API for Google's OTP

[seamus]

Odd question perhaps, and maybe not the correct forum, but here goes:

OPNsense has done a fabulous job of integrating Google's OTP service. I have a project that needs OTP authentication also. Until I looked into this, I thought that Google's OTP code was open source, and therefore generally available for such usage by a 3rd party. However, I've learned that it's no longer open source; Google has made it proprietary. And so I wonder how is it that the OPNsense project is able to continue using it?

Can someone provide a brief explanation, or better, point me toward documentation that explains it?

Thnx,
~S

[phoenix]

I can't answer your specific question but there is an Open Source version here: https://github.com/google/google-authenticator

Perhaps that's the one (or something similar) that's being used.

[mimugmail]

OPNsense uses TOTP which is an open Standard. There are many open and closed clients supporting it

[seamus]

OPNsense uses TOTP which is an open Standard. There are many open and closed clients supporting it

Oh that's interesting... so why does the OPNsense documentation refer users to Google to set up and use OTP authentication to the firewall?

[mimugmail]

Because it works best on most devices it think
 You can also use FreeOTP from Redhat if you wish

[fabian]

OPNsense uses TOTP which is an open Standard. There are many open and closed clients supporting it

Oh that's interesting... so why does the OPNsense documentation refer users to Google to set up and use OTP authentication to the firewall?

It does not only refer to Google Authenticator - it is already included in the sources but the build is not released yet:
https://github.com/opnsense/docs/blob/27a90b3e0721d72525bd44ef23ee9f1ead1dd7c9/source/manual/how-tos/two_factor.rst#step-4---activate-authenticator-for-this-otp-seed

[seamus]

OPNsense uses TOTP which is an open Standard. There are many open and closed clients supporting it

Oh that's interesting... so why does the OPNsense documentation refer users to Google to set up and use OTP authentication to the firewall?

It does not only refer to Google Authenticator - it is already included in the sources but the build is not released yet:
https://github.com/opnsense/docs/blob/27a90b3e0721d72525bd44ef23ee9f1ead1dd7c9/source/manual/how-tos/two_factor.rst#step-4---activate-authenticator-for-this-otp-seed

These responses are confusing, I think - perhaps I haven't phrased my question clearly:

Yes - I've been using the Google Authenticator with my OPNsense firewall for several months now, and I've read through the documentation a few times now; esp the "How To" page. And I'm aware that 2FA is not proprietary to Google; it's an open standard, covered by an RFC, and there are other implementations that implement the standard that would be perfectly compatible with Google's implementation. However, unless I am misinformed, Google has recently made their code/their implementation of 2FA proprietary.

And so given all of that is true, my question is, "Why use Google's software and/or services in OPNsense?" In other words, given that it's an open standard, and other implementations are available, why is OPNsense's practice to refer users to Google - at least for the client side of the solution? Is it just because Google has a mobile app, and that's convenient for some users?

And please don't take this question as a challenge to decisions made by the OPNsense project. I support the project whole-heartedly, and I only want to understand the logic behind the approach.

Best Rgds,
~S

P.S. And finally and FWIW, as a personal opinion only, I find using most all of Google's "services" and software these days is a frustrating PITA - it's far too arcane.

[fabian]

Yes - I've been using the Google Authenticator with my OPNsense firewall for several months now, and I've read through the documentation a few times now; esp the "How To" page. And I'm aware that 2FA is not proprietary to Google; it's an open standard, covered by an RFC, and there are other implementations that implement the standard that would be perfectly compatible with Google's implementation. However, unless I am misinformed, Google has recently made their code/their implementation of 2FA proprietary.

You can still download the sources and they are under an open source license:
https://github.com/google/google-authenticator-android/

And so given all of that is true, my question is, "Why use Google's software and/or services in OPNsense?" In other words, given that it's an open standard, and other implementations are available, why is OPNsense's practice to refer users to Google - at least for the client side of the solution? Is it just because Google has a mobile app, and that's convenient for some users?

I did not write the original documentation but it is very likely because it is the most commonly used OTP app and it is available on Android and iOS. Also the documentation is created by us and we usually document the software we use by ourself - so it is also tested with the mentioned platforms. You can see that when you look at the different platforms used to create screenshots.

And please don't take this question as a challenge to decisions made by the OPNsense project. I support the project whole-heartedly, and I only want to understand the logic behind the approach.

Everybody can contribute to the docs but most documentation has been written by Ad, Jos and me, so the documentation refers to the tools, operating systems etc. we are using (at the moment we write the documentation).

P.S. And finally and FWIW, as a personal opinion only, I find using most all of Google's "services" and software these days is a frustrating PITA - it's far too arcane.

You are very likely free, not to use it

[seamus]

Yes - I've been using the Google Authenticator with my OPNsense firewall for several months now, and I've read through the documentation a few times now; esp the "How To" page. And I'm aware that 2FA is not proprietary to Google; it's an open standard, covered by an RFC, and there are other implementations that implement the standard that would be perfectly compatible with Google's implementation. However, unless I am misinformed, Google has recently made their code/their implementation of 2FA proprietary.

You can still download the sources and they are under an open source license:
https://github.com/google/google-authenticator-android/

And from the same URL:

Code: [Select]

This project is an older fork of the one on the Play store. It's an older version
that doesn't get changes synced to it from the Play store version.Other modules relating to 2FA have been marked with similar notes that they will not be maintained (by Google), or have been superseded by 'newer' versions. Just sayin'...