OTP is not deprecated (gopasspw#2277)
RELEASE_NOTES[DOCUMENTATION]=OTP is no longer considered deprecated

Related to gopasspw#1301

Signed-off-by: Yolan Romailler <[email protected]>
AnomalRoil authored Jul 18, 2022
1 parent 67e6ee7 commit 08d7361
Showing 4 changed files with 34 additions and 11 deletions.
16 changes: 9 additions & 7 deletions README.md
Expand Up @@ -33,17 +33,19 @@ Please see [docs/features.md](https://github.com/gopasspw/gopass/blob/master/doc
| **Feature** | **State** | **Description** |
| --------------------------- | ------------- | ----------------------------------------------------------------- |
| Secure secret storage | *stable* | Securely storing encrypted secrets |
| Recipient management | *beta* | Easily manage multiple users of each store |
| Multiple stores | *stable* | Mount multiple stores in your root store, like file systems |
| password quality assistance | *beta* | Checks existing or new passwords for common flaws |
| password leak checker | *integration* | Perform **offline** checks against known leaked passwords |
| Recipient management | *stable* | Easily manage multiple users of each store |
| password quality assistance | *beta* | Checks existing or new passwords for common flaws **offline** |
| password leak checker | *integration* | Perform **offline** checks against known leaked passwords using [gopass-hibp](https://github.com/gopasspw/gopass-hibp) |
| PAGER support | *stable* | Automatically invoke a pager on long output |
| JSON API | *integration* | Allow gopass to be used as a native extension for browser plugins |
| Automatic fuzzy search | *stable* | Automatically search for matching store entries if a literal entry was not found |
| gopass sync | *stable* | Easy to use syncing of remote repos and GPG keys |
| Desktop Notifications | *stable* | Display desktop notifications and completing long running operations |
| REPL | *beta* | Integrated Read-Eval-Print-Loop shell with autocompletion. |
| REPL | *beta* | Integrated Read-Eval-Print-Loop shell with autocompletion by running `gopass`. |
| OTP support | *stable* | Generate TOTP/(HOTP) tokens based on the stored secret |
| Extensions | | Extend gopass with custom commands using our API |
| Fully open source! | | No need to trust it, check our code and/or improve it! |

## Design Principles

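Review bot: the promotion of `Recipient management` from *beta* to *stable* (second changed row of the hunk) is not covered by the commit message or the RELEASE_NOTES line, which only mention OTP; either name it in the message or split it into its own commit. In the new `OTP support` row, `TOTP/(HOTP)` reads oddly; `TOTP/HOTP` would be clearer.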
Expand All @@ -60,12 +62,12 @@ Please see [docs/setup.md](https://github.com/gopasspw/gopass/blob/master/docs/s
If you have [Go](https://golang.org/) 1.18 (or greater) installed:

```bash
go install github.com/gopasspw/gopass
go install github.com/gopasspw/gopass@latest
```
(and make sure your `$GOBIN` is in your `$PATH`.)

WARNING: Please prefer releases, unless you want to contribute to the
development of gopass. The master branch might not be very well tested and
can contain breaking changes without further notice.
development of gopass. The master branch might not be stable and can contain breaking changes without any notice.

## Getting Started

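Review bot: `go install github.com/gopasspw/gopass@latest` resolves to the newest tagged release, not to the master branch, so the WARNING directly below it (which warns about the master branch) no longer matches the command it follows; consider noting that `@master` is what pulls in the development branch, or rephrase the warning to describe what `@latest` actually installs.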
10 changes: 10 additions & 0 deletions docs/commands/mount.md
Expand Up @@ -23,3 +23,13 @@ $ gopass mounts remove mount/point
* Add a new mount
* List existing mounts
* Remove an existing mount

## Creating new mounts

You can also create new mounts using `init` even if your store is already initialized:

```
gopass init --store mynewsubstore pgpkeyidentitfier
```

(You can also specify a specific local path using `--path`, just make sure to keep your PGP key identifier, e.g. its email or fingerprint, as the last argument.)
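Review bot: `pgpkeyidentitfier` in the fenced command is misspelled (`pgpkeyidentifier`), and the fence is untagged while README.md uses ```bash; tagging it keeps highlighting consistent across the docs. The closing sentence could be tightened as well: `specify a specific local path` → `choose the local path`.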
6 changes: 2 additions & 4 deletions docs/features.md
Expand Up @@ -156,9 +156,7 @@ The `edit` command uses the `$EDITOR` environment variable to start your preferr

### Adding OTP Secrets

Warning: OTP support is deprecated.

*Note: Depending on your security needs, it may not behoove you to store your OTP secrets alongside your passwords! Look into [Multiple Stores](https://github.com/gopasspw/gopass/blob/master/docs/features.md#multiple-stores) if you need things to be separate!*
*Note: Depending on your security needs, it may not behoove you to store your OTP secrets alongside your passwords! Look into [Multiple Stores](https://github.com/gopasspw/gopass/blob/master/docs/features.md#multiple-stores) if you need things to be separate! Ideally using a hardware token requiring user interaction to store the key that is able to decrypt your OTP codes.*

Typically sites will display a QR code containing a URL that starts with `oauth://`. This string contains information about generating your OTPs and can be directly added to your password file. For example:

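Review bot: the sentence appended to the note is a fragment ("Ideally using a hardware token ... to decrypt your OTP codes."); suggest "Ideally, keep the key that decrypts your OTP secrets on a hardware token that requires user interaction." Since this paragraph is being edited anyway, the unchanged line just below says the QR code URL starts with `oauth://`, but the example a few lines later (and the scheme itself) is `otpauth://`; worth fixing in the same commit.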
Expand All @@ -168,7 +166,7 @@ secret1234
otpauth://totp/golang.org:gopher?secret=ABC123
```

Alternatively, you can use YAML (notice the usage of the YAML separator to indicate it is a YAML secret):
Alternatively, you can use YAML (notice the usage of the YAML separator `---` to indicate it is a YAML secret):

```
gopass show golang.org/gopher
13 changes: 13 additions & 0 deletions docs/usecases/secure-otp.md
Expand Up @@ -64,6 +64,19 @@ gopass otp local-passwordstore/website/yourOtp
897402 lasts 17s |-------------=================|
```

## Rely on a hardware token

Notice that ideally, the secret key that's able to decrypt your OTP secrets should be stored on a hardware token that is requiring some kind of user interaction to decrypt them.

This is done with Gopass by setting up a second store and not using the same public keys as for your main password store.
Refer to [our mount doc for setting one up](docs/commands/mount.md).

The public keys used for your OTP store should ideally be stored only on hardware tokens, or maybe generated on an airgaped machined and then backuped offline, before being transferred on a hardware token.
(There are [multiple](https://research.kudelskisecurity.com/2017/04/28/configuring-yubikey-for-gpg-and-u2f/) [guides](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) online about how to do this.)

It is highly recommended to set your ["touch policy" to `always`](https://docs.yubico.com/yesdk/users-manual/application-piv/pin-touch-policies.html#touch-policies) when using a hardware token for OTP.

This avoids storing 2FA codes in the same place as your passwords, which would kind of nullify the security advantage of relying on a 2FA code in the first place.

## Threat analysis

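Review bot: the relative link `docs/commands/mount.md` will not resolve from `docs/usecases/secure-otp.md`, since GitHub resolves relative links against the linking file's own directory; it should be `../commands/mount.md`. In the following paragraph it is the private keys, not the public keys, that belong only on the hardware token (the public keys have to be distributed to every recipient of the store), and the linked touch-policy page documents the YubiKey PIV application, whereas the setup described here uses OpenPGP, which has its own touch policy set via ykman's `openpgp` subcommand. Spelling: `airgaped machined` → `air-gapped machine`, `backuped` → `backed up`, `transferred on` → `transferred to`, and `is requiring` → `requires`.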