Multi-factor Authentication Primer with PUBLIC SSO


  • Single Sign On (SSO) using PUBLIC SSO
  • Multi-Factor Authentication (MFA)
  • One-Time Password (OTP)
  • Backup MFA on multiple devices (phone and laptop)


On your phone

Install FreeOTP from the F-Droid repositories.

On your laptop

We’ll be using pass with the OTP extension.

E.g., on Debian:

sudo apt install pass pass-extension-otp zbarimg

Setup SSO and OTP

This section covers the SSO account registration and MFA setup for your phone.

Register a backup OTP device

Note that the interest of MFA is to require multiple devices as an additional security mechanism in case one device is stolen. But if your only MFA device is stolen, then you’re locked out of your account, which is in itself a denial-of-service attack. Therefore it’s important when using MFA to anticipate this situation and create a backup device. In this example we’ll use a laptop running pass. Note that this password store should not be kept with your laptop – as it would defeat the multi-factor – and probably stored somewhere safe, e.g., in a remote git repository that you can access when needed from any machine you happen to use. You could even save that git repository inside a tomb for extra security.

Also note that the following sequence should be done quite fast since the session might time out: so read it first and get prepared to perform it under a minute or two.

  • Login to
  • Proceed to MFA with your primary device
  • Go to “Set up Authentication Application
  • Save QR-code image to ~/otp.png
  • Save OTP credentials to pass:
    zbarimg -q --raw ~/otp.png | pass otp insert"$USER"-otp
  • Get a new OTP to paste in the form to complete device register
  • Logout and test your new MFA device
  • Remove the QR-code that contains your secret! rm -r ~/otp.png

Now you can use pass otp"$USER"-otp to retrieve an OTP from the command line in case you lost your phone.

Hybrid & Fragile Aesthetics  |  ParticipateEngageCooperate