How to configure passbolt to use TOTP

Passbolt Pro Edition since v2.4.0 support TOTP (Time-based One Time Password).

TOTP is a type of authentication method that generates a new, unique password at set intervals (such as every 30 seconds) to be used in addition to a static username and password.

Security considerations

When using Time-based One-time Passwords (TOTP) as a form of multi-factor authentication, it is important to enable and set up at least one additional form of multi-factor authentication as a backup, in case the TOTP service becomes temporarily unavailable.

This will ensure that users are still able to access their accounts even if one form of authentication is not working.

Another consideration is to ensure that the time-synchronization between the server and the client devices is accurate, if not TOTP codes will not match and the authentication will fail.

Install a TOTP application

In order to use this authentication service, each of your users will need to install an application that supports Time Based One Time Passwords (TOTP) such as Google Authenticator or FreeOTP. Throughout this page, we will take the Google authenticator mobile application which works on smartphones or tablets.

• Google Authenticator for Android on google play store.
• Google Authenticator for iOS on apple store.

Enable TOTP

Log in to Passbolt and navigate to the administration page. (Administration > Multi Factor Authentication).

You should be able to enable “Time-based One Time Password”.

fig. Enable TOTP in Administration settings

Do not forget to save settings.

Configure TOTP

Log in to Passbolt and navigate to the settings page by clicking on your avatar. Navigate to Settings > Multi Factor Authentication. You should be able to select a provider.

As mentionned before, troughout this example we will take Google Authenticator TOTP.

fig. Enable TOTP in User settings

After you clicked on your provider, you are allowed to go further by clicking on “Get Started!”.

A QR code will be displayed, which you can scan using the Google Authenticator app. The app will generate a six-digit code that changes every 30 seconds. Enter this code into Passbolt to verify that it is working correctly. Save the backup key provided or write it down in a secure place. You will need this key to recover your account if you lose your phone.

Once you have set up TOTP, every time you log in to Passbolt, you will be prompted to enter the six-digit code generated by the Google Authenticator app. This code is unique to your device and changes every 30 seconds, providing an extra layer of security for your Passbolt account.

fig. TOTP successfully enabled