inside Passbolt and Passbolt CE.

Can TOTP just be built into the Passbolt iOS and Android apps?

Cheers and Thank you for Passbolt!

Hi @Duffman,

Thank you for the kind words!

Threads in the Backlog section are exactly for voting up what is desired, and the devs use these threads to consider the roadmap forward.

In addition to balancing out the expressed interest with other items on the active development list, I suspect with regard to this particular feature that it potentially could be as simple as implementing a TOTP generator based on a stored key. In practice, however, there are other aspects to be considered once the overall app security model is considered, along with its existing structure.

When we rolled out the mobile app feature, it incorporated a QR code process not unlike what is used with establishing TOTP. However, some devices did not play well with the process. (I think the library may have even changed along the way with improvements.) Yes, the idea is pretty straightforward, and while the commitment by the team to proceed with a feature will always include the goal of security, stability and proper support for the customers and the community, some things are support-heavy which is not always anticipated but can start to drag progress on other items.

With this in mind, I think the devs have gained a lot of wisdom along the way and have developed a very judicious approach regarding what to do next. I know they are very knowledgeable in how to implement all of these things, but like any project, decisions are made after consideration.

When I think of the age of this feature request, it occurs to me that it was before the Description section of a secret could be encrypted. I have to change passwords pretty regularly, but never change the TOTP. Now that the Description section is able to be encrypted, it would be possible to share the TOTP string key with team members, who could then use their own apps to process. Workarounds in the past probably included creating a separate secret just for the OTP string key…but the string is not always provided or convenient to derive.

One question I have for the thread is how are people currently sharing/saving/backing up QR codes and strings related to TOTPs? If it’s outside of passbolt where are the pain points? I currently keep a file of them saved after taking a screenshot in the process. Not being able to get a 2FA code recovered is a huge headache.

1 Like

I do not keep copies of the QR, but I really should. I keep a backup of the data that the app(s) allow you to export. I keep the backup data outside of Passbolt on a thumb drive. I guess I would keep the QR codes on the thumb drive as well.

I would be looking for the Passbolt mobile app to function as a TOTP OTP code generator. So my password management and TOTP management would be in the same mobile app.

Hoping it might be possible to implement Passbolt’s ability to take QR code pictures and process the data. I am a noob who can’t code, but it seems possible to have Passbolt generate the OTP code for 2FA.

I like the extra TOTP protection for SSH and hosts the best. I had issues (noob) using key authentication with my remote servers so I went back to OTP.

I agree 100%, 2FA code recovery really sucks and so do script kiddies!

Hi @garrett
As many have stated before, generating OTP codes from a password manager is a deal breaker nowadays when most web services are using them for authentication.

Speaking as a developer and team leader myself:

  • consider that developers often don’t understand the business value & impact of features
  • you don’t need to implement everything straight away (QR code scan etc.); simply saving the seed key and generating an OTP string to copy when needed would be more than enough as an MVP

I really hope this feature will be implemented soon, because not having it 5 years after this thread was opened surely means a huge loss of users, companies and income.

My company loves open source and would be happy to pay and contribute to an awesome open source project like Passbolt, but this feature being a must-have, we will have to invest money in 1Password now, and once users get used to a tool it probably won’t change in the future, in particular if the company grows exponentially. So this kind of strategic loss should be taken into account when evaluating the customer’s value. It’s really too bad not to support open source in this case.

FYI: Given a key, generating an OTP is a pretty straightforward operation in PHP with the use of some library: GitHub - Spomky-Labs/otphp: A PHP library for generating one time passwords according to RFC 4226 (HOTP) and RFC 6238 (TOTP)
We might even look into a PR if we have enough time to study the project.

Hope these words will help the team re-evaluate this feature.
Best!

@Duffman @cassvailwr Thanks I know the dev team is reading these posts and the feedback is much appreciated.

2 Likes

You can enable encryption for the Description in Passbolt. Store your token string there and you have the MVP you’re asking for. I wish 2FA storage would get implemented soon in Passbolt, but raging about its unavailability probably won’t push the progress to completion either…

1 Like

Hi @rkk,
I’m sorry if the message came across with the wrong tone of voice; there is absolutely no rage or complaint at all. As I said, I find Passbolt a great project with high quality standards.
Paying Passbolt or 1Password is exactly the same for me; I just suggested that it would have been nice to pay to support an open source project instead of funding proprietary software, and that not considering the business impact of a feature might cause a loss of users and investments, as I saw from other comments. That’s it. The hope was just to give a different perspective on evaluating and prioritizing the feature.

Sadly, what you suggested is not a solution: saving the seed is not the problem. I could also save it in the password field of a different login entry.
The point is having the OTP generated automatically for the users; otherwise you need a third-party app like Google Authenticator to get the actual login code, which makes Passbolt useless for this need.

Thanks for replying :wink:

2 Likes

It’s incredibly interesting how this feature is not implemented yet.

As I do not own a lot of accounts without 2FA.
I wanted to migrate already, and while doing the export from Bitwarden I saw that around 400 of my 800 accounts have that.

So is there a timeline when this will finally come?

Other than that, really awesome software.

1 Like

Hello,

We’ve started working on the design for the OTP features, we’re currently working on the wireframes and will soon move to the user stories / technical specs.

You can have a look here:

We still need to work on the quick access integration. We don’t generally give deadlines because, as explained elsewhere, we’re a small team and therefore, compared to other projects, have a quite design-heavy approach in order to reduce security risks. So bear with us, we’re not twiddling our thumbs :slight_smile:.

5 Likes

Hey Remy,

thank you so much for clarifying that.

I didn’t see it in the roadmap, that’s why I asked.

2 Likes