2fa-totp.html - www.codemadness.org - www.codemadness.org saait content files
(HTM) git clone git://git.codemadness.org/www.codemadness.org
---
2fa-totp.html (3950B)
---
<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="Content-Language" content="en" />
<meta name="viewport" content="width=device-width" />
<meta name="keywords" content="oauthtool, zbarimg, totp, 2FA, authenticator" />
<meta name="description" content="Using 2FA TOTP without crappy authenticator apps" />
<meta name="author" content="Hiltjo" />
<meta name="generator" content="Static content generated using saait: https://codemadness.org/saait.html" />
<title>2FA TOTP without crappy authenticator apps - Codemadness</title>
<link rel="stylesheet" href="style.css" type="text/css" media="screen" />
<link rel="stylesheet" href="print.css" type="text/css" media="print" />
<link rel="alternate" href="atom.xml" type="application/atom+xml" title="Codemadness Atom Feed" />
<link rel="alternate" href="atom_content.xml" type="application/atom+xml" title="Codemadness Atom Feed with content" />
<link rel="icon" href="/favicon.png" type="image/png" />
</head>
<body>
<nav id="menuwrap">
<table id="menu" width="100%" border="0">
<tr>
<td id="links" align="left">
<a href="index.html">Blog</a> |
<a href="/git/" title="Git repository with some of my projects">Git</a> |
<a href="/releases/">Releases</a> |
<a href="gopher://codemadness.org">Gopherhole</a>
</td>
<td id="links-contact" align="right">
<span class="hidden"> | </span>
<a href="feeds.html">Feeds</a> |
<a href="pgp.asc">PGP</a> |
<a href="mailto:hiltjo@AT@codemadness.DOT.org">Mail</a>
</td>
</tr>
</table>
</nav>
<hr class="hidden" />
<main id="mainwrap">
<div id="main">
<article>
<header>
<h1>2FA TOTP without crappy authenticator apps</h1>
<p>
<strong>Last modification on </strong> <time>2022-03-23</time>
</p>
</header>

<p>This describes how to use 2FA without using crappy authenticator "apps" or a
mobile device.</p>
<h2>Install</h2>
<p>On OpenBSD:</p>
<pre><code>pkg_add oath-toolkit zbar
</code></pre>
<ul>
<li>oath-toolkit is used to generate the digits based on the secret key.</li>
<li>zbar is used to scan the QR code text.</li>
</ul>
<h2>Steps</h2>
<p>Save the QR code image from the authenticator app or website to an image file.
Scan the QR code text from the image:</p>
<pre><code>zbarimg image.png
</code></pre>
<p>An example QR code:</p>
<p><img src="downloads/2fa/qr.png" alt="QR code example" /></p>
<p>The output is typically something like:</p>
<pre><code>QR-Code:otpauth://totp/Example:someuser@codemadness.org?secret=SECRETKEY&amp;issuer=Codemadness
</code></pre>
<p>You only need to scan this QR code for the secret key once.
Make sure to store the secret key in a private safe place and don't show it to
anyone else.</p>
<p>Using the secret key, the following command outputs a 6-digit code by default.
In this example we also assume the key is base32-encoded.
There can be other parameters and options; these are documented in the Yubico URI
string format reference below.</p>
<p>Command:</p>
<pre><code>oathtool --totp -b SOMEKEY
</code></pre>
<ul>
<li>The --totp option uses the time-variant TOTP mode; by default it uses HMAC SHA1.</li>
<li>The -b option uses base32 encoding of KEY instead of hex.</li>
</ul>
<p>Tip: you can create a script that automatically puts the digits in the
clipboard, for example:</p>
<pre><code>oathtool --totp -b SOMEKEY | xclip
</code></pre>
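<p>An added example, not part of the original page or of oath-toolkit: shell functions that read the optional otpauth parameters (algorithm, digits, period) from the scanned URI, map them to the matching oathtool options, and keep the secret in an owner-only file instead of on the command line.
The function names are made up for this example, and passing the key as @FILE assumes oath-toolkit 2.6.5 or later.</p>

```sh
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Print the value of query parameter $2 of otpauth URI $1 (nothing if absent).
otpauth_param() {
	printf '%s\n' "${1#*[?]}" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Print the oathtool options for URI $1, without the key. Absent parameters
# fall back to the usual defaults: SHA1, 6 digits, 30 second period.
otpauth_opts() {
	algo=$(otpauth_param "$1" algorithm)
	digits=$(otpauth_param "$1" digits)
	period=$(otpauth_param "$1" period)
	case "${algo:=SHA1}" in
	SHA1|SHA256|SHA512) ;;
	*) echo "unsupported algorithm: $algo" >&2; return 1 ;;
	esac
	case "${digits:=6}" in
	6|7|8) ;;
	*) echo "unsupported digits: $digits" >&2; return 1 ;;
	esac
	case "${period:=30}" in
	0|*[!0-9]*) echo "invalid period: $period" >&2; return 1 ;;
	esac
	printf '%s\n' "--totp=$algo --digits=$digits --time-step-size=${period}s -b"
}

# Write the secret of URI $1 to file $2, readable by the owner only.
otpauth_save_key() {
	key=$(otpauth_param "$1" secret)
	[ -n "$key" ] || { echo "no secret in URI" >&2; return 1; }
	(umask 077 && printf '%s' "$key" > "$2") && chmod 600 "$2"
}

# Print the current code for URI $1 whose key was saved to file $2.
# Assumption: oath-toolkit 2.6.5 or later, where KEY may be given as @FILE,
# which keeps the secret out of the process list and the shell history.
otpauth_code() {
	opts=$(otpauth_opts "$1") || return 1
	# $opts is left unquoted on purpose: it holds validated options only.
	oathtool $opts "@$2"
}

# Usage with the example URI from the zbarimg output above:
#   uri='otpauth://totp/Example:someuser@codemadness.org?secret=SECRETKEY&issuer=Codemadness'
#   otpauth_save_key "$uri" "$HOME/.totp-example" && otpauth_code "$uri" "$HOME/.totp-example"
```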
<h2>References</h2>
<ul>
<li><a href="https://linux.die.net/man/1/zbarimg">zbarimg(1) man page</a></li>
<li><a href="https://www.nongnu.org/oath-toolkit/man-oathtool.html">oathtool(1) man page</a></li>
<li><a href="https://datatracker.ietf.org/doc/html/rfc6238">RFC6238 - TOTP: Time-Based One-Time Password Algorithm</a></li>
<li><a href="https://docs.yubico.com/yesdk/users-manual/application-oath/uri-string-format.html">Yubico.com - otpauth URI string format</a></li>
</ul>

</article>
</div>
</main>
</body>
</html>