TOTP
A time-based one-time password (TOTP) code generator written in Go. A command-line interface that's like Google Authenticator or Authy for your Windows, macOS, or Linux machine.
What it Does
It generates TOTP codes used for two-factor authentication at sites such as Google, GitHub, Dropbox, PayPal, Amazon, and many more.
Warning Every copy of your two-factor credentials increases your risk profile. Using this utility is no exception. This utility will store your TOTP secrets unencrypted on your filesystem. The only protection offered is to store these secrets in a file readable by only your user and protected by the operating system only.
Quick Start
Add TOTP secrets to the TOTP configuration file with the config add
option, specifying the name and secret value. Note the secret names are case sensitive.
totp config add mysecretname NV4XGZLDOJSXICQ
Generate TOTP codes using the totp
command to specify the secret name. Note that because totp
reserves the use of the words config
and version
for commands, don't use them to name a secret. If you've generated and installed totp
completions for for your shell, pressing tab on a partially completed secret name will trigger autocomplete.
totp mysecretname
List the secret entries with the config list
command.
totp config list
Aliases are ls
and l
.
Update secret entries using the config update
command. Note that config update
and config add
are actually the same command and can be used interchangeably.
totp config update mysecretname NV4XGZLDOJSXICQ
Rename the secret entries with the config rename
command
totp config rename mysecretname mynewname
Aliases are ren
and mv
.
Delete secret entries with the config delete
command
totp config delete mynewname
Aliases are remove
, erase
, rm
, and del
.
Remove all the secrets and start over using the config reset
command
totp config reset
Use an ad-hoc secret to generate a code by using the --secret
option
totp --secret NV4XGZLDOJSXICQ
Continuous code output can be generated with the --follow
option.
totp --follow mysecretname
Use a QR Code to move an entry into your mobile device.
totp --qrcode mysecretname
will output a QR code suitable for scanning into a mobile device app such as Google Authenticator or Authy.
A one-off QR code can also be generated by providing both the name and the secret, for example:
totp --qrcode --secret NV4XGZLDOJSXICQ mysecretname
For help on any of the above, use the --help
option. Examples are
totp --help
totp config --help
Shell completion can be enabled by using the completion
command.
Bash
. <(totp completion bash)
Powershell
. totp completion powershell | Out-String | Invoke-Expression
TOTP Data Location
The location for saved data is extracted from the LOCALAPPDATA
environment variable in Windows and the HOME
environment for Linux/MacOS and in the file totp-config.json
. This can be customized using the --file
option or by setting the TOTP_CONFIG
environment variable.
Using the Time Machine
totp
implements the --time
, --forward
, and --backward
options to manipulate the time for which the TOTP code is generated. This is useful if totp
is being used on a machine with the incorrect time.
The --time
option takes an RFC3339 formatted time string as its argument and uses it to generate the TOTP code. Note that the --forward
and --backward
options will internally modify this option value.
Examples with --time
:
$ date '+%FT%T%:z'
2019-06-01T19:58:47-05:00
$ totp --time $(date '+%FT%T%:z') --secret NV4XGZLDOJSXICQ
931665
$ totp --time 2019-06-01T20:00:00-05:00 --secret NV4XGZLDOJSXICQ
526171
The --forward
and --backward
options move the current time forward and backward by their duration formatted arguments. See Go's time.ParseDuration()
documentation for more details on this format.
Examples with --forward
and --backward
$ totp --time 2019-06-01T20:00:00-05:00 --backward 3m --secret NV4XGZLDOJSXICQ
222296
$ totp --time 2019-06-01T20:00:00-05:00 --forward 30s --secret NV4XGZLDOJSXICQ
820148
The --follow
option is also compatible with the time machine.
totp --time 2001-10-31T20:00:00-05:00 --follow --secret NV4XGZLDOJSXICQ
877737
208737
Using the Stdio Option
If storing secrets in the clear isn't ideal for you, totp
supports streaming the shared secret collection through stdin and stdout with the --stdio
option. This allows you to roll your own encryption or support other methods of maintaining shared secrets.
The totp <secret name>
and totp config list
commands support loading the collection via standard input. The
totp config update
, totp config delete
, and totp config rename
commands support loading via standard input and sending the modified collection to standard output. Experiment with the --stdio
option to observe how this works.
Learning with Plaintext Data
Note the --file
option can achieve the same results as this example. This is meant to teach how stdio works with totp
.
Create a collection
totp config add --stdio secretname myvalue < /dev/null > totp.json
View the collection
totp config list --stdio < totp.json
Generate a TOTP code
totp secretname --stdio < totp.json
Encrypting Shared Secret Collection
Using what was learned above, a contrived example for encrypting data with GnuPG follows.
Create an encrypted collection
totp config add --stdio secretname myvalue < /dev/null | \
gpg --batch --yes --passphrase mypassphrase --output totp-collection.gpg --symmetric
View the collection
gpg --quiet --batch --passphrase mypassphrase --decrypt totp-collection.gpg | \
totp config list --stdio
Add another secret
gpg --quiet --batch --passphrase mypassphrase --decrypt totp-collection.gpg | \
totp config add --stdio newname newvalue | \
gpg --batch --yes --passphrase mypassphrase --output totp-collection.gpg --symmetric
View the modified collection
gpg --quiet --batch --passphrase mypassphrase --decrypt totp-collection.gpg | \
totp config list --stdio
Generate a TOTP code
gpg --quiet --batch --passphrase mypassphrase --decrypt totp-collection.gpg | totp --stdio secretname
Building
totp
is mostly developed using Go 1.19.x on Debian based systems. Only go
is required but to use the automated actions the Makefile
provides, make
must be installed.
To build everything:
git clone https://github.com/arcanericky/totp.git
cd totp
make
For unit tests and code coverage reports:
make test
The coverage is output to coverage.html
. Load it in browser for review. For example:
/opt/google/chrome/chrome file://$PWD/coverage.html
To build for a single platform (see the Makefile
for the different targets)
make linux-amd64
See the Makefile
for how to use the go
command natively.
Contributing
Contributions and issues are welcome. These include bugs reports and fixes, code comments, spelling corrections, and new features. If adding a new feature, please file an issue so it can be discussed prior to implementation so your time isn't wasted.
Unit tests for new code are required. Use make test
to verify coverage. Coverage will also be checked with Codecov when pull requests are made.
Inspiration
My ga-cmd project is more popular than I expected. It's basically the same as totp
with a much smaller executable, but the list of secrets must be edited manually and there aren't as many command line options. This totp
project allows the user to maintain the secret collection through the totp
command line interface, run on a variety of operating systems, and gives me a platform to practice my Go coding.
Credits
This utility uses the otp package by pquerna. Without this library, I probably wouldn't have bothered creating this front-end.