Improving Your Account Safety with Two-Factor Authentication by Generating One-Time Passwords with PassXYZ

[figure: cover]

With the releases of PassXYZ 1.5.4 and PassXYZ Cloud 1.6.4, you can now use either app to manage your one-time passwords. One-time passwords (OTP) are used by many internet service providers as a second authentication factor to improve the safety of user accounts.

In the past, I used both Google Authenticator and Microsoft Authenticator to generate OTPs for my accounts. Recently, I changed my mobile from an iPhone to an Android phone, since I need dual-SIM support. Thereafter, I found problems with both Google Authenticator and Microsoft Authenticator on the new Android phone. As there are no built-in Google services on Android phones in China, I could not install Microsoft Authenticator on my new phone. I tried to install Google Authenticator on the new phone; even though I managed to install it, it seems that Google Authenticator cannot work well without Google services.

Therefore, when I was working on PassXYZ development, I considered adding this function to PassXYZ. If PassXYZ supported OTP, I could also resolve another issue, which is the backup of the OTP setup. As you know, with either Google Authenticator or Microsoft Authenticator, if you change to a new phone, you have to set up all accounts again on the new device. However, with PassXYZ, the only thing we need to do is re-synchronize the database. That is why I have brought this feature to the new releases of PassXYZ/PassXYZ Cloud.

Two-Factor Authentication and One-Time Passwords

Two-factor authentication, or 2FA, is the most frequently used form of multi-factor authentication. In 2FA, besides the username and password, one more authentication factor is required. The most popular additional factor nowadays is a one-time password (OTP).

There are two common ways for end users to obtain a one-time password during an authentication session:

  • Receive an OTP through SMS
  • Generate an OTP using a hardware or software token generator

Hardware token generators were popular in the past, but they have gradually been replaced by software token generators because of cost. Hardware tokens are still used today in some applications; for example, banks commonly issue them for online banking, like the one shown below.

[figure: digipass_hsbc]

As we can see, the hardware tokens used by banks are more complicated than the commonly used time-based OTP. The common OTP solution for most internet service providers is time-based OTP based on RFC 4226 and RFC 6238, as implemented by Google Authenticator. In this article, we discuss time-based OTP based on RFC 4226 and RFC 6238.

Standards for Time-based OTP

For time-based OTP, the de facto standards are RFC 4226 and RFC 6238. They are used by major service providers such as Google, Facebook, GitHub, Dropbox, Microsoft and Aliyun.

Most people may not know what RFC 4226 and RFC 6238 are. RFC means "Request for Comments"; it is the document series in which the IETF publishes internet standards and proposals. Both RFC 4226 and RFC 6238 are standards for OTP implementation: RFC 4226 defines HOTP, an event-based (counter-based) OTP computed as a truncated HMAC over a counter, while RFC 6238 defines TOTP, a time-based OTP that uses HOTP with the counter replaced by the number of elapsed time steps (30 seconds by default) since the Unix epoch.

Why Use 2FA

Why do we use 2FA? Because authentication based only on a username and password is vulnerable to attack. As you might be aware, about 50 million Facebook user accounts were affected by a data breach in 2018. You might have seen the message below when logging in to your Facebook account.

[figure: facebook_2fa_02]

Attackers exploited a flaw in Facebook to gain access to user accounts and their data. One way to improve the safety of our accounts is to turn on multi-factor authentication. Like other service providers, Facebook supports both software OTP tokens and SMS-based OTP.

Let's take Facebook as an example to demonstrate how to enable 2FA to improve account safety.

Store Account Information in PassXYZ

Before setting up two-factor authentication for Facebook, you need a Facebook account. Once the account is created, the best practice is to record the relevant information in a password manager such as PassXYZ. To save the Facebook account information, choose Facebook from the PassXYZ templates as shown below.

[figure: facebook01]

After selecting Facebook in the figure above, you will see the screen shown below, which is used to enter the account information for Facebook.

[figure: facebook02]

The information that can be recorded includes the name used on Facebook, email address, password and mobile number, etc. Any additional information can be noted in the "Notes" section. After filling in the information, save the record by tapping the "Save" button at the top right corner. There are four buttons at the top right corner:

  • Scan - scan a QR code to set up OTP
  • Attach - attach pictures or documents to the record
  • Cancel - cancel editing
  • Save - save the record

We will come back to the "Scan" button shortly.

Turn on 2FA

To turn on 2FA for Facebook, use a browser on your PC or laptop. Once you log in to Facebook from a browser, the 2FA setting can be found in the "Security and Login" section as shown below.

[figure: facebook_2fa_01]

As shown above, there is an option "Use two-factor authentication". Clicking the "Edit" button at its right-hand side opens the page shown below.

[figure: facebook_2fa_03]

As you can see from the screenshot above, the preferred method is "Authentication App", shown at the top. Backup methods are available as well, such as "Text Message", "Security Key" and "Recovery Codes".

After choosing "Authentication App", a popup window is shown as below.

[figure: facebook_2fa_04]

Now you can see a QR code at the left-hand side, which is used to set up the OTP in a software OTP generator. You can scan it with the "Scan" button mentioned above while editing the Facebook account entry. Once you have scanned the QR code, you can start using PassXYZ as a software OTP generator. Note that the QR code encodes the shared secret itself, so treat it like a password: anyone who scans or photographs it can generate the same codes.

In the PassXYZ menu there is an "OTP" option which shows all OTP tokens on one page. Please refer to the screenshot of the OTP page below.

[figure: otplistpage]

On this page, multiple OTP tokens are shown together, one row per service account. You can find "Facebook" at the bottom of the screen. Most OTP setups generate a new code every 30 or 60 seconds; the bar below each code shows the remaining time for the current code.

Recovery Codes

In Facebook's 2FA setup there are additional backup methods, as introduced above. One of them is "Recovery Codes". Most service providers offer this mechanism for when the normal second factor is unavailable during login: for example, if you cannot receive the OTP through SMS due to a network issue, you can use a recovery code to log in. Recovery codes are one-time passwords as well; they are usually generated in a batch of ten. You may keep them in the "Notes" section of PassXYZ, but make sure to delete each code from the "Notes" once it has been used, as each is valid only once. Keep in mind that storing the password, the OTP secret and the recovery codes in one database puts every factor behind that database's master password, so that master password must be strong.

Beta testing of PassXYZ and PassXYZ Cloud

To get as much feedback as possible on the new functionality, beta versions of both PassXYZ and PassXYZ Cloud are available in the app stores. They can be installed from the links below:

iOS:

Android:

Windows 10:
A beta version for Windows 10 is available as well, but there is no test link as for Android and iOS. To join the beta test group, send the email address of your Microsoft account to passxyz@foxmail.com.

Summary

We have introduced what two-factor authentication is and its most frequently used method, the one-time password. We then explained how to use PassXYZ to record account information and to generate OTPs. PassXYZ uses the same open-source implementation of RFC 4226 and RFC 6238 as Google Authenticator, so it can be used as the OTP generator wherever Google Authenticator can. PassXYZ is a cross-platform application supporting Android, iOS and Windows 10.


Further reading:


PassXYZ is a cross-platform password management application built on KeePass. It runs on Android, iOS and Windows 10.
If you are interested in personal information management, please follow the PassXYZ WeChat official account by searching for PassXYZ, or by the WeChat ID passxyz_kpclib. The source code of KPCLib can be found on GitHub at https://github.com/passxyz/KPCLib.

You can also find more information about PassXYZ on its website and install it from Google Play, the Apple App Store and the Microsoft Store.