Support OTP in Browserpass v3

[maximbaz]

OTP was intentionally not re-implemented in Browserpass v3, but given that some of you might want to implement this functionality as a fork or extension to Browserpass, let's coordinate this effort to prevent duplication and fragmentation of your work.

Creating a separate browser extension that will also talk to Browserpass native host is always an option, although it has its drawbacks.

However after reading your feedback in #322 and #331, @erayd came up with the following neat idea and convinced me to agree to it:

• Create a new dedicated extension browserpass-otp in the Browserpass org
• Browserpass v3, upon receiving a decrypted password entry from the native host, will see if there is an OTP URL or seed, and if so, will automatically hand this value off to browserpass-otp extension (if it is installed).
• browserpass-otp is then free to do anything it wants with the OTP url, it can generate codes, show them on the page, insert in the form, copy to clipboard, etc. - the limits are only your imagination 😉

This approach has the following benefits:

• No need to communicate with native host at all.
• No need to select pass entry twice in the popup (as it would have been the case for two extensions that are unaware of each other).
• This extension will only have access to OTP url, but not the rest of the pass entry contents.
• We can always revoke the communication between browserpass and browserpass-otp if the latter does something terrible.

At the same time I'm satisfied by the minimal impact on Browserpass extension:

• No OTP-related code in Browserpass codebase
• No mention of OTP in UI, not even hidden in settings
• Still recommend against storing OTP codes in password store

I'm not planning to contribute much code to browserpass-otp myself, but because this will be a whitelisted extension in Browserpass, I would like to establish the following requirements:

• browserpass-otp must belong to Browserpass org on Github
• The entire development must be done via pull requests
• @erayd or I must approve every PR

Question to community:

Who is interested to write code for browserpass-otp extension? Please speak up.

And as usual, please share any feedback you have, if not for your comments in #322 and #331, we would not be discussing this at all 😉

[ashkitten]

while i'd love to see this feature, i don't feel comfortable in my skills and reliability to create and maintain something others will depend on. if someone else is willing to do it and asked for help with a specific thing i'm perfectly willing to do that, though. otherwise i was going to hack it into a personal browserpass fork and probably only update it when i need to

[erayd]

I'm open to doing it if people are willing to wait a bit - the main browserpass extension is a higher priority for me, and there are a number of things on my to-do list for that.

My preference would be for somebody else to do the initial heavy lifting if it's desired to have this functionality quickly.

If OTP isn't going to work in standalone v3 people are just going to downgrade and use older versions or ditch the extension entirely and use another. Taking away functionality because you think it's bad will only make things worse

[maximbaz]

In case it wasn't clear, the functionality was not taken away, it was not reimplemented while the extension was being rewritten from scratch. I do think that it should not be part of the main extension, but this thread exists for us to find a solution that will satisfy everyone.

If you want to help implementing it, say so, if you want to use the unmaintained version or something else entirely, you are free to do this as well 🙂

It wasn't reimplemented into the new extension, therefor the functionality was taken away.

[DamienCassou]

It wasn't reimplemented into the new extension, therefor the functionality was taken away.

I would also like OTP to be supported. Nevertheless, I understand the maintainer's opinion and I can see that he is doing his best to satisfy everyone without sacrificing his view.

[gmOjjFj9Ezm2]

I would like to have a plugin for OTP support, I can help test, not a developer but an advanced user and technologist.

[ashkitten]

now that browserpass 3.0 is out, i've had a chance to see what it's like. my take for implementing otp is that we could have another extension button that is normally grayed out but when we decode a password with an otp uri then that otp button activates and clicking on it copies the otp to clipboard. would this be possible/satisfactory to everyone?

[apiraino]

[the] otp button activates and clicking on it copies the otp to clipboard

sounds fine for me, that's pretty much how it works in 2.x - I'd also add a keyb shortcut, too (if available and not conflicting)

[erayd]

@ashkitten That won't be happening - as per the original post in this thread, we've decided to move the OTP functionality into a different extension. There won't be buttons for it in the main Browserpass popup.

The workflow you describe (as per v2) isn't ideal, because it results in a lot of useless buttons attached to entries which may not even contain OTP at all. The new workflow will simply trigger the new OTP extension when an entry that contains an OTP secret is used. If an entry is used which does not contain an OTP secret, then nothing happens.

I'd also add a keyb shortcut, too (if available and not conflicting)

The OTP extension can certainly implement keyboard shortcuts - in my opinion, doing so is a good idea, and will improve the user experience.