tadfisher/pass-otp

Make it easier to enter TOTP secrets.

kevincox opened this issue · 3 comments

Currently pass-otp requires using an otpauth:// URI which is fantastic for flexibility however in practice this isn't the OTP format that is generally shared by websites. This makes entering secrets unnecessarily difficult. As entering new OTP secrets is something I do rarely I can never remember the full format of the URI. otpauth://totp/totp-secret?secret= is by far the most common format required and it is a lot to remember. otpauth:// is shown in the prompt so that is "free" but totp/totp-secret?secret is not much off from line-noise. I can remember that totp should be in there somewhere but the exact format is too much for my brain. I end up dumping another secret that I know I already have, constructing the URL (and copying it as I need to insert it twice) then inserting it.

I think it would be a great benefit to users if the tool could provide some assistance. Here is a first idea:

  1. If entering a secret interactively.
  2. After the secret is entered twice identically.
  3. If the secret is not a valid otpauth:// URI.
  4. If the secret is a valid TOTP token.
  5. Prompt the user if this is a TOTP token.
  6. If they indicate that it is, generate the full URL (otpauth://totp/totp-secret?secret=$user_input) and insert that.

I think the risk here is very low because most sites will require the user to insert a test code before enabling 2fa anyways and the UX improvement is dramatic.

Given that the pass otp insert command right now seems to just mirror the functionality of pass insert, I think it would make sense to just change it to automatically prepend the string.

People who don't want it automatically prepended can just use pass insert

I highly recommend to add this!
I have never saw a website that displays me the otpauth:// URI ...
It always only the secret token.

I'm create my self extension because this extension is not easy. See here: https://github.com/betabrandao/simple-totp