Use oathtool Linux command line for 2 step verification (2FA)

Originally published at: https://www.cyberciti.biz/faq/use-oathtool-linux-command-line-for-2-step-verification-2fa/

I do not wish to use the Google Authenticator or Authy app that generates 2 step verification (2FA) codes on my iOS/Android phone. Is there any way I can produce 2FA codes from the Linux command line for popular sites such as Gmail, Twitter, Facebook, Amazon and more?

Using this solution, is it possible to have multiple Linux boxes from where 2FA codes can be generated for the same account?

This is the error I am getting while encrypting the key. I have inserted the key in the code.
But it is still giving the error.

Are you using the correct gpg key? Did you set up a gpg key? Also, don’t run the command as root. It should be run as a normal user.

Hi, instead of using Google Authenticator it makes more sense to try out Authy, because they also allow sharing the 2FA tokens between multiple devices, with backup enabled by default on their systems (data encrypted with your local password), allowing multiple 2FA / authentication variants:
=> Why Is The Authy 2FA App Free For Users? - Authy
=> /blog/understanding-authys-multi-device-feature/
=> /blog/search-authy-2fa-ios-android/

Also free are the Android and iOS apps “OpenOTP” from RCdevs, with multiple authentication provider types:
www.rcdevs.com/solutions/unix/

and the open-source version “FreeOTP” is also available on Android and iOS:
=> freeotp.github.io

LastPass finally also has a 2FA app, which is backed up within its cloud.
But I didn’t like handing both passwords and 2FA authentication to the same provider ;)…
And it seems that in the meantime several security providers also offer their own app…

Yes, as long as all accounts have the same keys.

Yes, it worked. I was using an incorrect key.

Hello!

This was a great tutorial on the topic of using TOTP on GNU/Linux PCs, probably the best I have come across on the internet. Thank you indeed for that! Now, I have a special case:

For specific reasons my computer time is intentionally 19 to 20 minutes ahead of the actual time. This of course causes a problem for the creation of TOTPs. Fortunately, oathtool offers the possibility to manually define the current time with the --now argument. It expects an option like ‘2019-12-23 19:01:21 UTC’. As a work-around I manually change this in the script, but it would of course be nice if this could be done automatically.

Now, using the sntp program you can display your computer time and the offset from UTC. It returns a result like

$ sntp pool.ntp.org
sntp 4.2.8p12@1.3728-o (1)
Can't open KOD db file /var/lib/sntp/kod for writing: Permission denied
2019-12-23 23:55:39.167286 (-0100) -1169.921316 +/- 779.947834 pool.ntp.org 213.136.0.252 s1 no-leap

So in this case you would determine UTC by subtracting one hour (-0100) and approximately 1170 seconds (-1169.921…). I am sure it would not be too hard to implement this in the code, but I am not skilled enough. Would anyone have an idea how to code this?

Best regards

@theltalpha

Use the following to get the date in UTC, 20 minutes ago:

date --utc -d '20 min ago'

For the --now argument try:

date --utc -d '20 min ago' +"%Y-%m-%d %T UTC"

For example, at the CLI:

NOW=$(date --utc -d '20 min ago' +"%Y-%m-%d %T UTC")
oathtool -b --totp "$totp" --now "$NOW"

One can modify script as follows

NOW=$(date --utc -d '20 min ago' +"%Y-%m-%d %T UTC")
code=$($_oathtool -b --totp "$totp" --now "${NOW}")

HTH

@nixcraft

Thanks to your hints I expanded the shell script with the following:

# Difference between local PC time and NTP UTC
# (cut -b 36-40 takes the integer part of the offset field from the sntp summary
# line; it relies on that line's fixed column layout, e.g. a 4-digit offset)
diffLocalUTC=$(sntp pool.ntp.org | grep +/- | cut -b 36-40)

# NTP UTC
NOW=$(date --utc -d "${diffLocalUTC} seconds" +"%Y-%m-%d %T UTC")

The relevant command to generate the code thus reads:
code=$($_oathtool -b --now "${NOW}" --totp "$totp")
I have verified that it works.
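The same correction, written as an added example that is neither the article's script nor the commenter's code: it reads the offset from the sntp summary line by field rather than by byte column (so it does not break when the offset has a different number of digits), builds the string that oathtool --now expects, and shows the effect of the skew in 30-second TOTP steps. The sntp line is a constructed copy of the one quoted above, and the local clock reading used in the demo (2019-12-24 00:00:00 UTC) is assumed.

```shell
# Added example (not from the original article or the commenter's script).
# Parse the sntp offset by field, derive the oathtool --now value from it, and
# show which 30-second TOTP step the corrected and uncorrected times fall in.

# Constructed sample of the sntp summary line (stdout of `sntp pool.ntp.org`).
SAMPLE_SNTP_LINE='2019-12-23 23:55:39.167286 (-0100) -1169.921316 +/- 779.947834 pool.ntp.org 213.136.0.252 s1 no-leap'

# Offset in whole seconds from sntp output passed as $1 (may be multi-line).
# sntp prints the correction to apply to the local clock in the 4th field of
# the line containing "+/-"; GNU date only accepts integer relative items,
# so the fractional part is truncated.
parse_sntp_offset() {
    printf '%s\n' "$1" | awk 'index($0, "+/-") { printf "%d\n", $4; exit }'
}

# Corrected UTC time in the format oathtool --now expects, given the offset
# ($1) and the local epoch time to correct ($2, default: the clock right now).
corrected_now() {
    _offset="$1"
    _base="${2:-$(date +%s)}"
    date --utc -d "@$((_base + _offset))" +'%Y-%m-%d %T UTC'
}

# TOTP counter (RFC 6238, 30-second step) for an epoch timestamp. Client and
# server agree on a code only when they land in the same step; most servers
# accept one step either side, so a 20-minute error (~40 steps) always fails.
totp_step() {
    echo $(( $1 / 30 ))
}

# Demo with the constructed line and an assumed local reading of
# 2019-12-24 00:00:00 UTC (epoch 1577145600), i.e. ~19.5 minutes fast.
offset=$(parse_sntp_offset "$SAMPLE_SNTP_LINE")
echo "sntp offset: ${offset}s"
echo "uncorrected step: $(totp_step 1577145600), corrected step: $(totp_step $((1577145600 + offset)))"
echo "--now value: $(corrected_now "$offset" 1577145600)"

# Live use (assumed invocation; needs network access and oathtool installed):
#   NOW=$(corrected_now "$(parse_sntp_offset "$(sntp pool.ntp.org 2>/dev/null)")")
#   oathtool -b --totp "$totp" --now "$NOW"
```

The offset is added, not subtracted: sntp reports the correction to apply to the local clock, so a clock that runs fast sees a negative value, as in the quoted line.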

Since the whole script is about encrypting/hiding the secret TOTP key, you should add the hint that the echo -n 'hilp zs6i c5qu bx7z akiz q75e wk5z z66b' > ~/.2fa/vivek@gmail.com/.key command will remain in the shell history unless deleted. For bash I suggest the following:

$ history | grep echo

Note the relevant line number where the echo command appears.

$ history -d {line number} && history -w
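A way to avoid the problem in the first place, as an added example that is not part of the article's script: read the secret from a hidden prompt instead of passing it to echo on the command line, so it never reaches ~/.bash_history or ps output, and check that it is valid base32 before writing it with owner-only permissions. The key path in the usage comment is assumed; adapt it to the article's ~/.2fa layout.

```shell
# Added example (not the article's code): store a TOTP secret without it ever
# appearing on a command line, and validate it as base32 first.

# Canonical base32 form of a secret as sites display it ("hilp zs6i c5qu ..."):
# strip whitespace and dashes, upper-case, and reject anything outside the
# RFC 4648 alphabet (A-Z, 2-7, '=' padding). Prints the result, or fails.
normalize_base32() {
    _s=$(printf '%s' "$1" | tr -d ' \t\n-' | tr 'a-z' 'A-Z')
    case "$_s" in
        '' | *[!A-Z2-7=]*) return 1 ;;
    esac
    printf '%s' "$_s"
}

# Read the secret with terminal echo off and store it with mode 0600.
# Usage (assumed path): store_secret ~/.2fa/user@example.com/.key
store_secret() {
    _keyfile="$1"
    printf 'Paste TOTP secret (not shown): ' >&2
    if [ -t 0 ]; then stty -echo; fi
    read -r _raw || return 1
    if [ -t 0 ]; then stty echo; echo >&2; fi
    _secret=$(normalize_base32 "$_raw") || { echo 'not a valid base32 secret' >&2; return 1; }
    # umask in a subshell: the file and directory are created owner-only
    # without changing the caller's umask.
    ( umask 077 && mkdir -p "$(dirname "$_keyfile")" && printf '%s' "$_secret" > "$_keyfile" )
}

# If the secret was already typed on the command line, delete that entry from
# the running bash session (number from `history | grep echo`) and rewrite
# the history file:
#   history -d <number> && history -w
# For future sessions, bash does not record lines that start with a space when
# HISTCONTROL contains ignorespace:
#   export HISTCONTROL=ignorespace
```

The validation mirrors the "base32 decoding failed" error oathtool prints for a bad key: a secret containing 0, 1, 8 or 9 is rejected here before it is saved rather than at the first code generation.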

Great article, except I would start with a version without gnupg,
for users who already live in bunkers and don’t need it.
Only then show the more complicated gnupg version.

Anyway, many users already use Authy and/or Google Authenticator,
and just wish to add oathtool as an additional tool.

So perhaps do mention ways of ‘exporting all my keys from Authy / Google
Authenticator’ and/or going to Facebook, Twitter, etc.
and getting my current (not new) keys again, for use in oathtool.
https://wiki.archlinux.org/index.php/Google_Authenticator#Command_line
has one way. For Authy, no root needed:

Boy, I will surely remember to copy down any key for future use, before
I enter it into any (Authy, Google Authenticator, oathtool) program!

P.S.,
$ oathtool -b --totp 'N3V3R G0nn4 G1v3 Y0u Up'
oathtool: base32 decoding failed: Base32 string is invalid

Thanks for the rickroll