Question regarding oathtool

Hi all, :wave:

I need your opinion on the correct usage of oathtool. In fact it might not be the correct tool for tackling my problem. I have no idea. :thinking:

Here´s the background to it all:

Recently I needed to create a personal account for accessing the mail correspondence of my building insurance.
They sent me an activation code by snail mail, which I entered and thus activated my account. So far so good. But now the real trouble starts:

They also sent me some additional information regarding 2FA (2 factor authentication).
This is the rough translation (by trans shell) of the original text:

"In order to open specially protected documents, you need a second confirmation in addition to registering in the online mailbox.
To do this you need a so-called “Authenticator APP”.

How to open encrypted documents:

To open encrypted documents in your online mailbox, you must register your mailbox in the Authenticator app.
You can use the “Google Authenticator” for your desktop PC.

1. How to connect the online mailbox with an authenticator app:

Open the Authenticator app and add a new account.
To do this, scan your personal QR code. Alternatively, enter the code: “XXXXXX…”. (32 numbers and letters)

A password will then be displayed in your authenticator app. You must enter this password as soon as you log in your online account.
Once you have entered it, your app is permanently connected to the online mailbox.

2. How to open encrypted documents in your online mailbox:

Enter the password from your app when prompted. The document opens."

Well, I cannot make head or tail of it… :neutral_face: .

I know I can install the Google Authenticator app in Linux (libpam-google-authenticator), but I want to avoid installing anything Google-related if at all possible.

I installed oathtool though.
But I don´t know whether this is good enough for my purposes. :thinking:

To try it out I entered the 32-character code they provided:

oathtool -b --totp [personal code] and I got a 6-digit password (6 ciphers).

That´s a one-time password, if I understand it correctly, and every time I invoke the command I get a different password, of course.

How is that supposed to work with the 2FA required by my insurance :question:
Do I need the Google Authenticator App after all?

Thanks a lot for your help in advance.

Many greetings from Rosika :slightly_smiling_face:

1 Like

Hi Rosika,
The whole thing is ridiculous.
I would opt to receive a paper bill via snail mail and to pay it
manually. That is what we do with most utilities, including
insurance.
Regards
Neville

3 Likes

Hi Neville, :wave:

hmm, I see.
Thanks for providing your view on the matter.

O.K. While that may be an option I´d still like to get to the bottom of it.
After all I´ve spent quite some time doing research on oathtool… :wink:.

I suppose it´s not until I received any document which requires 2FA that I can reliably try it out…

Thanks a lot and many greetings from Rosika :slightly_smiling_face:

2 Likes

Sorry, I don't understand 2FA at all. You will be teaching me.

3 Likes

Yes, Neville. This 2-Factor-Authentication business is pretty new to me, too.
On occasions I already used it for my health insurance account.

But that one was easier, as the second factor was sent to me by SMS.

As soon as I know more I´ll post it here.

Thanks a lot and cheers from Rosika :slightly_smiling_face:

1 Like

Oh yes, we have experienced that method with our bank and a number of other utilities. Some use SMS, some use an email message, sometimes we can choose which we prefer.

oathtool generates one time passwords… Why would you need to do that… the other end always generates the OTP…
you just enter it.

2 Likes

No idea, Neville. All I can add for any potential solution to the problem is the translated text from the insurance company I provided in my 1st post.

I guess that they intend to deliver documents containing sensitive information that need special protection.

Each time I run oathtool --totp -b [secret key],
it generates a different Time-based One-Time Password (TOTP) based on the current time. The website expects a specific TOTP generated at that particular moment in time.

I guess I´d have to use that to open the documents. :thinking:

Many greetings from Rosika :slightly_smiling_face:

2 Likes

Hi Rosika,
I slept on it.
All that came out was… it is the same as normal 2FA except you are dealing with your email client instead of with a website.
So
you have to somehow con the email client into giving you an OTP ??
I don't see how oathtool can do that? It generates an OTP itself. You must have to get the email client to somehow
launch oathtool and then be ready to receive its OTP from you?

Good luck with that
Neville

2 Likes

The “How” is this:

"Authenticator apps work based on the TOTP verification model. When you set up MFA on your account and choose TOTP, the account server will create a QR code that the authenticator app will scan. The QR code contains a secret algorithm that uses the current time as a factor in generating TOTP codes.

The authenticator app and the account server will be the only parties that possess the secret algorithm. They will independently use the secret to generate the exact same codes at the exact same time."

I personally use Authy for 2FA, and I recommend everyone use some kind of 2FA method. I have never heard of oathtool before, but it sounds fine.

2 Likes

Tell me about it… bane of my life…

I have hmmm - FIVE MFA apps on my Android Phone…

MS Authenticator
Symantec VIP
PingID
RSA Authenticator
Google Authenticator

This all for work… it’s utterly ridiculous…

It would be no surprise to guess what words I replace the MF with in the acronym “MFA” - related to Oedipus and coitus :smiley: anyway - given my penchant for potty mouth expletives :smiley:

I also have a FIDO USB key “token” - that I use once to enable connecting to my Google stuff (gmail, google docs, sync etc) from Brave and Google Chrome browsers…

For nearly all of my personal stuff - I’m happy to get a one time MFA “token” via email… Some force me to get it via SMS…

3 Likes

Hi all, :wave:

thanks so much for your input :heart: .

@nevj :

Thanks Neville. How kind of you.

Well, I was trying hard to interpret your explanation. I always stumbled over “e-mail client”.
Sorry, Neville. :bowing_man:

Perhaps my wording was incorrect. Let me put it straight:
In my scenario there´s no e-mail client involved. Just the browser, with which I access the respective site and log in to my account via normal password authentication.

And then there´s oathtool or some (other) authenticator app involved.
I´m not sure whether oathtool may be regarded as some kind of authenticator app at all, because all it does is create the TOTP by using the secret key… :thinking: .

Yes, that´s it.

@Akatama :

Thanks Jimmy, for the link. I read the article through.
The schematic representation of how creating a TOTP works is great.

I think I understand it now, but this part:

The authenticator app and the account server will be the only parties that possess the secret algorithm. They will independently use the secret to generate the exact same codes at the exact same time.

seems critical to me when using oathtool.
How oathtool is supposed to make sure that the condition “exact same time” is met is beyond me.

I almost fear I´ll have to use an (another) authenticator app after all. :slightly_frowning_face:

BTW:

I just checked the 30 seconds interval with oathtool:

oathtool -b --totp 'secret_key'

I issued the command a few times in succession and it provided the exact same password. Then I waited for 30 seconds and did the same. And indeed: the password has changed now.

That´s exactly how it´s supposed to work, I guess.

@daniel.m.tripp :

Well, that´s quite a collection of MFA apps. :wink:

Yes, in actual fact that´s the way my health insurance company provides the second factor to me as well.
It´s been working fine for years and it´s certainly good enough for me.
I wish the building insurance company would do it the same way.

Thanks all of you for your kind help.

Many greetings from Rosika :slightly_smiling_face:

1 Like

Sorry, I understood that to mean you were receiving email…
hence I thought email-client was involved.

OK now I understand you are looking at some online mailbox in a browser.
So you somehow have to prompt the online mailbox to send you an OTP… either to your phone or by email.
You can then enter the OTP and it will authenticate.

I don't see how oathtool can help, unless you can tell the online mailbox to use it? Surely they have their own tool to generate an OTP… why would you need to supply one?

2 Likes

No problem, Neville.

Yes, you´re right. The online mailbox is accessed by the browser.

I´m afraid you´re right. Neville. I may have to use a dedicated authenticator app after all.

The thing is: I can´t do any experiments unless they send any document requiring 2FA.

Thanks a lot, Neville

Cheers from Rosika :slightly_smiling_face:

1 Like

I think you are too focused on oathtool versus authenticator apps. Because from what I understand oathtool IS an authenticator app, just a command line one.

As for how they make sure the condition is met at the exact same time, I am not sure. All I know is that I haven’t had a problem entering in a code from them with one exception.

Authy displays a time for how long the code is active for. There have been times where when I opened Authy the current code has like 5 seconds to live, which isn’t enough time to enter the code and hit submit. That’s not a problem for me, but does oathtool show this info? If not, you might have some times where you run out of time to enter the code, and it will seem to you like oathtool generated an invalid code, but it just timed out.

In order to understand how everything gets synced, you would need to dive more into how the TOTP protocol works in a deep way.

2 Likes

Hi Jimmy, :wave:

thanks a lot for your reply.

That would be great.

I like command line tools a lot and they´re certainly good enough for me. That´s why I want to use oathtool if at all possible.

The reason for thinking it might not be an authenticator app per se is that it cannot do what the people at the building insurance suggest:

My assumption may be wrong of course. :thinking:

Yes, that´s a mystery to me, too. No idea how oathtool would handle this task.

I was already looking for Authy on the web but I only found snap and flatpak packages for it.

Thanks again for your input.

Many greetings from Rosika :slightly_smiling_face:

1 Like

When I use Authy the scanning of the QR code (same step as when you entered the 32 digit code to make oathtool work) is what adds the account. Authy allows me to pick a name for the account as part of this process (actually I think it might get it from the code, but I can change it). So I guess the only question is whether or not oathtool can handle multiple codes for multiple accounts at the same time.

I have found a man page for oathtool, if you think it will be helpful to you. Just glancing at it I see part of the code tells the 2FA app when to start counting time steps including time zone info, along with the time step size. If your computer is connected to the internet, then this means there might be an issue for a few seconds per key change, which might be why I never had any problem.

I don’t know if I would bother. Authy recently announced they are getting rid of their desktop app (or maybe just Linux desktop app? Don’t recall). Which means it would be smart phone only. I am not happy about this decision, but I haven’t decided yet if it is enough to make me leave. However, if a desktop app is what you need, Authy isn’t for you.

3 Likes
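The 30-second time step Rosika checked above, and Jimmy's points about the time step counted from a fixed start and about how many seconds a code has left, as an added Python example that is not from the original thread or from oathtool itself. It re-implements RFC 6238 TOTP with the defaults `oathtool --totp` uses (SHA-1, 6 digits, 30-second steps, Unix epoch as start); the secret is the RFC 6238 test key, constructed here, which happens to be exactly 32 base32 characters like the one from the insurance letter.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed test secret: base32 of the ASCII string "12345678901234567890",
# the RFC 6238 test key. Real secrets come from the QR code / letter.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # seconds per step (oathtool default)
DIGITS = 6       # code length (oathtool default)

def decode_base32(secret):
    # oathtool -b tolerates lowercase and spaces; normalise and re-pad.
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)

def hotp(key, counter, digits=DIGITS):
    # RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret_b32, unix_time, step=TIME_STEP, digits=DIGITS):
    # RFC 6238: the counter is simply (seconds since the Unix epoch) // step,
    # so any two clocks that agree on UTC produce the same code; time zones
    # do not enter into it.
    return hotp(decode_base32(secret_b32), int(unix_time) // step, digits)

def seconds_remaining(unix_time, step=TIME_STEP):
    # How long the current code stays valid (what Authy displays and oathtool does not).
    return step - int(unix_time) % step

def verify(secret_b32, candidate, unix_time, window=1):
    # Server-side check: accept the current step plus `window` neighbouring steps,
    # which is how services tolerate small clock drift between client and server.
    counter = int(unix_time) // TIME_STEP
    key = decode_base32(secret_b32)
    return any(hmac.compare_digest(hotp(key, counter + d), candidate)
               for d in range(-window, window + 1))

if __name__ == "__main__":
    now = time.time()
    print(totp(TEST_SECRET_B32, now), "valid for", seconds_remaining(now), "s")
```

Run with the system clock set correctly (NTP) and the output matches `oathtool -b --totp GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ` in the same 30-second window; if the clock is off by more than the server's window, every code will look "invalid" even though both sides use the same secret.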

Hi Jimmy, :wave:

thank you so much for your new reply. :heart:

Hmm, for the time being this building insurance account is the only account oathtool would have to deal with. I guess that´s not much of a problem then…

Thanks for the link to the man pages.
I found the entries regarding time-step-size.

Thanks for the assessment. Yes, I won´t bother with Authy then.
If nothing else helps I need to install Google-Authenticator after all.

It may actually be obtained via the ubuntu repositories:

env LANG=en_GB:en apt-cache show libpam-google-authenticator
Package: libpam-google-authenticator
Architecture: amd64
Version: 20191231-2
Priority: optional
Section: universe/admin
Source: google-authenticator
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Janos Lenart <ocsi@debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 134
[...]
Homepage: https://github.com/google/google-authenticator/
Description-en: Two-step verification
 The Google Authenticator project includes implementations of one-time
 passcode generators for several mobile platforms, as well as a
 pluggable authentication module (PAM). One-time passcodes are generated
 using open standards developed by the Initiative for Open
 Authentication (OATH) (which is unrelated to OAuth).
 
 These implementations support the HMAC-Based One-time Password (HOTP)
 algorithm specified in RFC 4226 and the Time-based One-time Password
 (TOTP) algorithm currently in draft.
[...]

Taking all of the information I already have into consideration there´s still one thing I don´t quite get:

What is this about then: ?

That´s part of my profile of the account I access via the browser.
So there´s a setting which wants me to setup 2FA :question:

Why on earth would I need to do that if I follow their instructions and actually use Google-Authenticator…? :thinking:
According to them the new account is added in the app.

Thanks a lot for your help, Jimmy.

Have a nice day and many greetings from Rosika :slightly_smiling_face:

P.S.:

Update:

Dammit: the package libpam-google-authenticator doesn´t seem the right one after all. :angry:

I installed it and it seems to fulfill another purpose:
Here it says:

Example PAM module demonstrating two-factor authentication for logging into servers via SSH, OpenVPN, etc…

This project is not about logging in to Google, Facebook, or other TOTP/HOTP second factor systems, even if they recommend using the Google Authenticator apps.

(bold by me).

The name google-authenticator is quite misleading. :neutral_face:
The programme is used to enable 2FA when logging in to your Linux system.

So, contrary to my former assumption, that´s no solution to my problem.

That leaves Authy then. Or does anybody know of another well-working authenticator app :question:

2 Likes

@Rosika , I did some research. There is a desktop app called Authenticator made by the Gnome team. You can find the repo here: World / Authenticator · GitLab

It is on Flathub: Install Authenticator on Linux | Flathub

It might also be in your distros package manager. I have not used it myself, so I can’t recommend it as such. Still, it might be helpful to you.

3 Likes

Hi Jimmy, :wave:

be thanked a lot for doing research on my behalf. That´s very kind of you. :heart:

As a matter of fact I stumbled over authenticator as well, but - like you - I found out that it´s available as flatpak.
I actually don´t want to use flatpaks on my main system, but an idea just popped into my mind: I could install it on my Archlinux virtual machine. That would bother me much less. :wink:

While on the subject of Arch, I actually did look for authenticator there.

I was surprised to see it is available in the AUR repositories. :smiley: :

AUR (en) - authenticator.

Well, that´s just great. Taking a detour via Archlinux vm seems doable for the rare cases when I need 2FA for my account.

Thank you so much for your kind help, Jimmy.

Have a nice Sunday and cheers from Rosika :slightly_smiling_face:

3 Likes

Hi all, :wave:

Update:

I just want to inform you that there was at least some partial success when using oathtool.

In my post #17 I posted a screenshot of part of my profile account.
Here the insurance company provides the possibility of requesting new QR-code.
I actually requested a new one and in the meantime it arrived via snail-mail.

Entering oathtool -b --totp '[NEW_SECRET_KEY]' in the terminal got me a new 6-digit password.
Then I signed into my account via the browser and entered it the respective field (see image in my post #17).
After hitting “Ok” I got this feedback:

… stating that 2FA has been successfully activated. :smiley:

Great.
This part has finally worked with oathtool.

Unless they send some documents requiring 2FA there´s not much more I can do at the moment.

Many greetings from Rosika :slightly_smiling_face:

2 Likes