* Fixing typo in mount docs

RELEASE_NOTES[DOCUMENTATION]=mounts cmd was misspelled in docs

Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>

* Patching related link

Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>

---------

Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
Use case: Secure otp
Summary
OTP is typically used to increase the security of the login process by adding a second factor. Depending on the threat level, you can store OTP tokens separately from the login and password.
Normal secure setup
Most threats are mitigated by storing OTP tokens in your "Git-Passwordstore" next to your login and password. An entry may look like this:
gopass show git-passwordstore/website/yourLogin
will result in
yourPassword
---
login: yourLogin
url: https://website.com
totp: YourOtpTokenBase32Encoded
You can generate your OTP code with
gopass otp git-passwordstore/website/yourLogin
897402 lasts 17s |-------------=================|
Advanced Secure Setup
For protection against an exposed "Git-Passwordstore" you can use a separate "Local-Passwordstore" to hold your OTP tokens. The entries may then look like this:
gopass show git-passwordstore/website/yourLogin
will result in
yourPassword
---
login: yourLogin
url: https://website.com
gopass show local-passwordstore/website/yourOtp
will result in
otpauth://totp/Website:yourLogin?secret=YourOtpTokenBase32Encoded&issuer=Website
You can generate your OTP code with
gopass otp local-passwordstore/website/yourOtp
897402 lasts 17s |-------------=================|
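Both setups above end up with the same thing, a base32 TOTP secret, either as a `totp:` key in the entry body or inside an `otpauth://` URI, and `gopass otp` turns that secret into the six-digit code. The following example, added here to make that concrete (it is not gopass's own code and not part of the original page), parses both entry layouts and computes the RFC 6238 code and the remaining validity. The sample entries are constructed; the secret is the RFC 6238 reference test vector, not a real token.

```python
"""Parse the two gopass entry layouts shown above and compute the TOTP code.

Example added to illustrate the doc; this is not gopass's implementation.
It shows why the secret itself must be protected: anyone holding the
base32 string can compute every future code.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample entries mirroring the two layouts in the doc.
# The secret is the RFC 6238 test vector ("12345678901234567890" in base32).
GIT_STORE_ENTRY = """yourPassword
---
login: yourLogin
url: https://website.com
totp: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
"""

LOCAL_STORE_ENTRY = (
    "otpauth://totp/Website:yourLogin"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Website"
)


def extract_otp_secret(entry: str) -> str:
    """Return the base32 secret from either layout, or raise ValueError."""
    text = entry.strip()
    if text.startswith("otpauth://"):
        u = urlparse(text)
        if u.netloc != "totp":
            raise ValueError("only otpauth://totp URIs are handled here")
        qs = parse_qs(u.query)
        if "secret" not in qs:
            raise ValueError("otpauth URI has no secret parameter")
        return qs["secret"][0]
    # Key/value layout: lines after the '---' separator are 'key: value'.
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "totp":
            return value.strip()
    raise ValueError("entry has neither a totp: key nor an otpauth URI")


def totp(secret_b32: str, at: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps) for the Unix time `at`."""
    s = secret_b32.strip().replace(" ", "").upper()
    # Tolerate secrets stored without base32 padding.
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = at // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def seconds_left(at: int, period: int = 30) -> int:
    """Seconds until the code rolls over (the 'lasts 17s' in gopass output)."""
    return period - (at % period)


if __name__ == "__main__":
    now = int(time.time())
    for store, entry in (("git-passwordstore", GIT_STORE_ENTRY),
                         ("local-passwordstore", LOCAL_STORE_ENTRY)):
        secret = extract_otp_secret(entry)
        print(f"{store}: {totp(secret, now)} lasts {seconds_left(now)}s")
```

Running the script prints a code for each layout; both are identical because the secret is the same. That is the whole point of the advanced setup: moving the `otpauth://` line to a store with different keys changes who can compute the codes, not how they are computed.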
Rely on a hardware token
Ideally, the secret key that is able to decrypt your OTP secrets should be stored on a hardware token that requires some kind of user interaction before it decrypts anything.
With gopass this is done by setting up a second store that does not use the same public keys as your main password store. Refer to our mount docs for setting one up.
The public keys used for your OTP store should ideally be stored only on hardware tokens, or generated on an air-gapped machine and backed up offline before being transferred to a hardware token. (There are multiple guides online about how to do this.)
It is highly recommended to set the token's "touch policy" to "always" when using a hardware token for OTP.
This avoids storing 2FA codes in the same place as your passwords, which would largely nullify the security advantage of relying on a 2FA code in the first place.
Threat analysis
Assets & Dataflow
Actors
- Shop-Hacker-Kid: Buys pwned credentials.
- Organised-Crime-Hacker: Uses phishing, may hack your git server.
- Customs-Officer-Hacker: Copies your hard drive, may ask for your Facebook password.
- Intelligence-Hacker: Breaks into your flat physically or hacks your computer remotely, may place a keylogger.
Threats
- Shop-Hacker-Kid tests bought credentials for your account on "Website".
  - Mitigated by using OTP (both password store locations are secure enough).
- Organised-Crime-Hacker phishes your "Website" login and password.
  - Mitigated by using OTP (both password store locations are secure enough).
- Organised-Crime-Hacker hacks your git server and gets a clone of your Git-Passwordstore.
  - Mitigated by using OTP in your Git-Passwordstore as long as your GPG key and passphrase remain unexposed.
  - Mitigated by using OTP in your Local-Passwordstore.
- Customs-Officer-Hacker copies your hard drive.
  - Mitigated as long as your hard drive is encrypted.
  - Mitigated if your passphrase remains unexposed.
- Intelligence-Hacker copies your hard drive, places a keylogger and after some weeks reads all your keyboard input.
  - Only an unexposed hardware OTP token will mitigate this threat.
