m4_include(head.html)

Easy Password Generation

m4_include(nav.html)

The C preprocessor is worse than m4, and I would kill myself before I had to use m4.

Arav K.

You can find the totp git repository over at sourcehut or GitHub.

Table of Contents

Prologue

TOTP codes are pretty cool, and really easy to do. They’re also the backbone of modern two-factor authentication. With totp I hope to make handling TOTP codes as easy and extensible as possible.

Terminology

There are a few terms that I will be using throughout this post, so it’s good to make sure that we’re all on the same page about what I’m referring to.

Secret

Your secret is a base32 encoded secret key that you should under no circumstances share with anyone else. It is from this secret key that we can generate valid TOTP codes.

Digits

Your digits is the length of the generated TOTP in digits. If digits is 8, then your generated key could be ‘01234567’. When dealing with 2FA this is typically 6.

Period

Your period it the duration for which the generated key is valid in seconds. When working with 2FA this is typically 30.

Basic Usage

totp takes secret keys as command-line arguments, but also reads them from the standard input if none are provided. It assumes that digits is 6 and period is 30. These defaults can be changed with the -d and -p flags.

m4_fmt_code(basic-usage.sh.html)

Working with QR Codes

Often times when enabling 2FA on your account on some website or platform, you will be shown a QR code you can scan with your 2FA mobile application. These QR codes contain otpauth URIs. We can extract these from downloaded images using utilities such as zbarimg and use them in totp using the -u flag to enable ‘URI mode’

m4_fmt_code(zbarimg.sh.html)
…and that’s all! There’s nothing else you need. You can use secret keys and otpauth URIs, and you can configure the digits and period of the generated codes. You can generate multiple keys at once, and all outputs are printed to the standard output.