You can find the totp git repository over at sourcehut or GitHub.
Prologue
TOTP codes are pretty cool, and really easy to do. They’re also the backbone of modern two-factor authentication. With totp I hope to make handling TOTP codes as easy and extensible as possible.
Terminology
There are a few terms that I will be using throughout this post, so it’s good to make sure that we’re all on the same page about what I’m referring to.
- Secret: Your secret is a base32-encoded secret key that you should under no circumstances share with anyone else. It is from this secret key that we can generate valid TOTP codes.
- Digits: Your digits is the length of the generated TOTP code, in digits. If digits is 8, then your generated code could be ‘01234567’. When dealing with 2FA this is typically 6.
- Period: Your period is the duration, in seconds, for which the generated code is valid. When working with 2FA this is typically 30.
Basic Usage
totp takes secret keys as command-line arguments, but also reads them from the standard input if none are provided. It assumes that digits is 6 and period is 30. These defaults can be changed with the -d and -p flags.
Working with QR Codes
Oftentimes when enabling 2FA on your account on some website or platform, you will be shown a QR code you can scan with your 2FA mobile application. These QR codes contain otpauth URIs. We can extract these from downloaded images using utilities such as zbarimg and use them in totp using the -u flag to enable ‘URI mode’.