Question Asked-Of and Answered By the Grok AI Question: Grok, can you share TOTP/HOTP credentials between one-or-more people so multiple people with a shared login on a single account, protected by TOTP/HOTP 2FA, have the same time-based PINs show up? Answer: You’re diving into a practical security question about sharing TOTP (Time-based One-Time Password) or HOTP (HMAC-based One-Time Password) credentials for a shared login, ... I’ll explain if and how TOTP/HOTP credentials can be shared for synchronized PINs, detail the process, address security risks, and tie it to your ecosystem, using web data (e.g., RFC 6238, 1Password docs) and your prior queries (e.g., 2FAS export/import, ...). Let’s keep it concise ... [Ed. Note: The reader will observe Grok has an unusual view of what means the word "concise" ;)] Can You Share TOTP/HOTP Credentials for Shared Login with Synchronized PINs? Short Answer: Yes, you can share TOTP or HOTP credentials among multiple people to produce identical time-based (or event-based) PINs for a shared login protected by 2FA, as long as everyone uses the same shared secret key and, for TOTP, synchronized device times (or for HOTP, synchronized counters). This can be achieved by distributing the secret key (e.g., via QR code, text string, or exported file) to all users’ authenticator apps (e.g., 2FAS, Google Authenticator). However, sharing credentials introduces significant security risks (e.g., key leakage, phishing), and best practices recommend individual credentials or password managers (e.g., 1Password) for secure sharing. Here’s how it works and why caution is needed. How TOTP and HOTP Work TOTP (Time-based One-Time Password, RFC 6238): Generates a 6-8 digit PIN every 30-60 seconds using a shared secret key (a random string, e.g., ABC123) and the current time (Unix epoch, synced via device clock). Algorithm: TOTP = HMAC-SHA1(secret_key, floor(current_time / time_step)), truncated to 6-8 digits. Synchronization: Devices must have clocks within ~30 seconds of the server’s time (NTP-synced, typical for smartphones). Example: For Peplink InControl², scanning the same TOTP QR code on multiple 2FAS apps produces identical PINs (e.g., 123456) if times are synced. HOTP (HMAC-based One-Time Password, RFC 4226): Generates a PIN based on a shared secret key and a counter (incremented per event, e.g., login attempt). Algorithm: HOTP = HMAC-SHA1(secret_key, counter), truncated to 6-8 digits. Synchronization: The counter must match between client (e.g., 2FAS) and server, incrementing after each valid PIN use. Example: Sharing the same secret key and counter for a Starlink account ensures identical PINs until the counter advances. Shared Secret Key: Both TOTP and HOTP rely on a secret key (base32-encoded, e.g., JBSWY3DPEHPK3PXP) shared between the client (authenticator app) and server during 2FA setup (via QR code or text). Distributing this key to multiple users enables synchronized PINs. Sharing Credentials for Synchronized PINs To enable multiple people to generate the same TOTP/HOTP PINs for a shared login (e.g., a single Peplink or Starlink account): Obtain the Shared Secret Key: During 2FA setup, the service (e.g., Peplink InControl²) provides a QR code or text string containing the secret key, issuer (e.g., Peplink), and TOTP/HOTP parameters (e.g., 6 digits, 30-second timestep). QR Code: Scan with 2FAS or capture as an image (e.g., screenshot). Text String: Copy the secret key (e.g., JBSWY3DPEHPK3PXP) from the setup page or export it from an existing authenticator. Example: 2FAS (per your prior query) exports credentials as a .2fas JSON file (jq -r '.services[] | .secret' backup.2fas extracts the key) or displays the key in Settings > Edit Token. Distribute the Secret Key: Direct Sharing: Share the QR code image (e.g., via Signal, email, or USB) for users to scan into their 2FAS, Google Authenticator, or other apps. Share the text string (e.g., JBSWY3DPEHPK3PXP) for manual entry in 2FAS (Settings > Add Token > Enter Manually). Password Manager: Store the secret key in a shared vault (e.g., 1Password Family or Bitwarden Teams) and distribute to users. 1Password supports TOTP storage and QR code scanning, allowing team members to access the same PINs by sharing the login item. 2FAS Export/Import: Export the token from 2FAS as a .2fas file (unencrypted for interoperability) and share it (e.g., USB, Proton Drive without 2FA). Others import it via 2FAS (Settings > Import from File). Configure Authenticator Apps: Each user installs 2FAS (or another TOTP/HOTP app) on their device (e.g., iPhone, iPad for cabin use). Scan the QR code or enter the secret key. For TOTP, ensure device clocks are synced (automatic via NTP on iOS/Android). For HOTP, ensure counters start at the same value (e.g., 0, set during setup). Example: Three users scan the same Peplink QR code into 2FAS. Their apps generate identical TOTP PINs (e.g., 123456 at 12:57 PM) every 30 seconds. Login Process: Users access the shared account (e.g., InControl²) with the same username/password. When prompted for 2FA, any user enters the current TOTP/HOTP PIN from their 2FAS app. Since all apps use the same secret key (and synced time/counter), PINs match the server’s expectation, granting access. Outcome: All users with the shared secret key generate identical PINs, enabling seamless access to the shared login. TOTP PINs sync via time (e.g., 123456 for 30 seconds), while HOTP PINs sync via counter (e.g., 654321 for