html lang="en" { head { m4_include(head.gsp) } body { header { div { h1 {-Easy Password Generation} m4_include(nav.gsp) } figure .quote { blockquote { p {= The C preprocessor is worse than m4, and I would kill myself before I had to use m4. } } figcaption {-Arav K.} } } main { p { em {- You can find the @code{-totp} git repository over at @a href="https://git.sr.ht/~mango/totp" target="_blank" {-sourcehut} or @a href="https://github.com/Mango0x45/totp" target="_blank" {-GitHub}. } } h2 {-Table of Contents} ul { li {a href="#prologue" {-Prologue}} li {a href="#terms" {-Terminology}} li {a href="#usage" {-Basic Usage}} li {a href="#qr" {-Working with QR Codes}} } h2 #prologue {-Prologue} p {- m4_abbr(TOTP) codes are pretty cool, and really easy to do. They’re also the backbone of modern two-factor authentication. With @code{-totp} I hope to handling m4_abbr(TOTP) codes as easy and extensible as possible } h2 #terms {-Terminology} p {- There are a few terms that I will be using throughout this post, so it’s good to make sure that we’re all on the same page about what I’m referring to. } dl { dt {-Secret} dd { p {- Your @em{-secret} is a @a href="https://en.wikipedia.org/wiki/Base32" target="_blank" {-base32} encoded secret key that you should under no circumstances share with anyone else. It is from this secret key that we can generate valid m4_abbr(TOTP) codes. } } dt {-Digits} dd { p {- Your @em {-digits} is the length of the generated m4_abbr(TOTP) in digits. If @em{-digits} is 8, then your generated key could be ‘01234567’. When dealing with m4_abbr(2FA) this is typically 6. } } dt {-Period} dd { p {- Your @em{-period} it the duration for which the generated key is valid in seconds. When working with m4_abbr(2FA) this is typically 30. } } } h2 #usage {-Basic Usage} p {- @code{-totp} takes secret keys as command-line arguments, but also reads them from the standard input if none are provided. It assumes that @em{-digits} is 6 and @em{-period} is 30. These defaults can be changed with the @code{--d} and @code{--p} flags. } figure { pre { m4_fmt_code(basic-usage.sh.gsp) } } aside { p {- I’m using @code{-mkpass} to generate a random secret. You can see my post about @code{-mkpass} @a href="/prj/mkpass" {-here}. } } h2 #qr {-Working with m4_abbr(QR) Codes} p {- Often times when enabling m4_abbr(2FA) on your account on some website or platform, you will be shown a m4_abbr(QR) code you can scan with your m4_abbr(2FA) mobile application. These m4_abbr(QR) codes contain @em{-otpauth} m4_abbr(URI)s. We can extract these from downloaded images using utilities such as @code{-zbarimg} and use them in @code{-totp} using the @code{--u} flag to enable ‘m4_abbr(URI) mode’ } figure { pre { m4_fmt_code(zbarimg.sh.gsp) } } p {- …and that’s all! There’s nothing else you need. You can use secret keys and otpauth m4_abbr(URI)s, and you can configure the @em{-digits} and @em{-period} of the generated codes. You can generate multiple keys at once, and all outputs are printed to the standard output. } } hr{} footer { m4_footer } } }