ExpeDat and SyncDat have built-in support for Time-based One-Time Password (TOTP) Multifactor Authentication (MFA). This can be used with standard authenticator apps, including those from Microsoft and Google, to generate one-time codes for authenticating user sessions.
Multifactor Authentication is intended to verify that an authorized human operator is present. As such, some automation functions are not available when MFA is being used.
TOTP MFA starts with the creation of a user secret. The secret must be a 16-character, base-32 string. For example: R7EXAD4DPMK4M57Z. There are many utilities available to create TOTP secrets, including the mkpasswd utility. This secret must be communicated to both the server and any authenticator app which will be used to generate the TOTP codes. Many authenticator apps can read a QR-encoded URL, typically of the form:
otpauth://totp/TOTP00082AC6?secret=R7EXAD4DPMK4M57Z&digits=6&issuer=ExpeDat
Once an authenticator app has a secret that has been shared with the ExpeDat or SyncDat server, the app can generate TOTP codes for use with ExpeDat and SyncDat clients. Because codes are time based, both client and server machines must have synchronized clocks.
servedat
TOTP is activated and the secret supplied by adding the TOTP option to an AuthFile entry. For example:
joey:3df7708aff91…71768b6eaa0:101:101:/home/joey:ReadOnly,RestrictHome,TOTP=R7EXAD4DPMK4M57Z
Users with TOTP declared must supply a valid TOTP code in addition to their regular password.
Clients
As of ExpeDat 1.23A and SyncDat 1.10A, TOTP is supported by the ExpeDat Desktop, movedat, and syncdat clients. Support for additional clients may be added in future releases.
For ExpeDat Desktop, you must activate MFA mode by enabling the button to the right of the server field. Enter the server address, username, and password as usual, then click the green arrow ("Go" button). You will be prompted to enter a TOTP code. Once the password and TOTP code are validated, you will be placed in an MFA session and will not need to enter another code until the session ends. You may not change servers while in an MFA session. Disable the MFA button or quit ExpeDat Desktop to end the session.
For movedat and syncdat, use the -V option to enable MFA mode. When you run the command, you will be prompted to enter a TOTP code in addition to your password. If password caching has not been disabled, your MFA session will be saved and remain valid for several hours or until you remove it with the -E option. These clients may establish MFA sessions with multiple servers.
mkpasswd
The mkpasswd utility is found in the "Server Files" folder of the ExpeDat and SyncDat full distribution packages and is installed on CloudDat for AWS Marketplace at /usr/local/expedat/mkpasswd. It can be used to generate compatible secrets and URLs using the -s and -u options:
# mkpasswd -s
R7EXAD4DPMK4M57Z
# mkpasswd -u R7EXAD4DPMK4M57Z
otpauth://totp/TOTP00082AC6?secret=R7EXAD4DPMK4M57Z&digits=6&issuer=ExpeDat
You may also use mkpasswd to generate TOTP codes by using the -t option:
# mkpasswd -t R7EXAD4DPMK4M57Z
667896
Standards
This implementation of TOTP follows the RFC 4226, RFC 4648, RFC 6234, and RFC 6238 standards for 6-digit SHA1 TOTP, which is the only format fully supported by all common authenticator apps.
The server will tolerate up to 60 seconds of time variance. To account for network lag and clock skew, it is recommended that each TOTP code be submitted within 30 seconds of being generated. Note that if the network is down or the initial connection to the server is otherwise delayed, the code may expire before the client reaches the server.
Tech Note History
May 16, 2025: First post.