Hey there!
Typically one generates a fresh secret and adds it to an authenticator app or even some hardware TOTP device. An individual might have several codes for each machine/role they might want to log in as. It can also be shared among team members and so on.
However, there's also some sort of inverse case: each person has a single secret, typically because they have a single hardware device (per person), so having a new secret per account is a bad idea. In this case it would be awesome if the .google_authenticator file could have a list of secrets and attempt to validate them all. As long as one works it can proceed to login.
There are some caveats, like: what if there are a few hundred secrets? Well, it might be slow. Even worse, some of them might be valid by chance, increasing the chances of an attacker logging in, which is not great.
Can you please at least give it a thought? Or perhaps suggest some alternatives?
Thanks a lot!
In general I think it's an antipattern to have multiple people logging in to the same account. I know it's the most realistic solution in many cases though.
Like you say, some of them would be valid. Since a window of codes is accepted, it's actually already a concern.
I would recommend something else, like creating unique accounts and then controlling access to the role using /etc/sudoers. Or have some other system that uses 2FA and issues short-lived SSH certificates.
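To make the "already a concern" point concrete, here is an added example (not code from google-authenticator-libpam) that implements RFC 6238 TOTP, the multi-secret check the issue proposes, and the probability that a single random guess is accepted as the number of secrets grows. The secrets are constructed for the demo, and `verify_any` / `false_accept_probability` are hypothetical names, not the module's API.

```python
import hashlib
import hmac
import struct

DIGITS = 6
STEP = 30  # seconds per TOTP time step

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, at // step)

def verify_any(secrets, code: str, at: int, window: int = 1) -> int:
    """The proposed behaviour: accept `code` if it matches ANY secret in ANY
    step within +/-window. Returns the index of the matching secret, or -1."""
    for idx, secret in enumerate(secrets):
        for delta in range(-window, window + 1):
            if hmac.compare_digest(totp(secret, at + delta * STEP), code):
                return idx
    return -1

def false_accept_probability(num_secrets: int, window: int = 1, digits: int = DIGITS) -> float:
    """Chance that ONE random guess is accepted. Each secret accepts up to
    2*window+1 codes out of 10**digits; treating them as distinct makes this
    an upper bound, which is the right direction for a risk estimate."""
    per_secret = (2 * window + 1) / (10 ** digits)
    return 1 - (1 - per_secret) ** num_secrets

# Constructed demo secrets (20 raw bytes each, as a base32-decoded secret would be).
SECRETS = [hashlib.sha256(f"constructed-secret-{i}".encode()).digest()[:20] for i in range(3)]

if __name__ == "__main__":
    now = 1_700_000_000
    code = totp(SECRETS[2], now)
    print("matched secret index:", verify_any(SECRETS, code, now))
    for n in (1, 10, 200):
        print(f"{n:>4} secrets, window=1: P(random guess accepted) = {false_accept_probability(n):.2e}")
```

Multiplying the guess-acceptance probability by the number of attempts an attacker gets before rate limiting kicks in shows why a long secret list needs the same treatment as a weak password policy.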
Agreed!
I was also thinking of the use case of a user having two devices (with two different secrets). Some devices do not allow for secret "injection" but rather only "random generation".