How to do UMK two-factor authentication
# 0. (LOCAL) Packages
# These are the Debian package names as of Oct 2024:
sudo apt install gpg pass-otp zbar-tools
#### It seems that steps 3a and 5 must be done from the same machine; maybe also step 4. ####
# 1a. (LOCAL) set up a gpg key pair
gpg --generate-key # or gpg --full-generate-key
# * Remember your passphrase!
# * Keep your private key private.
# * 'info gpg' and 'ls -l ~/.gnupg/'
# 1b. (LOCAL) Check your non-private key info, where <gpgID> is something
# identifying your gpg key, e.g. the 'email' you gave; or your name
# if it is unique in your key-ring; or the last 8 hex characters in
# your public key fingerprint. If you're not sure, do 'gpg
# --list-keys', which will list *all* the keys in your default
# key-ring.
gpg --list-keys <gpgID>
# 2a. (LOCAL) Initialise your gpg-protected store of objects.
pass init <gpgID>
# 2b. (LOCAL) Check that pass is running normally.
pass ls
# 3a. (ONLINE) Ask your remote service to start on whatever steps of
# verification it wishes. Typically, this involves typing a URL
# into the address bar of a web browser, e.g.
firefox https://usosweb.umk.pl &
# or
firefox https://portal-pracowniczy.umk.pl/security &
# The service must provide you with a QR
# image file. Save this image file locally, e.g. <Untitled.png>.
# 3b. (LOCAL) Extract the QR code:
zbarimg <Untitled.png>
# This should give a response such as
QR-Code:otpauth://totp/UMK:mylogin@umk.pl?secret=0123456789ABCDEF0123456789ABCDEF&issuer=https://login.umk.pl
# 4. (ONLINE?) Create a new otp object, to be gpg-encrypted, with some arbitrary name.
# You will need to give the QR-code text twice, i.e. the part after 'QR-Code:',
# which in this fictitious case is
#
# otpauth://totp/UMK:mylogin@umk.pl?secret=0123456789ABCDEF0123456789ABCDEF&issuer=https://login.umk.pl
pass otp add umk1 # copy/paste the QR-code text; hit 'enter'; copy/paste it again; hit 'enter'
# 5a. (ONLINE?) Find the current digital code:
pass otp umk1
# 5b. (ONLINE?) If you wait too long, or if you are asked to give new
# digital codes, ask again. You can do this many times. If you do it
# fast, the codes will be identical to one another.
pass otp umk1
# 6. (ONLINE) Type or paste the digital code into the online service of step 3a.
# Redo Step 5a/5b if you were too slow and the digital code timed out.
--
BoudRoukema - 09 Oct 2024