It seems that in announcing STRIP's new support for generating time-based one-time passwords (also known as TOTP passwords or TOTP access codes) for use with two-step verification in popular web services like Dropbox and Google accounts we may have confused some of our customers on its utility and use. Two-step verification (also called two-factor authentication and multi-factor authentication) is an additional check performed when you log in to a web service to protect your account should someone else obtain your password. When two-step verification is in use the web service prompts you for an access code to verify that the person using your password is really you. Google has a good explanation of what it is and how it works over here.

There are two main ways that you obtain the six-digit access code to prove your identity to the service:

1. The service sends you a six-digit access code (the TOTP password) via SMS
2. You generate the six-digit access code using a key supplied by the service

How does STRIP fit in?

When enabling two-step verification (for example with Dropbox or Google) you are typically prompted to choose either receiving the codes via SMS or generating them yourself. If you choose the latter, you can simply paste the key supplied by the service into STRIP and it will begin generating six-digit access codes you can use to verify your identity. We've got a short screencast that takes you through the process of enabling two-step verification in Dropbox and configuring STRIP to provide the correct access codes:

Enabling Dropbox 2-Factor Authentication with STRIP for OS X from Zetetic on Vimeo.

Once you've saved the key to a TOTP field in STRIP the current access code will always be displayed on the record. The next time you need to supply the code on login to the service, just pop over to STRIP and copy the current code, no need to do anything else with they key.

Two-step verification is not used for logging into STRIP, we didn't mean to suggest that it was. To log into STRIP you only need to provide your master password as before.

If you are having trouble using the feature or any questions at all, please get in touch at support@zetetic.net.

This morning we're excited to introduce the next revision to STRIP with a great new feature: Time-Based One Time Password (OATH TOTP) fields that generate one-time access codes for Google, Dropbox, AWS, Microsoft and other services that use compatible 2-step authentication. Available now for Android, iOS, OS X and Windows, just save a TOTP key from your service provider in a TOTP field after you update STRIP and you'll begin seeing access codes and a count-down timer.

Download

Instructions for upgrading STRIP on all platforms are available here. If you're new to STRIP and you'd like to pick up a copy, head on over to getstrip.com.

Clipboard Timer for Android and iOS

Hot on the heels of our introduction of a preference to erase values copied to the clipboard after two minutes in STRIP 2.2 for OS X and Windows is a clipboard timer for Android and iOS, along with a matching preference to enable and disable the feature. Once you've exited STRIP the timer fires, clearing any data saved to the clipboard after two minutes.

Changes

STRIP for Android:

• Adds TOTP support
• Adds timer for clearing clipboard after two minutes
• Fixes entry editor scrolling on KitKat

STRIP for iOS:

• Adds TOTP support
• Adds timer for clearing clipboard after two minutes

STRIP for OS X:

• Adds TOTP support
• Restores support for OS X Mountain Lion (by popular demand!)

STRIP for Windows:

• Adds TOTP support
• Disable sync menu when in edit mode
• Add 4 and 8 hour autolock timeout periods within preferences
• New toolbar/menu icons

Last year we learned about Per Thorsheim and Jeremi Gosney's Passwords conference, an annual and free conference on all things related to passwords, so I headed out to Las Vegas at the beginning of August to attend. It was such a fantastic, fun and deeply informative experience that this year we're heading back with our engineering team and are proud to announce our sponsorship of Passwords 14!

If you deal with passwords, password and security policies, hashing them, cracking them, protecting them with key-derivation, or you just want to know what makes a good password these days, this is the conference for you. Last year's single-track format never had a dull moment, with both high-level conceptual talks and in-depth demonstrations of newly-developed password hashing attacks—really some mind-blowing stuff even if you follow the topic regularly. Rare was the talk that did not involve oclHashcat at some point, and the Q&A sessions at the end of each talk were engrossing engagements. This year they'll be featuring two tracks of presentations, offensive and defensive, and I hear there's going to be a pool party! I'll let the guys give you the main pitch:

Passwords is the first and only conference of its kind, where leading researchers, password crackers, and experts in password security from around the globe gather in order to better understand the challenges surrounding digital authentication, and how to adequately address them. While large mainstream conferences tend to focus on current hot topics in the information security industry, Passwords events explore fringe conversations on everything from analysis and education to creating, securing, cracking, and exploiting authentication solutions. And unlike other events where the speaker is rushed in and out, Passwords provides an intimate environment for participants to directly engage speakers before, during, and after their presentations.

No need to register, Passwords 14 is being held at Tuscany Suites & Casino August 5-6th, so just book yourself a flight and a room.

Hope to see you there! Look for the guys wearing Zetetic shirts and say hello. Here's one of the talk from last year:

STRIP for Android stores sensitive information, which may cause some to pause when they see the permissions required to run the application on their Android devices. STRIP for Android requires access to the Internet, access to your Google accounts, and telephone permissions to name a few. We would like to clarify the need for those permissions, and in doing so, explain a feature available in STRIP for those unaware.

STRIP for Android provides a mechanism when long tapping on any given field to allow you to perform context-specific actions on the data you store. For example, if you long tap on a URL, STRIP for Android will offer to launch that URL in a browser. Likewise, if you have a telephone number stored, a long tap will offer to dial that number for you. You can think of it as a quick action feature associated to the data you store, should you wish to invoke it. With regard to account access, that is to allow STRIP access to your Google Drive account, should you wish to perform backups/synchronize your data to your Google Drive account. That said, we do not make phone calls without your request, we also do not access your account information without your permission. An example of the context sensitive menu within STRIP for Android is shown below.

With this, we hope you can use the quick action features within STRIP to streamline your experience within the application when accessing your information.

This morning we're excited to pull the switch on two important updates to STRIP for Android and OS X. STRIP for Android is carrying numerous bug fixes we've been working on for a while and a new full-screen theme. STRIP for OS X has been updated to fix the previously noted data persistence bug and is now quite a bit more robust in that department.

To get the latest:

• STRIP for Android in the Google Play store
• STRIP for OS X in the Mac App Store
• Or, if you purchased SfOX from us directly, STRIP menu -> Check for Updates