I have a Google account with one of the organisations I volunteer for. They have recently taken the decision to require 2FA for all account sign-ins. Google's 2FA enrolment process requires one of (a) PSTN phone number, (b) Google app on smartphone (NOT Google Authenticator), (c) hardware security token.

I'm not prepared to give Google my phone number, nor am I willing to install a Google app that requires me to be signed in on a phone when there are numerous third party OTP implementations available (apart from anything else I very rarely use a smartphone and would prefer to use a desktop app). The organisation is not providing a hardware token and I don't have one of my own.

Is there another alternative? For example, getting the settings and initialisation key to use with an OTP app, or a browser extension that acts in the same way as a hardware token. I'm running Ubuntu 21.04 and Firefox, but could use a Chrome-based browser if absolutely necessary.

(Edited to clarify that Google Authenticator is NOT offered as an option during enrolment: only the Google (Search) app or the Gmail app are possible.)

There are two choices for "Google specific app on smartphone" – one uses online notifications (Google Prompt), the other uses offline OTP (Google Authenticator). Google supports OTP-based 2FA under the name of "Authenticator app". It uses the OATH TOTP standard – exactly the same as what most other OTP apps use, with standard parameters (6 digits, 30 second interval).

As part of the enrollment process, you'll be shown a QR code which directly contains the TOTP shared secret. You can scan it with just about any OTP app that exists (desktop apps should be able to "scan" a screenshot as well). During the same step, you can also click the "Can't scan it?" and reveal the same TOTP seed as plain text. You can copy & paste it into your desktop OTP app, and perhaps write it down on paper to store as a backup. The app will not need to communicate with Google. However, the device's clock needs to be accurate (the official Google app automatically compensates for wrong clocks using an online time server, but in other apps you'll need to take care of it yourself). It does not matter whether you choose "iOS" or "Android" when asked for your phone type – you'll get the same process either way.

(In case the "Can't scan it?" option goes missing, the QR code can also be scanned using a generic QR decoder, which will reveal the TOTP seed in plain text. The QR code's contents use the format otpauth://totp/GitHub:someuser?secret=ABCDEF&issuer=GitHub, with the username and issuer being for display only.)

Tokens

Regarding hardware tokens – yes, there are browser extensions which emulate a WebAuthn or U2F token, but many of them seem to be abandoned and they might not necessarily be secure. (There's also the risk of them suddenly no longer working, so if you use one, make sure to have TOTP as a backup.) On Linux you also have software such as rust-u2f which emulates a hardware U2F token at OS level – it will work with any website and any web browser because it's seen as an actual connected HID device. Still, it is somewhat more fragile than a real hardware token, and I'm not sure if I would go as far as to recommend using it.

Finally, letting the OS provide a software-based "platform token" is actually part of the newer WebAuthn specification. Windows 10 implements it under the "Windows Hello" name (supported by all major browsers), and Apple just added a similar "iCloud Passkey" feature in macOS Monterey. Unfortunately, Google does not support 'platform' tokens, only hardware tokens – I'm not sure whether it's deliberate or if it's because they use the older U2F API rather than WebAuthn. (However, rust-u2f will still work because it emulates a hardware token, not a platform token.)

As of 2022, it's not possible to do this upon initial enrollment, because setting up Google Authenticator as a 2FA option in Google requires that 2FA already be enabled ("To use Google Authenticator on your iPhone, iPod Touch, or iPad, you need: 2-Step Verification turned on"). This means you need to give them your phone number or otherwise set up 2FA using one of their apps on your phone.

Create a virtual hardware security key using Chrome DevTools by following this guide (make sure to select type "u2f").
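As an added example (not code from the question or any of the answers), the otpauth://totp URI format and the 6-digit, 30-second TOTP parameters described in the main answer, parsed and computed with only the Python standard library. The sample URI and its base32 seed are constructed placeholders, and the one-step verify window shows why the answer's clock-accuracy caveat matters.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample in the format quoted in the answer; the secret is a
# placeholder base32 string, not a real enrollment seed.
SAMPLE_URI = "otpauth://totp/GitHub:someuser?secret=JBSWY3DPEHPK3PXP&issuer=GitHub"


def parse_otpauth(uri):
    """Pull issuer, account label and TOTP parameters out of an otpauth:// URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    label = unquote(u.path.lstrip("/"))
    issuer, _, account = label.rpartition(":")  # "GitHub:someuser"
    # Defaults are the standard parameters the answer mentions: 6 digits, 30 s.
    return {
        "issuer": q.get("issuer", issuer or None),
        "account": account,
        "secret": q["secret"],
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def totp(secret_b32, at=None, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 seed at Unix time `at`."""
    at = time.time() if at is None else at
    raw = secret_b32.replace(" ", "").upper()  # plain-text seeds are often shown in spaced groups
    key = base64.b32decode(raw + "=" * (-len(raw) % 8))
    counter = struct.pack(">Q", int(at) // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret_b32, code, at=None, window=1, digits=6, period=30):
    """Accept codes from `window` steps either side of `at`. This small tolerance
    is why a clock a few seconds off still works and a clock minutes off does not."""
    at = time.time() if at is None else at
    return any(
        hmac.compare_digest(totp(secret_b32, at + k * period, digits, period), code)
        for k in range(-window, window + 1)
    )
```

The RFC 6238 test vectors (seed "12345678901234567890") can be used to check `totp` against a known-good implementation before trusting it with a real seed.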