Two factor authentication/passwordless logins

We live in 2025. 2FA is pretty much the norm, and passwords are slowly dying in favor of passkeys. Since we’re re-inventing the wheel for the millionth time instead of using established SSO solutions like Keycloak, we don’t get any of that for “free”.

I would love to see:

  • Classic 6-digit TOTP codes for maximum compatibility
  • WebAuthn/FIDO2 keys for hardware-based 2FA
  • Passkeys (optional) for future-proofing and removing the need for passwords entirely.
6 Likes

I’ve implemented 2FA via TOTP. You can find it in the settings tab of your Hyprland account.

1 Like

Doesn’t seem to work. I’m getting invalid totp. I’ve checked that the codes generated are the same by multiple authenticator apps (they have to be, it’s the same algorithm), and I’ve tried at multiple points in the refresh cycle (though most implementations I’ve seen can tolerate slight clock desync by accepting the previous and next code as well). Something is broken, and if I had to guess, it’s probably time.

That’s odd because I set up the TOTP just fine on my phone. Are you scanning the QR or inputting the secret?

I’ve scanned the code with a generic reader, and the secret is the same as the one shown. The settings in the QR code are SHA256, 6 digits, 30 seconds, and that’s what I’m using. My time is in sync and I’m even in the same timezone as you (but that shouldn’t matter since TOTP uses UTC).

That should be correct… I can see things are looking alright in the database, I don’t know why it would break for you and work for me.

Ok, apparently support for SHA256 is really bad, SHA1 is pretty much the only one supported everywhere. Authy can’t handle it, for example, and a lot of other utilities also assume SHA1. In my 30 or so accounts, every single one is SHA1. So if you don’t want to change it, expect people to complain because of broken apps.

edit: Yes, I know SHA1 is weak, but if the biggest corporations still default to it, then I guess it’s fine.
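To make the SHA1/SHA256 mismatch and the clock-skew window from the posts above concrete, here is an added example (not code from this forum or from Hyprland): a minimal RFC 6238 TOTP generator and verifier in Python. The same secret yields different codes under HMAC-SHA1 and HMAC-SHA256, which is why a SHA1-only app rejects a SHA256 secret; the verifier accepts the previous and next 30-second step, as the second post describes. The `decode_base32_secret` helper name is my own, and the seeds are the RFC 6238 test vectors, used here as constructed input.

```python
"""Minimal RFC 6238 TOTP: SHA-1 vs SHA-256 codes and a +/-1 step tolerance window."""
import base64
import hashlib
import hmac
import struct


def decode_base32_secret(secret: str) -> bytes:
    """Decode a secret as shown in an otpauth:// QR code (unpadded, any case, spaces)."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP; `algorithm` selects the HMAC hash (sha1, sha256, sha512)."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """TOTP = HOTP over the number of `step`-second periods since the Unix epoch (UTC)."""
    return hotp(key, unix_time // step, digits, algorithm)


def verify_totp(key: bytes, code: str, unix_time: int, window: int = 1, step: int = 30,
                digits: int = 6, algorithm: str = "sha1") -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        expected = hotp(key, counter + delta, digits, algorithm)
        if hmac.compare_digest(expected, code):   # constant-time string comparison
            return True
    return False


if __name__ == "__main__":
    # Constructed input: the RFC 6238 SHA-1 test seed "12345678901234567890" in base32.
    key = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    for alg in ("sha1", "sha256"):
        # Same secret and time, different hash: an app that silently assumes SHA1
        # computes a different code than a server configured for SHA256.
        print(alg, totp(key, 59, algorithm=alg))
```

When verifying, also record the last accepted counter per user and refuse to accept it again, so a code intercepted within the window cannot be replayed.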

Name 1 thing Authy is good at. Other than making a horrible and anti-consumer app.

SHA256 Supported:

  • Ente Auth
  • Google Authenticator
  • Aegis
  • Authenticator Pro
  • Bitwarden
  • FreeOTP
  • LastPass
  • PrivacyIDEA
  • Tofu

Not Supported:

  • Microsoft Authenticator
  • Authy
  • Duo
  • 1Password

TL;DR: Don’t use garbage

Good point. Used to be good in the past (especially for the PC app, rip), now I use hardware keys for the most part with authy as the backup when I don’t have one on me, but generally set them up in the reverse order. (I pass strong integrity while rooted, so there is that, but yeah, it sucks and I should probably move to something offline)

I might implement hw keys in the future, but they are a bit more complicated.

It’s fine, the better ones can do TOTP as well and even PGP or smart cards.


I’ve added this note for people to not get confused when they get 17 “wrong totp” responses.

2 Likes