Recently I got an email from GitHub that everyone is shortly forced to use two factor authentication (2FA). Everyone obvious includes me. As the second factor, apart from the normal password, they provide what is called time-base one-time password (TOTP). As can be expected these days, they suggest having an app on the phone that can do it. And indeed, checking the app stores, a whole armada of apps advertise to provide it. Hmmpf, yet another app. What does it actually do?
As I understand it, the whole process in actually quite trivial:
Let me comment and explain some of the steps above:
I didn't try any specific app, but it is likely not much different from banking apps which require their own password on top of the mobile phones password or authentication. The weirdest thing is the strong suggestion to use a cloud based app which stores the secret, of course secured by yet another password of yours, on someone else's computer (aka cloud). Well, maybe these days it does not really matter any more. The storage on your phone is as open to your phone's app store owner as the cloud itself, I guess. So whether the app encrypts the secret on the phone's storage or into a cloud storage is very much the same when it come to who can extract the encrypted data when they want to try to decrypt it. Cloud storage owner, app store owner — what is the difference?
Insofar the statement that cloud storage is still available if you lose your phone may be a half valid point.
This is probably the most interesting part, if anything. Read more details on the Internet, but this is the rough procedure: Use the secret together with the current time with, say, minute resolution in a fixed time zone, UTC, to create a hash value of 6 or more digits. That's the one time password. Provide it to the server which does the same with the secret assigned to you and the current time and compare the outcome. For more convenience and allow slighty deviating clocks, the previous and the next minute may be valid as well.
Yes, apps accrue by the dozens on mobile phones these days. Ehem, not on mine, really. And for the extra trivial shit described above, why another app? And when I am in front of the desktop, there is enough computer availabe right in front of me. And the phone may actually be in another room. Yes, believe it or not, sometimes I don't have it in arm's length reach. Must be old age, born in the previous millenium :-) So:
% apt-cache search totp
Turns out there is otpclient. And it stores the secret in an encrypted database. And it asks me where I want to have this database stored (think external USB drive). And it can read the presented QR code in several ways, like screenshot or clipboard. And it just works.