<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
	<meta http-equiv="Content-Language" content="en" />
	<meta name="viewport" content="width=device-width" />
	<meta name="keywords" content="oauthtool, zbarimg, totp, 2FA, authenticator" />
	<meta name="description" content="Using 2FA TOTP without crappy authenticator apps" />
	<meta name="author" content="Hiltjo" />
	<meta name="generator" content="Static content generated using saait: https://codemadness.org/saait.html" />
	<title>2FA TOTP without crappy authenticator apps - Codemadness</title>
	<link rel="stylesheet" href="style.css" type="text/css" media="screen" />
	<link rel="stylesheet" href="print.css" type="text/css" media="print" />
	<link rel="alternate" href="atom.xml" type="application/atom+xml" title="Codemadness Atom Feed" />
	<link rel="alternate" href="atom_content.xml" type="application/atom+xml" title="Codemadness Atom Feed with content" />
	<link rel="icon" href="/favicon.png" type="image/png" />
</head>
<body>
<nav id="menuwrap">
<table id="menu" width="100%" border="0">
<tr>
	<td id="links" align="left">
		<a href="index.html">Blog</a> |
		<a href="/git/" title="Git repository with some of my projects">Git</a> |
		<a href="/releases/">Releases</a> |
		<a href="gopher://codemadness.org">Gopherhole</a>
	</td>
	<td id="links-contact" align="right">
		<span class="hidden"> | </span>
		<a href="feeds.html">Feeds</a> |
		<a href="pgp.asc">PGP</a> |
		<a href="mailto:hiltjo@AT@codemadness.DOT.org">Mail</a>
	</td>
</tr>
</table>
</nav>
<hr class="hidden" />
<main id="mainwrap">
<div id="main">
<article>
<header>
	<h1>2FA TOTP without crappy authenticator apps</h1>
	<p>
	<strong>Last modification on </strong> <time>2022-03-23</time>
	</p>
</header>

<p>This describes how to use 2FA without using crappy authenticator "apps" or a
mobile device.</p>
<h2>Install</h2>
<p>On OpenBSD:</p>
<pre><code>pkg_add oath-toolkit zbar
</code></pre>
<ul>
<li>oath-toolkit is used to generate the digits based on the secret key.</li>
<li>zbar is used to scan the QR code text.</li>
</ul>
<h2>Steps</h2>
<p>Save the QR code image from the authenticator app or website to an image file.
Scan the QR code text from the image:</p>
<pre><code>zbarimg image.png
</code></pre>
<p>An example QR code:</p>
<p><img src="downloads/2fa/qr.png" alt="QR code example" /></p>
<p>The output is typically something like:</p>
<pre><code>QR-Code:otpauth://totp/Example:someuser@codemadness.org?secret=SECRETKEY&amp;issuer=Codemadness
</code></pre>
<p>You only need to scan this QR code for the secret key once.
Make sure to store the secret key in a private, safe place and don't show it to
anyone else.</p>
<p>Using the secret key, the following command outputs a 6-digit code by default.
In this example we also assume the key is base32-encoded.
There can be other parameters and options; these are documented in the Yubico URI
string format reference below.</p>
<p>Command:</p>
<pre><code>oathtool --totp -b SOMEKEY
</code></pre>
<ul>
<li>The --totp option uses the time-variant TOTP mode; by default it uses HMAC-SHA1.</li>
<li>The -b option uses base32 encoding of KEY instead of hex.</li>
</ul>
<p>Tip: you can create a script that automatically puts the digits in the
clipboard, for example:</p>
<pre><code>oathtool --totp -b SOMEKEY | xclip
</code></pre>
<h2>References</h2>
<ul>
<li><a href="https://linux.die.net/man/1/zbarimg">zbarimg(1) man page</a></li>
<li><a href="https://www.nongnu.org/oath-toolkit/man-oathtool.html">oathtool(1) man page</a></li>
<li><a href="https://datatracker.ietf.org/doc/html/rfc6238">RFC6238 - TOTP: Time-Based One-Time Password Algorithm</a></li>
<li><a href="https://docs.yubico.com/yesdk/users-manual/application-oath/uri-string-format.html">Yubico.com - otpauth URI string format</a></li>
</ul>

</article>
</div>
</main>
</body>
</html>