As a user, I want the ability to add entries which have TOTP keys such as GitHub / Amazon (2FA/MFA)

Hi @garrett
As many have stated before, generating OTP codes from a password manager is a deal breaker nowadays when most web services are using them for authentication.

From a developer and team leader myself:

  • consider that developers often don’t understand the business value & impact of features
  • you don’t need to implement everything straight away (QR code scan etc.); simply saving the seed key and generating an OTP string to copy when needed would be more than enough as an MVP

I really hope this feature will be implemented soon, because not having it 5 years after this thread was opened means for sure a huge loss of users, companies and income.

My company loves open source and would be happy to pay and contribute to an awesome Open Source project like Passbolt, but this feature being a must-have, we will have to invest money in 1Password now, and once users get used to a tool, it probably won’t change in the future, in particular if the company grows exponentially. So this kind of strategic loss should be taken into account when evaluating the customer’s value. It’s really too bad to not support an Open Source project in this case.

FYI: Given a key, generating an OTP is a pretty straightforward operation in PHP using a library such as GitHub - Spomky-Labs/otphp: A PHP library for generating one time passwords according to RFC 4226 (HOTP) and RFC 6238 (TOTP).
We might even look into a PR if we have enough time to study the project.

Hope these words will help the team re-evaluate this feature.
Best!
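To make the "save the seed, generate the code" MVP concrete, here is an added example (not from the post, from Passbolt, or from otphp) implementing RFC 4226 HOTP and RFC 6238 TOTP from a base32 seed in Python's standard library. The seed is the RFC test key "12345678901234567890" in base32; the drift window in `verify_totp` is an assumption about how a server would accept codes, not Passbolt behaviour.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed seed: the RFC 4226/6238 test key "12345678901234567890" in base32,
# the form in which otpauth:// URIs and authenticator apps carry the shared secret.
EXAMPLE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32):
    """Decode a base32 seed, tolerating lowercase, spaces and missing '=' padding."""
    s = seed_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32, at=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). `at` defaults to now."""
    now = int(time.time()) if at is None else at
    return hotp(decode_seed(seed_b32), now // step, digits, algo)


def verify_totp(seed_b32, submitted, at, window=1, **kw):
    """Accept a code from +/- `window` time steps (clock drift), comparing in constant time."""
    step = kw.get("step", 30)
    for delta in range(-window, window + 1):
        candidate = totp(seed_b32, at + delta * step, **kw)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # Prints the 6-digit code a user would copy into the web service's 2FA prompt.
    print(totp(EXAMPLE_SEED_B32))
```

The values in the RFC 6238 appendix (for example 94287082 for the 8-digit SHA-1 code at Unix time 59) are the easiest way to check any TOTP implementation against the standard.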

@Duffman @cassvailwr Thanks I know the dev team is reading these posts and the feedback is much appreciated.

2 Likes

You can enable encryption for the Description in Passbolt. Store your token string there and you have the MVP you’re asking for. I wish 2FA storing gets implemented soon in Passbolt, but raging about its unavailability probably won’t push the progress to completion either…

1 Like

Hi @rkk,
I’m sorry if the message came across with the wrong tone of voice; there is absolutely no rage or complaint at all. As I said, I find passbolt a great project, with high quality standards.
Paying Passbolt or 1Password is exactly the same for me; I just suggested that it would have been nice paying to support an open source project instead of funding private software, and that not considering the business impact of a feature might cause loss of users and investments, like I saw from other comments. That’s it. The hope was just to give a different perspective on evaluating and prioritizing the feature.

Sadly, what you suggested is not a solution; saving the seed is not the problem. I could save it also in the password field of a different login entry.
The point is having the OTP generated automatically for the users, otherwise you need to have a third party app like Google Authenticator to get the actual login code, which makes Passbolt useless for this need.

Thanks for replying :wink:

2 Likes

It’s incredibly interesting how this feature is not implemented yet.

I do not own a lot of accounts without 2FA.
I wanted to migrate already, and while exporting from Bitwarden I saw that around 400 of my 800 accounts have it.

So is there a timeline when this will finally come?

Other than that, really awesome software

1 Like

Hello,

We’ve started working on the design for the OTP features, we’re currently working on the wireframes and will soon move to the user stories / technical specs.

You can have a look here:

We still need to work on the quick access integration. We don’t generally give deadlines, because as explained elsewhere, we’re a small team and therefore have, compared to other projects, a quite design-heavy approach in order to reduce security risks. So bear with us, we’re not twiddling our thumbs :slight_smile:

5 Likes

Hey Remy,

Thank you so much for clarifying that.

I didn’t see it in the roadmap, that’s why I asked.

2 Likes

Oh no! I’m in the same boat. After a simple trial I was going to recommend passbolt to my startup instead of 1Password or Bitwarden… but I arrived at this page after looking for a way to enable something I thought was a given in any password manager :sob: so this is not implemented in your PRO version either?.. I understand you are Open Source and stretched thin, but please, this is a complete deal breaker for any company; several security policies in my company and others will not let you have access to accounts if you haven’t set up MFA!! I really wonder what happened in the last couple of years with your prioritization, but saving secrets without MFA is A HUGE SECURITY RISK, so this should have been implemented ages ago IMHO. Like some people here mentioned before, please please set up the string generator without the fancy QR screen scraping code as a first step, but deliver that ASAP if you can please!

@mninoruiz You might be combining two issues. Passbolt has always been MFA because it uses a key and a passphrase. It has also added an additional feature of MFA which acts as a third factor, but aids organizations in using their own MFA on passbolt.

It seems you are saying secrets are saved without MFA access to them, but that’s not the case. No one is saying to do this or being made to do this.

Secrets have had encrypted descriptions which can handle QR strings, and this thread is about adding a feature for TOTP handling, instead of it being accomplished through another app. The access in focus is access to non-passbolt apps which have MFA.

The feature is one of convenience. In some cases, maybe yours, it’s a reason to not use passbolt yet. But that’s not the same as suggesting passbolt decisions have resulted in a “HUGE SECURITY RISK”. Maybe clarify what you mean?

1 Like

Oh, apologies @garrett, I didn’t make myself clear… I wasn’t implying that Passbolt is not safe; on the contrary, this concept of passphrase and security letters that you have, I’ve not seen before and it is awesome!
Also, yes, as stated at the beginning of this thread, this is about the functionality of being able to use Passbolt as MFA all in one place, not about Passbolt not having MFA… What I meant to say is that, since MFA is mandatory for most places, not providing that feature IN THE SAME secret entry (as your competition has done for a long time) results in an incomplete Password Manager solution, not at the same level as 1Password or Bitwarden. That is different from not having MFA to access your product! But your product is about secret management, and nowadays that MUST include MFA for it to be complete; otherwise you would have to complete the functionality with another device/tool.
Among other reasons, not having MFA results in:

  • Not being able to share secrets where MFA is mandatory (so I can’t use it in a team for places where license restrictions make it impossible to give a user to everybody, so we have to share)
  • The other side of the coin: when you want the whole company, e.g. sales / advertising, to use MFA, passbolt does not encourage enabling MFA in the first place, since the double friction of using another device like your phone makes it hard, especially when you have hundreds of sites; try scrolling through that on a phone in Authy or GAuth, impossible! I use those precisely for very sensitive MFA like the password manager itself

I guess you consider that as an extra, a matter of convenience, but for me and most people, for a secret management solution, it is incomplete and I find it strange you didn’t prioritise it before… but by all means I understand it’s open source, I’m very impressed with your product and fingers crossed it will come soon!

2 Likes

@mninoruiz I very much appreciate the clarifications.

I want to share some things from my point of view - but it’s not a response to what you were saying. Just some things that are related that I would like to mention.

When I first started using passbolt, I was implementing it at a counseling center where office staff shared passwords on a spreadsheet. All passwords were the same so I’m not sure why they bothered noting them. When I looked at all the password manager options at the time, I needed something with no subscription costs because the counseling center was financially strained. Passbolt met the minimum requirements for my need, because I need real security. I knew it could only get better. It was super bare bones.

All of the features that people today want backported to the CE didn’t even exist then in the Pro edition! I was never on the app development team but did help with updating web documentation at one point, specifically the API documentation. So, I’ve worked with the people at passbolt.

When I was new to passbolt I misunderstood that open source equated to community-built. I thought, look how active the forum is! That should bode well for quick improvements. But actually, it pulled from development in some ways. So I started making contributions by helping other users. There are many community contributions, and not just fixes but also things like this thread itself, with the questions and the challenges and pressure. It’s important to know that the organization of passbolt is a growing startup that in my view is less like a break-things-and-move-fast game and more like NASA.

“The probe must travel for decades to the outer edge of the solar system and be able to send back data years after no one has been able to fix anything.” Maybe it’s not that extreme, but you get the point. No one gets impressed by how it took five years to build a probe. They get impressed by how far out it was able to go.

It is hard to put into words the level of concern and review that goes into passbolt with regard to security. They care. The team will seem slow. At the same time they aren’t on the front page for security issues. Their work is their signature.

Consider the following:

  • they develop across numerous operating systems
  • those who develop also will provide support and not just to those on Pro - they help in the community too, with “stupid stuff” like installation issues. They actually care about the people using the product.
  • when they add a feature they get it reviewed for security
  • a couple years ago there was a major overhaul of the app that took resources away from progress but provided something better to build on going forward
  • there wasn’t even a mobile app but now we have one

I’ve started businesses and get it: if they break their budget and run out of runway we are left with a cool app that has a lot of backlog requests. They have accomplished some major things in the last two years that weren’t features but actually app capabilities. But they’ve also added a ton of features! I mean, we didn’t even used to have a way to change our passphrase.

I volunteer to help in the forum because I still believe it’s worth it. Trust me, I develop outside of passbolt and have my own views on how I would do it, but the fact is I carry no business risk in this venture. My personal choice to help is because I want to support the team to operate in the vision they have set for themselves. They don’t try to do everything at once and I like that because it’s real life and it works.

In my businesses, the one thing my clients definitely are not asking for me to do is make decisions that result in my not being around. One of passbolt’s strengths is ignoring the complaints they don’t want to ignore but must. The last thing we need is something that looks safe and works great but is inherently broken. So much of the app environment out there is sloppy with corner cutting on security. Passbolt won’t cut corners.

The members of this community are awesome. It’s one of the good ones. It’s all of you in this thread, and the support you express. I thank you for that.

14 Likes

We just did a migration of a working v2.11 (from August 2019) this week, so it very much feels like this sometimes. :slight_smile: :heart:

2 Likes

So better than NASA.

2 Likes

Agree! Thanks for the time to respond and everything, keep up the good work!

4 Likes

I just recently installed this app on my server thinking it had this feature. Anyways, I think this is a must for this app to succeed.
How long until this is released on the CE?
Anyways, is there any way of supporting this project with donations? I mean I would rather pay a donation than a monthly fee for the PRO version that has TOTP enabled for websites.
Thanks

I was bamboozled by the Passbolt MFA mention on their pricing page.
It clearly makes the app “useless” for us since every account we have has MFA.
Kinda sad, Passbolt looks so cool; I guess I’ll keep my installation aside for when it’ll be ready.

MFA is available in all versions since v3.10. The pricing page maybe had not been updated yet when you checked.
TOTP support will be available on all versions, implementation has started on mobile.

4 Likes

My bad, when speaking of MFA, I was referring to TOTP.
It’s good to hear that it’s on the way, it’s so vital.

3 Likes

I am also waiting on this big time.

I too am waiting for this moment, but it didn’t seem to me that there is anything about it in the announcement of the news; I know it won’t come very soon :confused: