Objectives
- Single Sign On (SSO) using PUBLIC SSO
- Multi-Factor Authentication (MFA)
- One-Time Password (OTP)
- Backup MFA on multiple devices (phone and laptop)
Requirements
On your phone
Install FreeOTP from the F-Droid repositories.
On your laptop
We’ll be using pass with the OTP extension.
E.g., on Debian:
sudo apt install pass pass-extension-otp zbar-tools
Setup SSO and OTP
This section covers the SSO account registration and MFA setup for your phone.
- Register an account at https://public.cat/auth/realms/public/account
- Set up a device for MFA at https://public.cat/auth/realms/public/account/#/security/signingin under “Set up Authenticator Application”
- Scan QR-code from FreeOTP
- Complete device registration
Register a backup OTP device
Note that the point of MFA is to require multiple devices as an additional security mechanism in case one device is stolen. But if your only MFA device is stolen, you are locked out of your account, which is in itself a denial of service. It is therefore important when using MFA to anticipate this situation and register a backup device. In this example we’ll use a laptop running pass. Note that this password store should not be kept on the laptop itself, as that would defeat the multi-factor; store it somewhere safe instead, e.g., in a remote git repository that you can access when needed from any machine you happen to use. You could even save that git repository inside a tomb for extra security.
Also note that the following sequence should be completed quickly, since the session might time out: read it through first and be prepared to perform it within a minute or two.
- Login to https://public.cat/auth/realms/public/account
- Proceed to MFA with your primary device
- Go to “Set up Authenticator Application”
- Save the QR-code image to ~/otp.png
- Save OTP credentials to pass:
zbarimg -q --raw ~/otp.png | pass otp insert public.cat/public-sso/"$USER"-otp
- Get a new OTP to paste in the form to complete the device registration
- Logout and test your new MFA device
- Remove the QR-code that contains your secret!
rm -r ~/otp.png
Now you can use pass otp public.cat/public-sso/"$USER"-otp to retrieve an OTP from the command line in case you lost your phone.
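To show what FreeOTP and pass otp each compute from the otpauth URI that zbarimg extracts from the QR code, here is an added example (not code from the original page or from the pass-otp project): it parses a constructed otpauth://totp URI carrying the RFC 6238 test seed and derives the TOTP code using only the standard library. Both devices hold the same seed, which is why the backup device produces the same codes, and why the QR image must be removed once imported.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed URI in the shape zbarimg prints from a Keycloak QR code.
# The secret is the RFC 6238 test seed ("12345678901234567890"), not a real credential.
EXAMPLE_URI = ("otpauth://totp/public-sso:alice?"
               "secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=public-sso"
               "&algorithm=SHA1&digits=6&period=30")


def parse_otpauth(uri):
    """Extract label, secret and TOTP parameters from an otpauth://totp URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = parse_qs(parsed.query)
    secret = params.get("secret", [""])[0].replace(" ", "").upper()
    if not secret:
        raise ValueError("otpauth URI carries no secret")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": secret,
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def totp(secret_b32, unix_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HMAC over the time-step counter, dynamic truncation, mod 10^digits."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)   # restore base32 padding
    key = base64.b32decode(padded, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // period)
    digest = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_from_uri(uri, unix_time=None):
    """Derive the current code from the stored URI, as both FreeOTP and pass otp do."""
    p = parse_otpauth(uri)
    t = time.time() if unix_time is None else unix_time
    return totp(p["secret"], t, p["digits"], p["period"], p["algorithm"])


if __name__ == "__main__":
    print(code_from_uri(EXAMPLE_URI))
```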