Backup your 2FA
2FA on Google and most other services follows the Time-based One-time Password (TOTP) standard (RFC 6238): a shared secret key and the current time, rounded to a 30-second step, are fed through HMAC to produce the six-digit code. The shared key is the only secret in the scheme, so once you have it you can seed several token generators with it, not just Google Authenticator. The flip side is that anyone who obtains the key can generate your codes, so treat the backup with the same care as a password.
(Option 1): Recover shared key from existing Google Authenticator
If Google Authenticator is installed on a rooted phone, use adb (pacman -S android-tools) to pull its database and recover the key: https://gist.github.com/jbinto/8876658
More likely, you will need to remove the current device from your Google account and re-register it, which is Option 2 below.
(Option 2): Extract shared key from the QR code (New device registration)
Install ZXing
Dependencies: opencv (pacman -S opencv on Arch Linux)
$ git clone https://github.com/glassechidna/zxing-cpp
$ cd zxing-cpp
$ mkdir build
$ cd build
$ cmake -G "Unix Makefiles" -DCMAKE_INSTALL_PREFIX:PATH=/usr -DCMAKE_BUILD_TYPE=Release ..
$ make
$ sudo make install
This installs /usr/bin/zxing.
Save QR code and extract key
When Google displays the QR code for Google Authenticator during new device registration, use a screenshot tool to capture the QR code alone in an image file, then pass that file to zxing to decode it. Delete the screenshot afterwards; it contains the secret in clear.
$ zxing image.png
otpauth://totp/Google%3AYOUREMAILID%40gmail.com?secret=YOURSECRETCODE&issuer=Google
The value of the secret parameter (a base32-encoded key) is all that is needed to initialize your OTP token generator; the label and issuer are only display hints.
Install and initialize your OTP token generator
I came across the following combinations:
- pass + totp-cli
- KeePass TOTP plugins (KeeOTP or TrayOTP)
- LinOTP: supports hardware keys such as YubiKey, RADIUS tokens, and TOTP. Runs as a web server. Very enterprise.
- Authy: cloud-backed OTP. Seemed like a bad idea.
I found the first option the most appealing.
Install pass
Dependencies: gnupg for encryption, tree for displaying ASCII trees.
While pass is in most distribution repositories (apt install pass or pacman -S pass), the latest version, 1.7.0, has not yet made it into them. So, install from source:
$ wget https://git.zx2c4.com/password-store/snapshot/password-store-1.7.tar.xz
$ tar Jxvf password-store-1.7.tar.xz
$ cd password-store-1.7
$ sudo make install
Initialize your password store
Create a GPG key with an id (a user id or key fingerprint), say password-store. Use that id to initialize pass:
$ pass init password-store
Optionally push to a git repo
$ pass git init
$ pass git remote add origin http://your_git_repo/user/repo
To push to the repo: pass git push -u --all
The entries in the store are GPG-encrypted, so pushing them is safe, but use an https or ssh remote rather than plain http so the repository itself is not tampered with in transit.
More details here: [Extended example](https://git.zx2c4.com/password-store/about/#EXTENDED GIT EXAMPLE)
Set up the OTP generator
Dependencies: xclip, python >= 3.3
$ pip install totp
The shared key needs to be stored in pass at the path 2fa/Service/code, e.g. 2fa/Google/code or 2fa/Github/code. Take the secret extracted from the QR code and store it in pass:
$ pass insert 2fa/Google/code
The passwords and codes in pass are encrypted with the GPG key the store was initialized with.
Now, anytime you need a 2FA code, run
$ totp Google
Comments
Or, you could use Authy. It can back up your OTP token that is GOTP compatible. Plus, it has an app for most devices worldwide (including a Chrome app).
I did mention Authy among the options for token generators. I just didn't like the idea of storing authentication tokens in the cloud. Instead, self-hosting LinOTP would be an option for complex needs.
Sorry! I just skimmed through your thread and didn't see the Authy part. Authy 'claims' to encrypt the tokens with 'our' backup key, so it doesn't seem to be that big of a risk to me though.