Two Factor Authentication App on Pinephone

Published 2020-04-09 on Anjan's Homepage

I picked up the pinephone but it wasn’t daily driver ready. A couple days ago, my android phone completely broke so I needed to make the pinephone daily driver ready. First things first - I need a two factor authentication app for my phone.

Issues with gnome-authenticator

On postmarketos, gnome-authenticator is my preferred two factor authentication app because it is in the main repositories and it works. However, debian is currently a much better experience daily driving. I’ve fixed a couple of issues in postmarketos and I’d love to use it but right now I need an os that works [1].

Debian lacks a package for gnome-authenticator. I tried installing gnome-authenticator from flatpak and the app did launch but adding a provider caused the app to crash. Launching gnome-authenticator a second time caused a giant error and the app never opened again [2].

pass-otp

Using the command line on the pinephone is a pain. I often leave my phone upstairs and when a totp/hotp challenge appears in my web browser, I have to walk upstairs and get the totp pin. However, if I use a command line two factor application, I can simply ssh and get the otp.

Currently, I use gopass and I found a simple application that integrates with gopass: pass-otp [3]. Furthermore, pass-otp has support for importing my android otp client’s (freeotp) uri backup.

Installing pass-otp on debian is as simple as running:

sudo apt install pass-extension-otp

RTC and pass-otp

After installing pass-otp and trying to generate some otps, I would always get the incorrect otp. The time on my system was correct but the time on my rtc was incorrect.

To check the time, I ran sudo timedatectl and got the following output:

debian@pinephone:~/go/gopass$ sudo timedatectl
               Local time: Thu 2020-04-09 19:43:42 PDT
           Universal time: Fri 2020-04-10 02:43:42 UTC
                 RTC time: Fri 2020-04-10 02:43:43
                Time zone: America/Vancouver (PDT, -0700)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

My RTC time is universal time. To change RTC time to local time, I ran:

sudo timedatectl set-local-rtc true

Finally, as a check I ran sudo timedatectl and found my RTC time was now synced with local time:

               Local time: Thu 2020-04-09 19:44:13 PDT
           Universal time: Fri 2020-04-10 02:44:13 UTC
                 RTC time: Thu 2020-04-09 19:44:14
                Time zone: America/Vancouver (PDT, -0700)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: yes

Warning: The system is configured to read the RTC time in the local time zone.
         This mode cannot be fully supported. It will create various problems
         with time zone changes and daylight saving time adjustments. The RTC
         time is never updated, it relies on external facilities to maintain it.
         If at all possible, use RTC in UTC by calling
         'timedatectl set-local-rtc 0'.

Now, I get the correct otp with pass-otp but I may run into problems like the warning above says. If you have a better way to fix this issue, please email me.

For now, it works and I might write a gui for pass-otp like I did for gopass with mobpass. I still need to change mobpass to work with kirigami.
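Why a wrong clock gives a wrong otp, as an added example that is not part of the original post or of pass-otp's code: a TOTP code is an HMAC over the Unix time divided by the period, so a 7 hour clock error (the PDT offset shown above) lands in a different time step than the verifier's. The otpauth URI is constructed from the RFC 6238 test secret, and the verifier's ±1 step tolerance and SHA-1 only handling are assumptions.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample URI (RFC 6238 test secret), not a real account.
SAMPLE_URI = ("otpauth://totp/Example:alice?issuer=Example&digits=8&period=30"
              "&secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

def parse_otpauth(uri):
    """Return (key_bytes, digits, period) from an otpauth://totp URI (SHA-1 only)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].replace(" ", "").upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    return key, int(q.get("digits", 6)), int(q.get("period", 30))

def hotp(key, counter, digits):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(uri, unix_time):
    """Code the device shows when its clock reads unix_time (seconds, UTC)."""
    key, digits, period = parse_otpauth(uri)
    return hotp(key, int(unix_time) // period, digits)

def verify(uri, code, server_time, window=1):
    """Verifier side: return the matching step drift, or None if rejected."""
    key, digits, period = parse_otpauth(uri)
    counter = int(server_time) // period
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + drift, digits), code):
            return drift
    return None

def device_code_accepted(uri, true_time, device_clock_error):
    """Generate on a device whose clock is off by device_clock_error seconds."""
    return verify(uri, totp(uri, true_time + device_clock_error), true_time)

if __name__ == "__main__":
    now = 1111111109  # RFC 6238 test time
    for err in (0, 2, 7 * 3600):
        print(f"clock error {err:>6}s -> drift {device_code_accepted(SAMPLE_URI, now, err)}")
```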

Footnotes:

1

My issues with daily driving postmarketos are documented here.

2

I should probably report the following error:

debian@pinephone:~$ flatpak run com.github.bilelmoussaoui.Authenticator
Traceback (most recent call last):
  File "/app/lib/python3.7/site-packages/Authenticator/application.py", line 59, in do_startup
    self._setup_actions()
  File "/app/lib/python3.7/site-packages/Authenticator/application.py", line 142, in _setup_actions
    Keyring.get_default().connect("notify::can-be-locked",
  File "/app/lib/python3.7/site-packages/Authenticator/models/keyring.py", line 49, in get_default
    Keyring.instance = Keyring()
  File "/app/lib/python3.7/site-packages/Authenticator/models/keyring.py", line 44, in __init__
    self.props.can_be_locked = self.is_password_enabled() and self.has_password()
  File "/app/lib/python3.7/site-packages/Authenticator/models/keyring.py", line 136, in is_password_enabled
    state = Secret.password_lookup_sync(schema, {}, None)
gi.repository.GLib.Error: g-io-error-quark: user interaction failed (0)
Traceback (most recent call last):
  File "/app/lib/python3.7/site-packages/Authenticator/application.py", line 77, in do_activate
    window = Window.get_default()
  File "/app/lib/python3.7/site-packages/Authenticator/widgets/window.py", line 70, in get_default
    Window.instance = Window()
  File "/app/lib/python3.7/site-packages/Authenticator/widgets/window.py", line 62, in __init__
    AccountsManager.get_default()

3

I know gopass has otp support but gopass in debian’s official repos is ancient. I tried to go get gopass but I got a known error. Building from source is not an option because I want my password manager to auto-update.

Have a comment on one of my posts? Start a discussion in my public inbox by sending an email to ~anjan/public-inbox@lists.sr.ht [mailing list etiquette]
