Support OTP in Browserpass v3 #76

Closed
maximbaz opened this issue Mar 31, 2019 · 18 comments

@maximbaz
Member

OTP was intentionally not re-implemented in Browserpass v3, but given that some of you might want to implement this functionality as a fork or extension to Browserpass, let's coordinate this effort to prevent duplication and fragmentation of your work.

Creating a separate browser extension that will also talk to Browserpass native host is always an option, although it has its drawbacks.

However after reading your feedback in #322 and #331, @erayd came up with the following neat idea and convinced me to agree to it:

  • Create a new dedicated extension browserpass-otp in the Browserpass org
  • Browserpass v3, upon receiving a decrypted password entry from the native host, will see if there is an OTP URL or seed, and if so, will automatically hand this value off to browserpass-otp extension (if it is installed).
  • browserpass-otp is then free to do anything it wants with the OTP url, it can generate codes, show them on the page, insert in the form, copy to clipboard, etc. - the limits are only your imagination 😉

This approach has the following benefits:

  • No need to communicate with native host at all.
  • No need to select pass entry twice in the popup (as it would have been the case for two extensions that are unaware of each other).
  • This extension will only have access to OTP url, but not the rest of the pass entry contents.
  • We can always revoke the communication between browserpass and browserpass-otp if the latter does something terrible.

At the same time I'm satisfied by the minimal impact on Browserpass extension:

  • No OTP-related code in Browserpass codebase
  • No mention of OTP in UI, not even hidden in settings
  • Still recommend against storing OTP codes in password store

I'm not planning to contribute much code to browserpass-otp myself, but because this will be a whitelisted extension in Browserpass, I would like to establish the following requirements:

  • browserpass-otp must belong to Browserpass org on Github
  • The entire development must be done via pull requests
  • @erayd or I must approve every PR

Question to community:

Who is interested in writing code for the browserpass-otp extension? Please speak up.

And as usual, please share any feedback you have, if not for your comments in #322 and #331, we would not be discussing this at all 😉
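The hand-off described in this post, sketched as an added example (not Browserpass or browserpass-otp code): the sender forwards only the OTP URI to one allowlisted extension, and the receiver rejects any other sender. The extension IDs, function names and message shape are hypothetical, the entry is assumed to carry an `otpauth://` URI (a bare seed is not handled), and `send` stands in for `chrome.runtime.sendMessage`.

```javascript
// Constructed placeholder IDs; the real extension IDs are not given on this page.
const OTP_EXTENSION_ID = "otp-extension-id-placeholder";
const BROWSERPASS_ID = "browserpass-id-placeholder";

// Sender side: find the first otpauth:// URI in the decrypted entry text.
function extractOtpUri(entryText) {
  const match = /otpauth:\/\/[^\s]+/i.exec(entryText);
  return match ? match[0] : null;
}

// Sender side: hand off only the URI, never the rest of the entry.
// `send` stands in for chrome.runtime.sendMessage(extensionId, message);
// it is injected so the logic can run outside a browser.
function handOff(entryText, send) {
  const otpUri = extractOtpUri(entryText);
  if (otpUri === null) return false; // entry has no OTP: nothing happens
  send(OTP_EXTENSION_ID, { otpUri });
  return true;
}

// Receiver side: body of a chrome.runtime.onMessageExternal listener.
// Messages from any extension other than the allowlisted sender are dropped.
function acceptHandoff(message, sender) {
  if (!sender || sender.id !== BROWSERPASS_ID) return null;
  if (!message || typeof message.otpUri !== "string") return null;
  let url;
  try { url = new URL(message.otpUri); } catch (e) { return null; }
  if (url.protocol !== "otpauth:") return null;
  const type = url.hostname.toLowerCase();
  const secret = url.searchParams.get("secret");
  if (!["totp", "hotp"].includes(type)) return null;
  if (!secret || !/^[A-Z2-7]+=*$/i.test(secret)) return null;
  return { type, secret: secret.toUpperCase() };
}
```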

@ashkitten

ashkitten commented Apr 2, 2019

while i'd love to see this feature, i don't feel comfortable in my skills and reliability to create and maintain something others will depend on. if someone else is willing to do it and asked for help with a specific thing i'm perfectly willing to do that, though. otherwise i was going to hack it into a personal browserpass fork and probably only update it when i need to

@erayd
Collaborator

erayd commented Apr 2, 2019

I'm open to doing it if people are willing to wait a bit - the main browserpass extension is a higher priority for me, and there are a number of things on my to-do list for that.

My preference would be for somebody else to do the initial heavy lifting if it's desired to have this functionality quickly.

@maximbaz maximbaz transferred this issue from browserpass/browserpass-legacy Apr 7, 2019
@maximbaz maximbaz added the discussion Community discussions label Apr 7, 2019
@ghost

ghost commented Apr 8, 2019

If OTP isn't going to work in standalone v3 people are just going to downgrade and use older versions or ditch the extension entirely and use another. Taking away functionality because you think it's bad will only make things worse

@maximbaz
Member Author

maximbaz commented Apr 8, 2019

In case it wasn't clear, the functionality was not taken away, it was not reimplemented while the extension was being rewritten from scratch. I do think that it should not be part of the main extension, but this thread exists for us to find a solution that will satisfy everyone.

If you want to help implement it, say so; if you want to use the unmaintained version or something else entirely, you are free to do this as well 🙂

@ghost

ghost commented Apr 8, 2019

It wasn't reimplemented into the new extension, therefore the functionality was taken away.

@DamienCassou

DamienCassou commented Apr 9, 2019

> It wasn't reimplemented into the new extension, therefore the functionality was taken away.

I would also like OTP to be supported. Nevertheless, I understand the maintainer's opinion and I can see that he is doing his best to satisfy everyone without sacrificing his view.

@maximbaz maximbaz added the help wanted Extra attention is needed label Apr 9, 2019
@gmOjjFj9Ezm2

I would like to have a plugin for OTP support, I can help test, not a developer but an advanced user and technologist.

@ashkitten

now that browserpass 3.0 is out, i've had a chance to see what it's like. my take for implementing otp is that we could have another extension button that is normally grayed out but when we decode a password with an otp uri then that otp button activates and clicking on it copies the otp to clipboard. would this be possible/satisfactory to everyone?

@apiraino

> [the] otp button activates and clicking on it copies the otp to clipboard

sounds fine for me, that's pretty much how it works in 2.x - I'd also add a keyb shortcut, too (if available and not conflicting)

@erayd
Collaborator

erayd commented Apr 15, 2019

@ashkitten That won't be happening - as per the original post in this thread, we've decided to move the OTP functionality into a different extension. There won't be buttons for it in the main Browserpass popup.

The workflow you describe (as per v2) isn't ideal, because it results in a lot of useless buttons attached to entries which may not even contain OTP at all. The new workflow will simply trigger the new OTP extension when an entry that contains an OTP secret is used. If an entry is used which does not contain an OTP secret, then nothing happens.

> I'd also add a keyb shortcut, too (if available and not conflicting)

The OTP extension can certainly implement keyboard shortcuts - in my opinion, doing so is a good idea, and will improve the user experience.

@ashkitten

@erayd sorry that was unclear, i was suggesting a separate extension which has an icon in the toolbar like browserpass does

@erayd
Collaborator

erayd commented Apr 15, 2019

@ashkitten Gotcha - in which case yes, we'll likely be implementing something very similar to your suggestion :-).

@maximbaz
Member Author

You'd probably also want to have some interface showing the current codes with a count-down until the codes will be changed, right? It often happens to me that I open an authenticator app on the phone and I have like 2 seconds left before codes will change, but I've never heard people complain about Browserpass v2 showing incorrect/outdated codes, is that pure luck or I don't know something? 🙂

@erayd
Collaborator

erayd commented Apr 15, 2019

@maximbaz Yes.

I'm starting initial work on the OTP extension now, as this seems like a fairly popular request, and nobody else has volunteered to work on it yet. Watch this space...

@ashkitten

@maximbaz totp implementations usually have some amount of leniency to account for clock differences, so that could be it
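The count-down and the leniency discussed in the comments above, as an added example that is not part of the thread and not browserpass-otp code: a TOTP generator that reports the seconds left in the current step, and a verifier that tolerates one step of drift. It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits) and Node's `crypto` module; all function names are hypothetical.

```javascript
const crypto = require("node:crypto");

// Decode an RFC 4648 base32 secret (the form used in otpauth:// URIs).
function base32Decode(text) {
  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
  const out = [];
  let bits = 0, value = 0;
  for (const ch of text.toUpperCase().replace(/=+$/, "")) {
    const idx = alphabet.indexOf(ch);
    if (idx < 0) throw new Error("invalid base32 character: " + ch);
    value = ((value << 5) | idx) & 0xfff; // keep only the bits still pending
    bits += 5;
    if (bits >= 8) { bits -= 8; out.push((value >>> bits) & 0xff); }
  }
  return Buffer.from(out);
}

// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation.
function hotp(key, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac("sha1", key).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const truncated = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(truncated % 10 ** digits).padStart(digits, "0");
}

// Client side: the current code plus the seconds left before it rolls over.
function totpAt(key, nowMs, step = 30) {
  const seconds = Math.floor(nowMs / 1000);
  return { code: hotp(key, Math.floor(seconds / step)), secondsLeft: step - (seconds % step) };
}

// Verifier side: accept codes from `window` steps either side of the current one.
// Returns the matching step offset (0 = current, -1 = previous) or null.
function verifyTotp(key, code, nowMs, window = 1, step = 30) {
  const current = Math.floor(nowMs / 1000 / step);
  const given = Buffer.from(String(code));
  for (let drift = -window; drift <= window; drift++) {
    if (current + drift < 0) continue;
    const expected = Buffer.from(hotp(key, current + drift));
    if (expected.length === given.length && crypto.timingSafeEqual(expected, given)) return drift;
  }
  return null;
}
```

With a window of 1, a code copied one second before the step changes is still accepted when it is submitted two seconds later; with a window of 0 it is rejected.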

@erayd erayd self-assigned this Apr 15, 2019
@erayd erayd added todo Pending task and removed help wanted Extra attention is needed labels Apr 15, 2019
@erayd
Collaborator

erayd commented Apr 15, 2019

I have now published the OTP extension in the Firefox and Chrome extension webstores.

This is a very, very, extremely, don't-rely-on-it-for-anything, dev release... but it works, and it's now available for those who really want OTP functionality right now. Please pay close attention to the following caveats:

  • The OTP extension generates a new code and copies it to the clipboard every time you do something with a Browserpass entry which contains an OTP secret.
  • You must have at least v3.0.12 of the Browserpass extension installed in order for this to work.
  • There is currently no UI at all.
  • The code in the clipboard doesn't yet refresh - if you need a new code, you must invoke the Browserpass entry again.
  • You don't need to do anything in order for the OTP extension to function - just having it installed is sufficient.
  • There's currently a bug where OTP takes priority over the copy username / copy password functions of browserpass. This will be resolved within the next few days once a proper UI is implemented.

Expect to see a number of updates over the next few days as development continues. Feedback is welcome - please contribute your comments, ideas, criticisms, wishlists etc. over at the browserpass-otp project repository.

@ghost

ghost commented Apr 25, 2019

For users who don't want two extensions for what previously required one, I've developed my own Password Store extension from the ground up that supports copy-to-clipboard and OTP. If you aren't happy with where browserpass is going you can switch over to my extension or check out tijn's list of interfaces that links to others.

I also added an option to disable OTP in pass companion for those who want that, as clearly there is demand for such a feature

@maximbaz maximbaz unpinned this issue Sep 26, 2019
@maximbaz
Member Author

Closing, thanks to everyone who participated, with feedback / issues / feature requests / PRs for the OTP extension please head over to the browserpass-otp repo 🙂
