Hi, everyone!
How soon would soon be? Would it be possible to have this feature in place this quarter, i.e. before October?
Best regards,
Tiago Jobling Santos
Hello @tjobling and welcome to the forum!
This feature is in beta, so you can look for the announcement and read how to activate it to test.
It is available just on mobile for the moment, but I think we will have some news in the next release.
Any chance you could link to the announcement? Thanks.
Hello @rkk and welcome to the forum!
You can see the release notes
Also, yesterday was the 3rd Community Call and they spoke about and demonstrated the TOTP feature.
Is there any ETA on this release?
This feature is now in general availability as of version 4.3.0.
The caveats being
And here’s a demo of it: https://www.youtube.com/watch?v=C4Ef10jkHkQ&t=248s
From what I’ve tested, you can easily edit the description when you do it starting from the Home screen. If the resource contains both the TOTP and password/description, the password/description portion is only available from the Home screen.
Could you please provide more information about this issue? Maybe there is some corner case I’m missing?
Hello @grzegorz, I tried to edit descriptions from the website and mobile apps with TOTP and without and this is what I have found:
In addition, the caveats mentioned before are expected to be solved in the coming release.
@grzegorz Maybe I’m missing something.
I’m running version 1.16.0 of the Android Passbolt app which appears to be the newest at the moment.
When I click the vertical ellipsis on a credential that has TOTP and a description, from the Home tab, I get this menu
Do you have the same options as I see? On yours, what is the name of the option to edit the description field?
@Termindiego25 Or can you point me to what I’m overlooking (since you also have the ability to edit description in the mobile app)?
Please use the Edit password option.
We may rethink using the phrase ‘password’ as both the password itself and the whole resource in different places. Thank you for pointing it out.
Aha! Heh, yes, it never occurred to me that Edit Password meant that. I’ll update my summary above so as to avoid confusing folks. I can’t edit my comment above to add clarification around “Edit Password”.
@grzegorz Agreed. Let me know if you’d like a PR to change this.
@gene This is a broader, cross-team topic. We need some refinement, and we should take some future features into consideration as this section of the app will be growing and will be even more dynamic.
@grzegorz Sounds good. I looked into the code to see if it would be an easy fix and then realized that throughout the code the term used for the entire record for a given site, including username, password, totp, description is password. All the methods and variables refer to the entire credential as password, which I suspect is where the language of Edit Password came from.
So to really address this likely requires coming up with a new conceptual name for a single credential set, and replacing all references in the code and in the strings from password to whatever the new term is.
Hello,
I’m late to the party but I just saw this was added when looking at release notes. It’s nice that passbolt implemented a feature that looked like it was asked by many people.
I have a question which might be stupid though, but isn’t storing your 2FA details in the same place as the password completely defeating the purpose of 2FA?
Given the entropy of the password is good enough, what is the point of the TOTP if it’s stored with it?
It’s a very good question!
By default passbolt provides 2FA level security when a user accesses a given resource. They need a private key (something you own) and the passphrase to decrypt the private key (something you know). They can also add more authentication factors on top, like using TOTP or Yubikey, but it’s basically doubling down on something you own.
So like you said, if your password is strong and unique and protected using 2FA because it is generated and stored in passbolt, adding another TOTP on top doesn’t add much more security. Maybe it can help you marginally in edge-case scenarios where the attackers get a hold of the username and the password hash (and not your TOTP secret), via a SQL injection for example.
I think in some cases it’s still desirable or useful. It could be because there is a policy in place, e.g. you’re in a regulated environment with legacy systems in place, so you have to use a TOTP, even if it doesn’t add more security. It could also be because you want to implement some custom workflows in an environment where resources are shared, like if you split password and TOTP access to implement a four eyes policy (e.g. I have the password, you have the TOTP).
I hope this helps!
From a philosophical standpoint I am with you on this. Storing both the passphrase and TOTP does turn it into a single point. This is not taking into account the security of the place you are storing it, as if your storage location (passbolt, ideally) has MFA turned on then you could argue it is equivalent to the original site being protected with MFA. Additionally Remy does point out some circumstances where storing them together still provides additional security against certain threats.
This is very much one of those highly requested features and by no means are you required to use it if it doesn’t fit your security model. Much like one of the optional pro features, Account Recovery, this is a trade off between security and usability.
Bump on this thread, whatever became of this implementation? I’m currently using a pair of Keepass with a TOTP plugin (works well enough) but I’d like to consolidate the password protection with the single solution in Passbolt. I see that I can enable TOTP for my authentication against Passbolt.
We have another use case example. We often store a master user account in Passbolt that is shared amongst admins as a backup account and enable MFA on that account for the relevant endpoint/application. A perfect example is the master account with AWS which is also protected with an MFA token. This account is accessible by the admins in our organization (as a backup) but keeping the OTP in sync across multiple users can sometimes prove challenging.
Hello @baldpope and welcome to the forum!
TOTP has been available in Passbolt since v4.3.0.
What version do you have?