Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Support OTP in Browserpass v3

See original GitHub issue

OTP was intentionally not re-implemented in Browserpass v3, but given that some of you might want to implement this functionality as a fork or extension to Browserpass, let’s coordinate this effort to prevent duplication and fragmentation of your work.

Creating a separate browser extension that will also talk to Browserpass native host is always an option, although it has its drawbacks.

However after reading your feedback in #322 and #331, @erayd came up with the following neat idea and convinced me to agree to it:

  • Create a new dedicated extension browserpass-otp in the Browserpass org
  • Browserpass v3, upon receiving a decrypted password entry from the native host, will see if there is an OTP URL or seed, and if so, will automatically hand this value off to browserpass-otp extension (if it is installed).
  • browserpass-otp is then free to do anything it wants with the OTP url, it can generate codes, show them on the page, insert in the form, copy to clipboard, etc. - the limits are only your imagination 😉

This approach has the following benefits:

  • No need to communicate with native host at all.
  • No need to select pass entry twice in the popup (as it would have been the case for two extensions that are unaware of each other).
  • This extension will only have access to OTP url, but not the rest of the pass entry contents.
  • We can always revoke the communication between browserpass and browserpass-otp if the latter does something terrible.

At the same time I’m satisfied by the minimal impact on Browserpass extension:

  • No OTP-related code in Browserpass codebase
  • No mention of OTP in UI, not even hidden in settings
  • Still recommend against storing OTP codes in password store

I’m not planning to contribute much code to browserpass-otp myself, but because this will be a whitelisted extension in Browserpass, I would like to establish the following requirements:

  • browserpass-otp must belong to Browserpass org on Github
  • The entire development must be done via pull requests
  • @erayd or I must approve every PR

Question to community:

Who is interested to write code for browserpass-otp extension? Please speak up.

And as usual, please share any feedback you have, if not for your comments in #322 and #331, we would not be discussing this at all 😉

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Reactions:13
  • Comments:18 (3 by maintainers)

github_iconTop GitHub Comments

eraydcommented, Apr 16, 2019

I have now published the OTP extension in the Firefox and Chrome extension webstores.

This is a very, very, extremely, don’t-rely-on-it-for-anything, dev release… but it works, and it’s now available for those who really want OTP functionality right now. Please pay close attention to the following caveats:

  • The OTP extension generates a new code and copies it to the clipboard every time you do something with a Browserpass entry which contains an OTP secret.
  • You must have at least v3.0.12 of the Browserpass extension installed in order for this to work.
  • There is currently no UI at all.
  • The code in the clipboard doesn’t yet refresh - if you need a new code, you must invoke the Browserpass entry again.
  • You don’t need to do anything in order for the OTP extension to function - just having it installed is sufficient.
  • There’s currently a bug where OTP takes priority over the copy username / copy password functions of browserpass. This will be resolved within the next few days once a proper UI is implemented.

Expect to see a number of updates over the next few days as development continues. Feedback is welcome - please contribute your comments, ideas, criticisms, wishlists etc. over at the browserpass-otp project repository.

ghostcommented, Apr 8, 2019

It wasn’t reimplemented into the new extension, therefor the functionality was taken away.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Readme - Openbase
OTP was not implemented in Browserpass v3, but it might be implemented as a separate extension. For more details, see Support OTP in...
Read more >
AUR (en) - Packages - Arch Linux
python-django-otp, 1.1.3-2, 1, 0.00, A pluggable framework for adding two-factor authentication to Django using one-time passwords ; keepass-plugin-favicon, 1.9.
Read more >
browserpass - Bountysource
Created 1 year ago in browserpass/browserpass-extension with 3 comments. ... from a crash the option set to "enable support for OTP tokens" is...
Read more >
pass-import - PyPI
This behavior can be changed using the provided options. Pass import handles duplicates and is compatible with browserpass. It imports OTP secret in...
Read more >
Migrating from LastPass to pass - Zoned Out
There's no support for importing random CSV files in pass itself, ... brew search pass ==> Formulae gopass lastpass-cli pass-otp ✓ ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found