Re: TOTP apps, and WebAuthn recommended devices?

[Dave B <spam%netbsd.dberg.net@localhost>]

On Thu, Mar 23, 2023 at 03:23:40PM +0000, Stephen Borrill wrote:
> On Thu, 23 Mar 2023, Greg Troxel wrote:
> > 2FA is increasingly required, which is fine, but I wonder about
> > strategies for coping as a NetBSD user.
> > 
> > One thing is TOTP.  There are Android apps from f-droid (which suits me
> > but not everyone), and there is vaultwarden which should allow bitwarden
> > to do TOTP.  I wonder if there are good TOTP programs in pkgsrc and what
> > people recommend.
> 
> security/oath-toolkit work well for me
...

For TOTP (and HOTP <- is this commonly/ever used, btw?), I
found oath-toolkit/oathtool very helpful as well.  I've been
using it for a couple years.

Recently, I also discovered "susam/mintotp" on github; and
it's been very useful too, in a situation helping others
where the laptop in use was running the mainstream,
proprietary OS (rather than NetBSD).  Slightly "off
question", maybe, but I mention it because the mintotp.py
implementation seems minimal & elegant (less than 1KB of
python code--and depends on, IIRC, only stock python libs:
so it simply worked with the proprietary OS's Python version
from its online app store).

The mintotp repo also has almost 2 orders of magnitude more
documentation than code--and yet even that was a manageable
quantity.  Something about this made me happy...

I was able to look over mintotp.py and be fairly confident
that it wasn't revealing the OTP shared secret (or other
information) to a third party.[*]  The simplicity of the
implementation may mean that it will run easily on a smart-
phone's Python too, although I haven't tried.  And of course
it runs on stock pkgsrc Python under NetBSD; although
mintotp itself isn't packaged.

Best, -D

[*] I'm not a code auditing expert by any means, however; so
take that with a grain of salt.  And obviously, it isn't of
as much value if one is already running in a proprietary OS.