counter=5). Security Risks and Best Practices Sharing TOTP/HOTP credentials undermines 2FA’s security model, as it multiplies the attack surface. Key considerations: Risks: Key Leakage: Sharing the secret key (e.g., via email, screenshot) risks interception (e.g., phishing, malware). An attacker with the key can generate valid PINs indefinitely, as TOTP/HOTP rely on a static secret. No User Attribution: Shared credentials don’t identify who accessed the account, complicating audits (e.g., if a cabin user misconfigures Peplink). Phishing/Man-in-the-Middle: Shared PINs are vulnerable to phishing (e.g., fake login page capturing PINs) or interception if entered on compromised devices. Device Loss: If a user’s device (with 2FAS) is lost or stolen, the secret key is exposed unless protected by biometrics or a PIN (configurable in 2FAS). HOTP Counter Drift: For HOTP, generating PINs without using them (e.g., testing) desyncs counters, requiring server-side resync. Best Practices: Use a Password Manager: Store the TOTP/HOTP secret in a shared 1Password or Bitwarden vault (e.g., Family/Teams plan). Users access the same login item, generating synchronized PINs securely. 1Password supports autofill for TOTP, reducing exposure. Example: Create a 1Password vault for the cabin team, add the Peplink login with TOTP QR code, and share with users. Each user’s 1Password app generates the same PIN. Cost: 1Password Family ($5/month, 5 users), Bitwarden Teams ($4/user/month). Secure Sharing: Distribute QR codes or .2fas files via encrypted channels (e.g., Signal, USB). Avoid email or cloud services with 2FA dependencies (e.g., Google Drive needing 2FAS). Device Security: Enable biometrics or PINs in 2FAS (Settings > Security) to lock tokens, reducing risk if devices are lost. Individual Credentials (Preferred): If the service allows (e.g., Peplink InControl²), assign each user their own 2FA token (separate secret keys) under a shared account with role-based access. This maintains auditability and reduces shared key risks. Backup Recovery Codes: Store service-provided recovery codes (e.g., Starlink’s 2FA backup codes) in a secure vault (e.g., 1Password, offline USB) to regain access if 2FAS tokens are lost. Monitor Usage: Check account logs (e.g., InControl² audit logs) for unauthorized access, especially with shared credentials. Critical View: Sharing TOTP/HOTP keys technically works but violates 2FA’s “something you have” principle, as multiple devices hold the same secret. Reddit and security blogs argue this mimics single-factor authentication (password + shared key), negating 2FA’s benefits. Individual tokens or hardware keys (e.g., Yubikey, ~$50) are more secure but less convenient for shared logins. Alternatives to Shared Credentials Role-Based Access: Services like Peplink InControl² or Starlink may support multiple users under one account, each with their own 2FA token (unique secret keys). Check the service’s admin panel (e.g., Peplink’s user management) to assign individual TOTP/HOTP credentials. This ensures auditability and security. Hardware Tokens: Use HOTP-compatible hardware (e.g., Yubikey, Feitian C200, ~$20-$50) for shared logins. One device generates PINs, passed physically among users (e.g., at the cabin). Limits scalability but enhances security (single secret key, harder to copy). Delegated Authentication: Use a service like Okta or Duo to manage 2FA, allowing multiple users to authenticate via their own tokens (e.g., Duo Mobile) for a shared account. Requires enterprise plans (~$3-$9/user/month). OAuth/SAML: For web apps (e.g., Starlink’s portal), use OAuth or SAML to delegate authentication to a single sign-on (SSO) provider, where each user has their own 2FA. Less applicable for Peplink’s direct login. [Irrelevant information elided...] Final Answer Yes, you can share TOTP/HOTP credentials among multiple people for a shared login ... to generate identical PINs, by distributing the same shared secret key (via QR code, text string, or 2FAS .2fas file) to all users’ authenticator apps (e.g., 2FAS). For TOTP, device clocks must sync (automatic via NTP); for HOTP, counters must align (set to 0 initially). Steps: (1) Export the key from 2FAS (Settings > 2FAS Backup > Export to File) or capture the QR code/text, (2) share securely (Signal, USB, 1Password vault), (3) import to each user’s 2FAS (Settings > Import or Scan QR). All users get synchronized PINs (e.g., TOTP: 123456 every 30 seconds). Risks: Key leakage, phishing, no auditability; use 1Password ($5/month) for secure sharing or individual tokens (preferred). For North Woods Internet Project v2 ($1,115-$1,300, $400 Peplink, $650 Starlink), share InControl² 2FA via 2FAS .2fas files (parse with jq on Linux Mint MATE). 2FAS (HMAC-based TOTP) secures both North Woods and directional boring project ($2,900-$5,200). [remainder elided as inconsequential] About The Editor [I don't say "Author" because Grok AI was the author ;)] Jim is a retired Systems, Network, and TelCom Administrator with over twenty-five years in the field--mostly for a $50M/year international corporation that had several facilities in North America, as well as branches in the U.K. and China. He was responsible for specifying, installing, configuring, and maintaining everything from desktops and laptops to Enterprise-grade servers and LAN, WAN, and WLAN network infrastructure, and for managing telecommunications contracts. Created: 2025-04-29 Last Updated: 2025-04-29