You can find the totp git repository over at sourcehut or GitHub.
Prologue
TOTP codes are pretty cool, and really easy to do. They’re also the backbone of modern two-factor authentication. With totp I hope to make handling TOTP codes as easy and extensible as possible.
Terminology
There are a few terms that I will be using throughout this post, so it’s good to make sure that we’re all on the same page about what I’m referring to.
- Secret
Your secret is a base32 encoded secret key that you should under no circumstances share with anyone else. It is from this secret key that we can generate valid TOTP codes.
- Digits
Your digits is the length of the generated TOTP in digits. If digits is 8, then your generated key could be ‘01234567’. When dealing with 2FA this is typically 6.
- Period
Your period is the duration for which the generated key is valid in seconds. When working with 2FA this is typically 30.
Basic Usage
totp takes secret keys as command-line arguments, but also reads them from the standard input if none are provided. It assumes that digits is 6 and period is 30. These defaults can be changed with the -d and -p flags.
$ code=`mkpass A-Z0-7`
$ totp $code
475867
$ echo $code | totp
475867
$ totp -d 10 $code
0718732338
Working with QR Codes
Oftentimes when enabling 2FA on your account on some website or platform, you will be shown a QR code you can scan with your 2FA mobile application. These QR codes contain otpauth URIs. We can extract these from downloaded images using utilities such as zbarimg and use them in totp using the -u flag to enable ‘URI mode’:
$ zbarimg -q my-qr-code.svg # Also works with jpg, png, etc.
QR-Code:otpauth://totp/GitHub:Mango0x45?secret=O1AIWMONKWVRJY4H&issuer=GitHub
$ zbarimg -q my-qr-code.svg | sed s/QR-Code:// | totp -u
554210
…and that’s all! There’s nothing else you need. You can use secret keys and otpauth URIs, and you can configure the digits and period of the generated codes. You can generate multiple keys at once, and all outputs are printed to the standard output.
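To show how the secret, digits and period from the Terminology section combine into a code, and how an otpauth URI carries them, here is an added Python sketch of the RFC 6238 computation; it is not totp's own source. It assumes HMAC-SHA-1 and the `digits`, `period` and `algorithm` query parameters of the common otpauth key-URI convention; the function names are hypothetical and the sample secret is the RFC 6238 test key, constructed for this example.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs

# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_URI = "otpauth://totp/Example:alice?secret=" + SAMPLE_SECRET + "&issuer=Example"


def totp(secret_b32, digits=6, period=30, now=None):
    """Return the RFC 6238 code (HMAC-SHA-1) for the given Unix time."""
    # Authenticator secrets are often shown lowercase, spaced and unpadded.
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # ValueError if not base32
    # The moving factor is the number of whole periods since the Unix epoch.
    counter = int(time.time() if now is None else now) // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): low nibble of the last byte picks 4 bytes.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp_from_uri(uri, now=None):
    """Read secret, digits and period from an otpauth://totp/ URI."""
    parts = urlparse(uri.strip())
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    query = parse_qs(parts.query)
    if "secret" not in query:
        raise ValueError("URI carries no secret parameter")
    if query.get("algorithm", ["SHA1"])[0].upper() != "SHA1":
        raise ValueError("this sketch only implements HMAC-SHA-1")
    digits = int(query.get("digits", ["6"])[0])
    period = int(query.get("period", ["30"])[0])
    return totp(query["secret"][0], digits, period, now)


if __name__ == "__main__":
    print(totp(SAMPLE_SECRET, digits=8, now=59))
    print(totp_from_uri(SAMPLE_URI))
```

Because the counter is the Unix time divided by the period, a verifier whose clock has drifted into a neighbouring period computes a different code, which is why clock synchronisation matters for TOTP.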