You can find the
totp git repository over at
TOTP codes are pretty cool, and really easy to do. They’re also the backbone of modern two-factor authentication. With totp I hope to make handling TOTP codes as easy and extensible as possible.
There are a few terms that I will be using throughout this post, so it’s good to make sure that we’re all on the same page about what I’m referring to.
Your secret is a base32 encoded secret key that you should under no circumstances share with anyone else. It is from this secret key that we can generate valid TOTP codes.
Your digits is the length of the generated TOTP in digits. If digits is 8, then your generated key could be ‘01234567’. When dealing with 2FA this is typically 6.
Your period is the duration for which the generated key is valid in seconds. When working with 2FA this is typically 30.
totp takes secret keys as command-line arguments, but also reads
them from the standard input if none are provided. It assumes that
digits is 6 and period is 30. These defaults can be changed
Working with QR Codes
Oftentimes when enabling 2FA on your account on some website or platform, you will be shown a QR code you can scan with your 2FA mobile application. These QR codes contain otpauth URIs. We can extract these from downloaded images using utilities such as zbarimg and use them in totp using the -u flag to enable ‘URI mode’.
…and that’s all! There’s nothing else you need. You can use secret keys and otpauth URIs, and you can configure the digits and period of the generated codes. You can generate multiple keys at once, and all outputs are printed to the standard output.