I have a Google account with one of the organisations I volunteer for. They have recently taken the decision to require 2FA for all account sign-ins. Google's 2FA enrolment process requires one of (a) PSTN phone number, (b) Google app on smartphone (NOT Google Authenticator), (c) hardware security token.

I'm not prepared to give Google my phone number, nor am I willing to install a Google app that requires me to be signed in on a phone when there are numerous third party OTP implementations available (apart from anything else I very rarely use a smartphone and would prefer to use a desktop app). The organisation is not providing a hardware token and I don't have one of my own.

Is there another alternative? For example, getting the settings and initialisation key to use with an OTP app, or a browser extension that acts in the same way as a hardware token.

I'm running Ubuntu 21.04 and Firefox, but could use a Chrome-based browser if absolutely necessary.

(Edited to clarify that Google Authenticator is NOT offered as an option during enrolment: only the Google (Search) app or the Gmail app are possible.)

There are two choices for "Google specific app on smartphone" – one uses online notifications (Google Prompt), the other uses offline OTP (Google Authenticator).

Google supports OTP-based 2FA under the name of "Authenticator app". It uses the OATH TOTP standard – exactly the same as what most other OTP apps use, with standard parameters (6 digits, 30 second interval).

As part of the enrollment process, you'll be shown a QR code which directly contains the TOTP shared secret. You can scan it with just about any OTP app that exists (desktop apps should be able to "scan" a screenshot as well).

During the same step, you can also click the "Can't scan it?" and reveal the same TOTP seed as plain text. You can copy & paste it into your desktop OTP app, and perhaps write it down on paper to store as a backup.

The app will not need to communicate with Google. However, the device's clock needs to be accurate (the official Google app automatically compensates for wrong clocks using an online time server, but in other apps you'll need to take care of it yourself).

It does not matter whether you choose "iOS" or "Android" when asked for your phone type – you'll get the same process either way.

(In case the "Can't scan it?" option goes missing, the QR code can also be scanned using a generic QR decoder, which will reveal the TOTP seed in plain text. The QR code's contents use the format otpauth://totp/GitHub:someuser?secret=ABCDEF&issuer=GitHub, with the username and issuer being for display only.)

Tokens

Regarding hardware tokens – yes, there are browser extensions which emulate a WebAuthn or U2F token, but many of them seem to be abandoned and they might not necessarily be secure. (There's also the risk of them suddenly no longer working, so if you use one, make sure to have TOTP as a backup.)