html lang="en" {
head { m4_include(head.gsp) }
body {
header {
div {
h1 {-Easy Password Generation}
m4_include(nav.gsp)
}
figure .quote {
blockquote {
p {=
The C preprocessor is worse than m4, and I would kill myself before I
had to use m4.
}
}
figcaption {-Arav K.}
}
}
main {
p {
em {-
You can find the @code{-totp} git repository over at
@a href="https://git.sr.ht/~mango/totp" target="_blank" {-sourcehut}
or
@a href="https://github.com/Mango0x45/totp" target="_blank" {-GitHub}.
}
}
h2 {-Table of Contents}
ul {
li {a href="#prologue" {-Prologue}}
li {a href="#terms" {-Terminology}}
li {a href="#usage" {-Basic Usage}}
li {a href="#qr" {-Working with QR Codes}}
}
h2 #prologue {-Prologue}
p {-
m4_abbr(TOTP) codes are pretty cool, and really easy to do. They’re
also the backbone of modern two-factor authentication. With
@code{-totp} I hope to make handling m4_abbr(TOTP) codes as easy and
extensible as possible.
}
h2 #terms {-Terminology}
p {-
There are a few terms that I will be using throughout this post, so it’s
good to make sure that we’re all on the same page about what I’m
referring to.
}
dl {
dt {-Secret}
dd {
p {-
Your @em{-secret} is a
@a
href="https://en.wikipedia.org/wiki/Base32"
target="_blank"
{-base32}
encoded secret key that you should under no circumstances share with
anyone else. It is from this secret key that we can generate valid
m4_abbr(TOTP) codes.
}
}
dt {-Digits}
dd {
p {-
Your @em {-digits} is the length of the generated m4_abbr(TOTP) in
digits. If @em{-digits} is 8, then your generated key could be
‘01234567’. When dealing with m4_abbr(2FA) this is typically 6.
}
}
dt {-Period}
dd {
p {-
Your @em{-period} is the duration for which the generated key is
valid in seconds. When working with m4_abbr(2FA) this is typically
30.
}
}
}
h2 #usage {-Basic Usage}
p {-
@code{-totp} takes secret keys as command-line arguments, but also reads
them from the standard input if none are provided. It assumes that
@em{-digits} is 6 and @em{-period} is 30. These defaults can be changed
with the @code{--d} and @code{--p} flags.
}
figure {
pre { m4_fmt_code(basic-usage.sh.gsp) }
}
aside {
p {-
I’m using @code{-mkpass} to generate a random secret. You can
see my post about @code{-mkpass} @a href="/prj/mkpass" {-here}.
}
}
h2 #qr {-Working with m4_abbr(QR) Codes}
p {-
Oftentimes when enabling m4_abbr(2FA) on your account on some website
or platform, you will be shown a m4_abbr(QR) code you can scan with your
m4_abbr(2FA) mobile application. These m4_abbr(QR) codes contain
@em{-otpauth} m4_abbr(URI)s. We can extract these from downloaded
images using utilities such as @code{-zbarimg} and use them in
@code{-totp} using the @code{--u} flag to enable ‘m4_abbr(URI) mode’.
}
figure {
pre { m4_fmt_code(zbarimg.sh.gsp) }
}
p {-
…and that’s all! There’s nothing else you need. You can use secret
keys and otpauth m4_abbr(URI)s, and you can configure the @em{-digits}
and @em{-period} of the generated codes. You can generate multiple keys
at once, and all outputs are printed to the standard output.
}
}
hr{}
footer { m4_footer }
}
}