
TOTP Codes in the Terminal

103 points | sea-gold | 2 years ago | jpmens.net

72 comments

[+] evanb|2 years ago|reply
A pass[0] extension called pass-otp[1] can produce otp codes from the command line

    > pass edit git/hub
    [... put in your totp ...]
    otpauth://totp/GitHub/...
then you can

    > pass otp -c git/hub
    Copied OTP code for git/hub to clipboard. Will clear in 45 seconds.
pass-otp is also compatible with the passff firefox plugin; not sure beyond that.

[0]: https://www.passwordstore.org/

[1]: https://github.com/tadfisher/pass-otp

[+] miggol|2 years ago|reply
Neat! I should try this. Been using pass since forever. Does it support autofill on Android?

GNU Pass is a great example of Unix-y interoperability for me. I sync the .password-store folder over to my phone with Syncthing, where the Password Store android app reads it. Password Store in turn talks to OpenKeychain for my encryption key with biometrics support. Changes are also synced back to my other devices. Each piece of the puzzle can focus on doing one thing and doing it well, even on Android!

Password store for android: https://f-droid.org/packages/dev.msfjarvis.aps/ Openkeychain: https://f-droid.org/packages/org.sufficientlysecure.keychain...

[+] Tmpod|2 years ago|reply
I use it almost every single day, it's pretty simple and neat, haven't had the need for anything fancier.
[+] rendaw|2 years ago|reply
I think browserpass ff+chromium plugin supports otp as well. A nice thing is it's a native plugin so you can manage it with your system package manager (rather than the extension store).
[+] crtasm|2 years ago|reply
If you copy something else to the clipboard afterwards does it know not to clear it?
[+] coppsilgold|2 years ago|reply
KeePassXC[1] password manager supports TOTP and I use it for that purpose in addition to storing passwords. It never made sense to me to use an app like Authy.

I suspect most people make the assumption that an Authenticator app is something special that needs to talk to the service that issued the QR code/secret string.

It's nothing more than a SHA1 hash of a secret string and an adjusted current time.

[1] <https://keepassxc.org>

[+] mksybr|2 years ago|reply
KeePassXC also has a CLI interface suitably named keepassxc-cli, so for TOTP in the terminal it's something like:

    keepassxc-cli show -q "$KEEPASS_DB_FILE" "$ENTRY_NAME" --totp
    <type password>
    <prints totp>
edit: doubly so specifically regarding Authy since they're discontinuing it on the desktop in a few months.
[+] sodality2|2 years ago|reply
For me it’s separation of secrets. If my vault is exposed they won’t be able to log in without the codes. Putting it all in one place is a bad idea, some may think.
[+] alwayslikethis|2 years ago|reply
I only use KeePassXC for TOTPs now. Note it can work on Android too. There is often no good way to back up phone authentication apps without a cloud service, which is a problem if I ever lost or broke my phone, and it requires me to use a separate device when using my computer, which I'd rather not do.

Autofill can save you a lot of time if you prefer to usually stay logged out of websites (auto-deleting cookies, for example) but need to log in sometimes.

[+] curben|2 years ago|reply
for anyone new keepassxc, do check out the auto-type feature. you can trigger it (through keyboard shortcut) to type TOTP digits.
[+] xyzzy_plugh|2 years ago|reply
Several comments here suggesting that using password managers for TOTP defeats the purpose of TOTP as a second factor. I don't agree.

I strongly prefer other factors (U2F/FIDO(2)/WebAuthn/Passkeys/whatever) but unfortunately TOTP is still extremely prevalent. Worse is when only a single secondary factor can be registered, in which case even if something other than SMS or TOTP is available, I slightly bias away from hardware security tokens in order to have a clear recovery path. I can at least back up most TOTP keys.

I agree that having a second vault for TOTP seems superior but from a UX and recovery perspective it's not so clear. Are both vaults available on all devices? Are they usually unlocked simultaneously? Is it likely that one vault but not the other would be stolen? Or you have a separate device or air-gap and now the usability adds friction. It seems like diminishing returns.

Conversely a single vault still offers significant protection from many attack vectors, including keyloggers and phishing. Even if access is obtained via MITM'ing a TOTP, the blast radius is often limited to a single session. Many services have poor session security, once established, but many do not. And in my experience it's still nearly impossible to get rid of SMS 2FA.

TOTP is almost always strictly better than SMS 2FA, and storing your TOTP keys alongside your passwords doesn't really diminish the effectiveness of TOTP very much at all. Unless you have the keys themselves exposed, they're still closer to "something you have" than "something you know", at least from where I'm sitting.

Their main weakness is that they can be backed up or copied at all, as well as MITM'd. How I securely store them doesn't have much impact.

[+] JoshTriplett|2 years ago|reply
> Their main weakness is that they can be backed up or copied at all

Which is also a major strength. I've had the experience of a phone app losing all of my TOTP information, and spending a long while having to use the recovery paths of various websites. After that experience, I want my second factor to be something I can back up and restore.

That'll continue to be true until either all websites reliably accept multiple 2FA devices (e.g. register multiple hardware keys) or I can buy multiple redundant hardware devices that produce the same TOTP codes so I can register "one" device with a site and still have a backup.

I wish the Firefox password manager had builtin TOTP support.

[+] bawolff|2 years ago|reply
Most of the security benefits of TOTP are really for the service providers. Service providers get blamed when users are hacked because they used the same weak password across multiple websites. With TOTP, the service provider chooses the key the codes are derived from, so the user cannot choose a stupid one.

Most of the other threats that people talk about TOTP fixing are movie plot threats and not ones that happen in the real world to ordinary people. The only major exception is that webauthn prevents phishing, but TOTP cannot help with that.

[+] mistrial9|2 years ago|reply
TOTP codes acceptable to Github etc. can be generated via

    oathtool - Open AuTHentication (OATH) one-time password tool

     OATH Toolkit provide components to build one-time password
     authentication systems.  It contains shared C libraries, command line
     tools and a PAM module.  Supported technologies include the
     event-based HOTP algorithm (RFC 4226), the time-based TOTP algorithm
     (RFC 6238), and Portable Symmetric Key Container (PSKC, RFC 6030) to
     manage secret key data.  OATH stands for Open AuTHentication, which is
     the organization that specify the algorithms.
[+] 22c|2 years ago|reply
I use an alias to oathtool to generate OTPs.

It seems like this method at least keeps the secret key inside 2FAS backups, so it's probably slightly better opsec.

[+] cypherpunks01|2 years ago|reply
PSA: Authy Desktop is being killed off this year, which could mean the last opportunity to export your tokens out of Authy (for migration, or for external backup)

There are a few gists floating around regarding how to export by remote chrome debugging an older version of Authy desktop app, which still worked for me recently. This page explains too:

https://jaketrent.com/post/export-authy-desktop-data/

[+] willmacdonald|2 years ago|reply
If you have a M1/2/3 Mac you can install the iPad version of Authy which works as a replacement.
[+] TacticalCoder|2 years ago|reply
I wrote once many years ago, showing me all my TOTP codes in a terminal. I'd run it on a text-only offline/airgapped Raspberry Pi (an old one, with not even WiFi capabilities).

I was also pissed off by the clock issue, so I'd show the previous, present and next code to come: because it's really a PITA when you see 213987 but you've got only two seconds left before it rolls. So I may as well start entering the next code (what the server accepts is something not in my control).

And I always, always, always have a known, public, 2FA which I can use to double-check that everything is smooth (for example by entering it on some online computer and verifying that I get the same tokens generated).

I just reused whatever 2FA/TOTP Java library I found and wrapped that in a little CLI utility.

My secrets were unlocked by entering a password when I'd start the app.

[+] AlexanderTheGr8|2 years ago|reply
You don't need to use the previous, present, and next code. Most decently implemented TOTP servers take time-sync-issues into account and accept codes a few seconds here and there. They do this also bec the time for a packet to move around the earth can also sometimes take a couple seconds.

Your setup on raspberry Pi sounds complicated. Mine was simpler. Just a CLI showing totp. Less secure but more convenient.

[+] timenova|2 years ago|reply
For people storing One-Time Passwords in 1Password, you can access them in the terminal too:

    op item get <item_name> --otp
To copy to clipboard just use pbcopy or xclip:

    op item get <item_name> --otp | pbcopy        # MacOS
    op item get <item_name> --otp | xclip -sel c  # Linux
[+] 4hg4ufxhy|2 years ago|reply
Implementing TOTP is a fun exercise to learn crypto. But key storage is a bit more interesting as it has so many different approaches and trade offs.
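As an added example (not code from the linked article or from any commenter), here is the algorithm coppsilgold summarises above written out: RFC 4226 HOTP plus the RFC 6238 time step, the base32 decoding of the key from an otpauth:// URI, the previous/present/next display TacticalCoder describes, and the server-side skew tolerance AlexanderTheGr8 mentions. The only key used is the constructed RFC reference secret, the ASCII string "12345678901234567890", whose published test vectors let you check the output.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed test key: the RFC 4226 / RFC 6238 reference secret, ASCII "12345678901234567890".
RFC_TEST_SECRET = b"12345678901234567890"


def decode_base32_secret(text):
    """Turn the base32 key from an otpauth:// URI into raw bytes.

    Issuers often omit the '=' padding and sometimes group the key with spaces
    or use lower case, all of which base64.b32decode rejects, so normalise first.
    """
    cleaned = text.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    now = int(time.time()) if for_time is None else int(for_time)
    return hotp(secret, now // step, digits)


def totp_window(secret, for_time=None, step=30, digits=6):
    """Previous, current and next code, plus seconds left in the current step."""
    now = int(time.time()) if for_time is None else int(for_time)
    counter = now // step
    codes = [hotp(secret, counter + delta, digits) for delta in (-1, 0, 1)]
    return codes, step - (now % step)


def verify_totp(secret, code, for_time=None, step=30, digits=6, skew=1):
    """Server-side check: accept the current step and +/- `skew` neighbouring steps.

    compare_digest keeps the comparison constant-time; a real verifier would also
    record the accepted counter so the same code cannot be replayed within the window.
    """
    now = int(time.time()) if for_time is None else int(for_time)
    counter = now // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    # Stand-alone use: print the three-code window for the test secret at the current time.
    codes, remaining = totp_window(RFC_TEST_SECRET)
    print("prev/now/next:", *codes, f"({remaining}s left)")
```

With `for_time=59` the window is the RFC 4226 codes for counters 0, 1 and 2, and `verify_totp` with `skew=1` accepts the counter-1 code at t=65 but rejects it at t=95, which is the whole of the "a few seconds here and there" tolerance: it is counted in 30-second steps, not seconds.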
[+] Tmpod|2 years ago|reply
Yeah, seems like a small enough thing to get your hands dirty. Might give it a shot soon, thank you for the suggestion!
[+] normaler|2 years ago|reply
I use aegis (previously I used andotp) and backup to a folder shared via syncthing. This allows me to use OTP via andotp-cli in an emergency or to use it in a new phone. For some I also use keepassxc (my credential/information store), but the important ones. I prefer yubikeys, but keep TOTP as a backup mechanism when I can add two methods.
[+] lloeki|2 years ago|reply
A few years back, on a limb, as a quick experiment a coworker of mine (github.com/jkirsteins) wrote `twofa`.

Surprisingly usable for a few days' worth of hacking around!

https://github.com/sqreen/twofa

[+] iamawacko|2 years ago|reply
rbw (a terminal client for Bitwarden) can also generate totp codes.
[+] Tmpod|2 years ago|reply
Just be careful not to use the same account/database/vault for OTPs and passwords, when using a manager like Bitwarden or KeePass, otherwise they no longer contribute a second factor to your authentication.

To be honest, password managers that support TOTPs should always come with a very clear disclaimer that keeping all your eggs in the same basket is a detriment to your safety, and that you should either use different software for these codes or a separate account. I don't believe they do, but correct me if I'm wrong.

[+] macropin|2 years ago|reply
YubiKeys support cli access with the benefit of being hardware backed, and optionally requiring a physical touch:

  $ ykman oath accounts code <slot>
  Touch your YubiKey...
[+] markuman123|2 years ago|reply
I store my TOTP secrets in the Gnome Keyring

    totp() {
      TOKEN=$(keyring get totp $1)
      oathtool -b --totp $TOKEN | xclip
    }
and my TOTP secrets are saved via ansible-vault

    - name: set TOTP in keyring
      with_items: "{{ TOTP }}"
      community.general.keyring:
        service: totp
        username: "{{ item }}"
        password: "{{ TOTP[item] }}"
        keyring_password: "{{ keyring_password }}"
[+] teddyh|2 years ago|reply
Beware: That shell function will use the secret on a command line, leaking the secret to the process list, available to every user on the system. The oathtool manual page even warns about this.

I would instead recommend something like:

    totp() {
      oathtool --base32 --totp -- @<(keyring get totp "$1") | xclip
    }
(Bash required.)
[+] phyzome|2 years ago|reply
Frankly, I'm glad Authy Desktop is dead. It didn't allow exporting of TOTP secrets, so migrating off of it was a pain. I've been much, much happier with a tiny shell alias to oathtool and gpg.

For extra benefit, bind a keyboard shortcut and use xsel (Linux) or pbcopy (Mac) to drop the TOTP code into the clipboard. Now entering a frequent TOTP code is as simple as two keyboard chords.

(I only do this because my employer offers very limited options for MFA and I don't have a smartphone. I'd much rather use the Yubikeys I already have...)

[+] McGuffin|2 years ago|reply
It is actually doable to export secrets from authy desktop, but it involves starting it in debug mode and connecting chrome to it (it's an electron app). It was the solution I found to extract the secrets back when I set up https://pypi.org/project/totp/
[+] jeffrallen|2 years ago|reply
Users of 1Password with Dropbox sync can get TOTP in a terminal window with GitHub.com/jeffallen/1pw

It is a crude hack, but it works for me.

[+] BiteCode_dev|2 years ago|reply
tetripin does that too, but you have to pip install it.