
Passbolt Adds Collaborative Management of Third-Party TOTPs


Vivien Muller

24 November, 2023

The latest update to Passbolt now enables teams to share Time-based One-Time Passwords (TOTP) across both mobile and web platforms.

What is TOTP and why does it matter?

Time-based One-Time Passwords (TOTP) play a critical role in authentication security. They function as a dynamic second layer of authentication beyond static passwords: a time-sensitive code is generated on the user's device, and this code is required in addition to the regular password for access.

The significance lies in its ability to combat the vulnerabilities associated with fixed passwords. By introducing this constantly changing element, TOTP mitigates risks like password theft and phishing attacks.

Passbolt has supported TOTP as a secondary authentication factor for years. Now you can also store TOTP secrets from other systems in Passbolt. Just a friendly reminder: storing Passbolt's own TOTP inside itself is a no-go, much like typing "Google" into the Google search bar. It's a recipe for breaking the internet!

Why use passbolt to manage TOTP?

In a nutshell when it comes to TOTP, passbolt provides:

Easy Integration: Adding a TOTP to your resources is straightforward. You can scan a QR code or enter the secret key manually.

Real-Time Updates: The TOTP values update in real-time, ensuring that you always have the latest code at your fingertips.

Flexibility: You can choose between attaching a TOTP to an existing password or creating a standalone TOTP resource.

Collaboration: And of course you can share TOTPs, view who accessed them, place them in folders, tag them, etc.

Fig. Resource with TOTP on web & mobile (Source: iOS & Chrome screenshots)

A Dual Approach

The TOTP feature is designed to cater to diverse needs and scenarios:

Standalone TOTP: This new resource type is independent of password resources. It's ideal for instances where you need to store a TOTP separately, for example if you want to share the password with someone but not the TOTP.

TOTP with Password Resource: This option allows you to link a TOTP to a password resource, either during its creation or later. This setup is handy for users who prefer the convenience of having their password and TOTP in one place.

Mobile Experience with TOTP

Let's look at what the experience looks like on different devices, starting with mobile.

Fig. Create a TOTP on mobile wireframes (source: Figma)

On mobile, the Passbolt app includes a dedicated "TOTP" item in the main menu. Tapping on this item opens a new page where TOTPs are listed alphabetically. This page displays both standalone TOTP resources and password resources with TOTP. Users have various options for each TOTP resource, such as copy, show, edit, and delete, accessible via a contextual menu.

Users can create a TOTP in two ways:

  • Scanning a QR Code: This opens a camera feed for scanning the TOTP QR code.
  • Providing the key manually: For situations where QR code scanning isn't feasible.

After scanning the QR code, users choose between creating a standalone TOTP or linking the TOTP to an existing password resource. If linked to a password, the TOTP appears on both the TOTP page and the password details page, providing easy access and management.

Note: In the mobile app, you can link a TOTP to a password only if you have at least edit rights on that password and the password includes an encrypted description. A lock icon next to a password indicates that TOTP association isn't available for that resource.

Web Experience with TOTP

Fig. Create a TOTP linked to a resource on web wireframe (source: Figma)

Linking the TOTP to a password resource

On the web platform, users can similarly add TOTPs to their password resources.

The process of adding a TOTP to a password resource directly from the password details page is straightforward.

Users invoke the new or edit password dialog and select the "Add TOTP" option, which allows them to either upload a QR code or create a TOTP manually.

Once added, the TOTP secret appears in the grid, the info panel and the edit password dialog, with the value initially obfuscated for security.

Creating Standalone TOTP

By clicking the "Create" button in the action bar, users can now select a new "Create TOTP" option.

This option opens the "Create standalone TOTP" dialog. It is designed to be user-friendly and is similar to the "Add TOTP" dialog, with additional fields for 'Name (Label)' and 'URL (Issuer)'.

Once added, the standalone TOTP secret also appears in the grid and resource info panel.

Real-Time Synchronization and Access

One of the key features of the TOTP implementation is its real-time synchronization between mobile and web platforms, just like password resources. This means that a TOTP created or modified on one platform is immediately updated and accessible on the other. For instance, a password created on the web can have a TOTP enabled and then scanned with a mobile device. This TOTP then becomes available in real time on the web platform.

Collaborative Aspects of TOTP in Passbolt

Passbolt's ethos revolves around secure and efficient collaboration, especially in managing sensitive information like passwords and TOTPs.

Here's how TOTP can enhance collaborative efforts:

Shared Access to TOTPs: In a team setting, access to certain services or applications often requires not only a password but also a TOTP for an extra layer of security. Passbolt allows teams to securely store and share TOTPs, ensuring that team members who require access to these services can obtain the necessary TOTPs in real-time.

This means that if one team member updates a TOTP, other team members will see this update in real-time, ensuring everyone has the most current information.

Audit Trails for TOTPs: For heightened security and compliance, Passbolt maintains audit trails. This means any activity involving TOTPs, such as creation, modification, or access, is logged. Teams can review these logs to monitor usage and ensure compliance with internal policies and external regulations.

Secure Sharing Mechanism: When TOTPs are shared among team members in Passbolt, they are encrypted, just like passwords. This ensures that sensitive information remains secure, and only the intended recipients can access it.

Easy Integration and Management: Teams can easily add TOTPs to their Passbolt account, either linked to an existing password or as a standalone resource. This flexibility allows teams to choose how they wish to manage and share these resources, based on their specific workflows and security protocols.

Notifications and Alerts: If a TOTP resource is updated or shared, team members can receive notifications, ensuring they are always aware of changes and can act accordingly.

Security considerations

Is it a good practice to store TOTP and passwords in the same place?

In the realm of password management, whether to store Time-based One-Time Passwords (TOTP) alongside passwords is a recurring debate between security and convenience. The question is where the right equilibrium lies.

If ONLY the Sith deal in absolutes, then can only a Sith tell me that?

On the one hand, proponents argue that consolidating passwords and TOTP in a password manager offers a streamlined user experience. This approach aligns well with certain regulatory requirements, making it easier to enforce and audit security measures. Moreover, in environments with shared resources or specific workflows, this unified approach can be advantageous.

However, the counterargument emphasises the potential single point of failure. Storing both the password and TOTP in a centralised location, like a password manager, introduces a vulnerability. If this stronghold is compromised, it's akin to exposing both elements of authentication simultaneously.

The decision becomes a nuanced balance between usability and security philosophies. Users appreciate the convenience of having everything in one secure vault, especially when it complies with specific policies. On the flip side, security specialists raise concerns about concentrating security measures in one place. They may question the necessity of TOTP if the password is already robustly protected with strong entropy and additional multi-factor authentication layers.

Ultimately, the choice rests on individual or organisational risk tolerance, usability preferences, and the necessity to adhere to regulatory or workflow requirements. It's a dynamic decision, illustrating the ongoing dialogue within the cybersecurity community about finding the optimal trade-off between security and usability. The challenge lies in maintaining a delicate balance to ensure robust protection without sacrificing user experience.

Conclusion

In conclusion, the TOTP implementation not only adds an extra layer of security but also enhances team collaboration by allowing secure and efficient sharing of time-sensitive access codes. With real-time synchronisation and robust access controls, teams can maintain high security standards while facilitating smooth operational workflows.

What do you think? Does the current TOTP functionality align with your requirements? Whether you have suggestions for enhancing usability or bolstering security, we encourage you to reach out. If you decide to explore the TOTP capabilities, share your insights and feedback with the passbolt community – your input is invaluable!
