TOTP available on mobile - Call for alpha testers!

:warning: This feature is currently available in Alpha for testing only :warning:

This feature is available for testing purpose only. Please try this feature on a testing and disposable environment. Since this feature is not stable yet, you could otherwise break your production environment.

Hi there,

The team is pleased to announce that since the 6th of June 2023, we have pushed version 1.14.x to both mobile stores, which allows you to store and use TOTP codes. Here are the steps you need to follow to try out this feature:

  1. Obtain version 1.14.x or later of the mobile app from your preferred mobile store (iOS or Android)

  2. Obtain version 4.0.0 or later of the API

  3. Install the API and set up SSL (the mobile app won’t work without HTTPS)

  4. Ensure that the mobile app and the API can communicate with each other (if you have a self-signed certificate, import it on your device)

  5. Set up an account on your phone

  6. To enable the TOTP feature, you need to perform the following steps based on your setup:
    6.1 If you are using Docker or Kubernetes, set the following environment variable to true: PASSBOLT_PLUGINS_TOTP_RESOURCE_TYPES_ENABLED
    6.2 If you are using a linux package, open the following file: /etc/passbolt/passbolt.php
    6.3 If you are using the installation from source (side note: consider migrating to a package, it’s easier than you think) open the following file: /var/www/passbolt/config/passbolt.php

For steps 6.2 and 6.3, here’s what you need to add:

return [
 // ... 
 // identify the passbolt array block
 'passbolt' => [
  // identify or add the plugins array block
  'plugins' => [
   // add the totp content type feature flag
    'totpResourceTypes' => [
     'enabled' => true 
    ],
  ],
 ],
]
  1. Restart the mobile app.
  2. Log in again

After following these steps, you should see a new bottom link for TOTP.

That being said, here is some additional information:

  • This is an ALPHA feature, and the purpose is to gather feedback for the product team.
  • We cannot yet guarantee that the web version and the CLI version will work in all cases.
  • On the web, TOTP is not available yet; the TOTP will appear as incorrect passwords.

Please use this thread to share feedback or if you need any assistance. I am here to help.

Cheers, and thanks in advance!

2 Likes

At the moment it’s not yet available in the U.S. play store. Latest is showing 1.14.0.

If someone else sees it is ready can you post back, thanks.

EDIT: Actually, the feature is showing on 1.14.0 so NM.

1 Like

Tested on Android MotoG7, LineageOS 20 (Android 13)

Feedback:

  • After scanning I don’t see why the blue button needs to be pressed if it’s the only option. The blue button was not intuitive to me, and I pressed back because it seemed to be done. I thought maybe with the button I could create a TOTP QR code to give to someone else…
    • Instead of the scanned message, maybe it could confirm with the data which one I scanned. I have a list of saved QR codes.
    • The blue button could be to confirm it.
  • Confirmed working
  • Countdown is nice feature
  • Clicking starts countdown and copies on each new cycle
  • Clicking it again seems to disable it momentarily, but then it starts again - any way to stop it from continuing to run?
    • Found: Showing the menu of the active TOTP and then closing will stop it.
    • I am realizing now that I’m typing with my laptop from the mobile device display but the copying will be handy on mobile sites
  • I’ve added a second entry
    • confirming only one shows at a time
    • clicking the other one make it enabled and the first becomes disabled

No errors found in error.log

:clap: Very nice!

5 Likes

I updated the version number to avoid the confusion thx for this and also to all the feedbacks @garrett much appreciated!

2 Likes

Good morning! I’m glad to test this feature.
Tested on Android Motorola One Vision, Android 11.

I was testing the TOTP feature and I have some comments.

  • When I try to scan QR codes, sometimes the app closes without any error message. I will paste the app log to try to help with the failure.
  • I tried how TOTP is working on the web and I can see the entries as passwords, but when I try to edit it goes to a waiting loop that doesn’t finishes. I suppose this is not the final behaviour, but maybe is possible to ensure that you can’t edit with a message or disabling button?
  • Maybe there is on the way because I remember to have read about it. As a suggestion, would be nice having the logos of the apps instead of the generated image with the first letter, in order to improve the time you are looking for a password or TOTP tokens. Here is a repo with a lot of logos in SVG that you can use: GitHub - raivo-otp/issuer-icons: Vector graphics of one-time password issuer logo's, used in Raivo OTP for iOS.

