Multi-factor Authentication Primer with PUBLIC SSO

Objectives

  • Single Sign On (SSO) using PUBLIC SSO
  • Multi-Factor Authentication (MFA)
  • One-Time Password (OTP)
  • Backup MFA on multiple devices (phone and laptop)

Requirements

On your phone

Install FreeOTP from the F-Droid repositories.

On your laptop

We’ll be using pass with the OTP extension.

E.g., on Debian:

sudo apt install pass pass-extension-otp zbar-tools   # zbar-tools provides the zbarimg command used below

Setup SSO and OTP

This section covers the SSO account registration and MFA setup for your phone.

Register a backup OTP device

Note that the point of MFA is to require multiple devices as an additional security mechanism in case one device is stolen. But if your only MFA device is stolen, you are locked out of your account, which is in itself a denial-of-service attack. Therefore it is important, when using MFA, to anticipate this situation and register a backup device. In this example we’ll use a laptop running pass. Note that this password store should not be kept with your laptop – as that would defeat the multi-factor – but rather stored somewhere safe, e.g., in a remote git repository that you can access when needed from any machine you happen to use. You could even save that git repository inside a tomb for extra security.

Also note that the following sequence should be done quite fast since the session might time out: read it first and be prepared to perform it within a minute or two.

  • Login to https://public.cat/auth/realms/public/account
  • Proceed to MFA with your primary device
  • Go to “Set up Authentication Application”
  • Save QR-code image to ~/otp.png
  • Save OTP credentials to pass:
    zbarimg -q --raw ~/otp.png | pass otp insert public.cat/public-sso/"$USER"-otp
  • Get a new OTP to paste in the form to complete the device registration
  • Logout and test your new MFA device
  • Remove the QR-code image, which contains your secret: rm ~/otp.png

Now you can run pass otp public.cat/public-sso/"$USER"-otp to retrieve an OTP from the command line in case you lose your phone.