Support OTP in Browserpass v3
OTP was intentionally not re-implemented in Browserpass v3, but given that some of you might want to implement this functionality as a fork or extension to Browserpass, let’s coordinate this effort to prevent duplication and fragmentation of your work.
Creating a separate browser extension that will also talk to Browserpass native host is always an option, although it has its drawbacks.
- Create a new dedicated extension browserpass-otp in the Browserpass org
- Browserpass v3, upon receiving a decrypted password entry from the native host, will see if there is an OTP URL or seed, and if so, will automatically hand this value off to browserpass-otp extension (if it is installed).
- browserpass-otp is then free to do anything it wants with the OTP url, it can generate codes, show them on the page, insert in the form, copy to clipboard, etc. - the limits are only your imagination 😉
This approach has the following benefits:
- No need to communicate with native host at all.
- No need to select pass entry twice in the popup (as it would have been the case for two extensions that are unaware of each other).
- This extension will only have access to OTP url, but not the rest of the pass entry contents.
- We can always revoke the communication between browserpass and browserpass-otp if the latter does something terrible.
At the same time I’m satisfied by the minimal impact on Browserpass extension:
- No OTP-related code in Browserpass codebase
- No mention of OTP in UI, not even hidden in settings
- Still recommend against storing OTP codes in password store
I’m not planning to contribute much code to browserpass-otp myself, but because this will be a whitelisted extension in Browserpass, I would like to establish the following requirements:
- browserpass-otp must belong to Browserpass org on GitHub
- The entire development must be done via pull requests
- @erayd or I must approve every PR
Question to community:
Who is interested to write code for browserpass-otp extension? Please speak up.
- Created 4 years ago
- Comments:18 (3 by maintainers)
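The handoff proposed in the issue above, sketched as an added example (not code from Browserpass or browserpass-otp): only the OTP URL leaves the decrypted entry, only an allowlisted extension ID can receive it, and the receiver checks who sent it. The function names, the message shape, the placeholder extension ID and the sample entry are assumptions; only the URL form is handled, not a bare seed.

```javascript
// Added illustration; hypothetical names, not the project's API.
// Placeholder ID: the real extension ID is not given on this page.
const OTP_EXTENSION_ALLOWLIST = new Set(["<browserpass-otp-extension-id>"]);
const BASE32 = /^[A-Z2-7]+=*$/i;

// Return the first well-formed otpauth:// URI found in the text, or null.
function extractOtpUrl(entryText) {
  for (const raw of entryText.split(/\r?\n/)) {
    const start = raw.indexOf("otpauth://");
    if (start === -1) continue;
    const candidate = raw.slice(start).trim();
    let url;
    try { url = new URL(candidate); } catch { continue; }
    const secret = url.searchParams.get("secret") || "";
    if (url.protocol === "otpauth:" &&
        ["totp", "hotp"].includes(url.hostname) && BASE32.test(secret)) {
      return candidate;
    }
  }
  return null;
}

// Sender side: the message carries the OTP URL and nothing else from the
// entry, and is built only for an allowlisted recipient.
function buildHandoff(entryText, recipientId) {
  if (!OTP_EXTENSION_ALLOWLIST.has(recipientId)) return null;
  const otpUrl = extractOtpUrl(entryText);
  return otpUrl ? { recipientId, message: { otpUrl } } : null;
}

// Receiver side: accept only messages from the expected sender ID and
// re-validate the URL instead of trusting the sender's parsing.
function acceptHandoff(message, senderId, expectedSenderId) {
  if (senderId !== expectedSenderId) return null;
  if (!message || typeof message.otpUrl !== "string") return null;
  return extractOtpUrl(message.otpUrl);
}

// Constructed sample entry (password on the first line, then metadata).
const SAMPLE_ENTRY = [
  "correct-horse-battery-staple",
  "login: alice",
  "otpauth://totp/Example:alice?secret=JBSWY3DPEHPK3PXP&issuer=Example",
].join("\n");
```

In an extension, the result of `buildHandoff` would be passed to `chrome.runtime.sendMessage(recipientId, message)`, and `acceptHandoff` would be called from a `chrome.runtime.onMessageExternal` listener with `sender.id`.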
Top GitHub Comments
This is a very, very, extremely, don’t-rely-on-it-for-anything, dev release… but it works, and it’s now available for those who really want OTP functionality right now. Please pay close attention to the following caveats:
- The OTP extension generates a new code and copies it to the clipboard every time you do something with a Browserpass entry which contains an OTP secret.
- You must have at least v3.0.12 of the Browserpass extension installed in order for this to work.
- There is currently no UI at all.
- The code in the clipboard doesn’t yet refresh - if you need a new code, you must invoke the Browserpass entry again.
- You don’t need to do anything in order for the OTP extension to function - just having it installed is sufficient.
- There’s currently a bug where OTP takes priority over the copy username / copy password functions of browserpass. This will be resolved within the next few days once a proper UI is implemented.
Expect to see a number of updates over the next few days as development continues. Feedback is welcome - please contribute your comments, ideas, criticisms, wishlists etc. over at the browserpass-otp project repository.
It wasn’t reimplemented into the new extension, therefore the functionality was taken away.