Android app log

4 Likes

thanks @Termindiego25 !
I shared the logs with the mobile team they will have a look :pray:

As for the web version yeah this is not handle yet. The point was to avoid complete crash.

For icons, we totally agree it is planed but there is some traffic on the roadmap to know what to tackle next.

Thumb fights, rock paper scissor, flip a coin, all the professional techniques are used to chose the next candidates for the roadmap :wink:

1 Like

Maybe with a poll on the forum, you can try to get another point of view :joy:

haha, yeah it is plan to have polls :muscle: (@Phiba FYI)

1 Like

Passbolt TOTP iOS :white_check_mark:

:clap: Bravo @max and Passbolt Developers :clap:

  • Passbolt Health Check ~ [PASS] No error found. Nice one sparky!
  • iPhone iOS ~ version 16.5
  • Passbolt iOS app ~ version 1.14.2
  • Passbolt CE ~ version 4.0.2
  • iOS log = zero errors
  • iPadOS is working as well

:gift: I opened your amazing TOTP gift last night and got it working today :smile:

:heart: Thank you to all the Passbolt Developers who made TOTP a reality :heart:

I might be the only user with this issue; do to my different source install setup:
I also had to change false to true, so TOTP would enable after i added the new code @max posted above

2 Likes

Great!

Yeah told you at the openmic that it was coming :wink:

It is not best practice to change default.php and this file will be reset at the next update but for testing purposes that’s ok.

If you want to have a look together why your passbolt.php is not working letme know.

Cheers :beers:

1 Like

Hello, I noticed that is not possible to change the name of the TOTP entries. I tried from the browser extension but as there is no support too, it goes into an infinite loop when click the save button.
Are there plans to let us edit TOTP entries?
Normally, I have no problem with the automatic name, but I tried to set up Ubisoft and it was saved as my email only, without the name Ubisoft (so if it happens again, I will confuse it)

Hello, editing TOTP entries in the mobile apps will be available in the 1.15.0 release along with some other interesting features. Also in the meantime, we plan to release 1.14.1 next week which should fix the issue you reported (When I try to scan QR codes, sometimes the app closes without any error message. ). Just FYI the TOTP resource name is taken from the TOTP QR code - field label - if you’d like to know more here’s a link.

2 Likes

Maybe they are not sending the label field correctly and Passbolt just catches the email.
I noticed something similar with Facebook, where it shows only the username and not Facebook:username, showing like this screenshot:

2 Likes

Hello @max
Not sure if I’m posting on the correct thread here…
First, thanks for developing the TOTP feature, this is very helpful!
And it works well on the mobile app so far.
However, I hit an issue on the web interface, which I can’t solve…
Whenever I add a TOTP entry to an existing password entry (through the mobile app), it disappears in the web interface, it’s not in the list and I can’t access it directly (resource not found error).
I am self-hosting Passbolt with docker. This issue was the case with version 4.2.0 and still with 4.3.0.
I have added the env variable as described. In the database it looks like it works correctly in terms of data: the resource_type gets changed to password, description and TOTP, but the web interface and browser extensions are not able to display such a resource anymore…
Also, I can’t see standalone TOTP entries anywhere in the web interface, but not sure if that is already supported anyhow.
What am I missing?
Thanks for your help!

Hello @bgartenmann and welcome to the forum!
I was experiencing this behaviour on v4.2.0 because TOTPs were available just on the mobile app and were not supported by the web interface, but after upgrading to v4.3.0 that was solved.

Can you check if you are on v4.3.0 and if there are some errors in the logs?

1 Like

Hi @Termindiego25, thanks for your fast reply!

I have updated to v4.3.0 yesterday. This is what I have in my docker-compose.yml:
image: passbolt/passbolt:4.3.0-1-ce

/healthcheck is saying I am using v4.3.0:
image

However, I noticed when hovering over the heart icon on bottom right, it says 4.3.0/4.2.0
Not sure why?

I can’t see any current errors regarding this. I’m checking with docker logs
Is there another way to see the error log?

Appreciate your help!

Maybe you need to upgrade your browser extension?

3 Likes

As @Termindiego25 mentioned the v4.3.0 extension is required to support TOTP on the web application. As of now the chrome extension is already published while Firefox and Edge are in review.

4 Likes

Thank you both, that was it!
I wasn’t thinking of the connection between the browser extension and the web application…
I’m using Firefox as my main browser, so the extension was still on 4.2.0
Tested quickly with Chrome and it is working as expected.

4 Likes