2 Factor Authentication
The 2FA is a mechanism that generates a second password(known as TOTP), that is dynamic, for you to use along with the first password (static), when connecting to your account. TOTP, or Time-based One-time Password, is an algorithm used to generate the second password/factor, based on a secret key and the current time.
So, in simple terms:
TOTP = secret_key + current_time
or
totp(secret_key, current_time)
But in practice, there are more variables that you can control, so you can read here about the: TOTP. Or here about a C client.
Both the authenticator and the authenticatee compute the TOTP value, then the authenticator checks whether the TOTP value supplied by the authenticatee matches the locally generated TOTP value. Some authenticators allow values that should have been generated before or after the current time in order to account for slight clock skews, network latency and user delays.
The secret key can be any base32 string (spaces are ignored). So, in order to generate a TOTP(Time-based One-Time Password) for any given secret key, you can use the oathtool
command (install using apt install oathtool
):
paul@server:/$ oathtool --totp=SHA1 --verbose --base32 "ABCD 2345 EFGH 6723 IJKL 4567 MNOP 2345"
Hex secret: 00443d6f9d214c7f7f5b4254be77df635cfd6f9d
Base32 secret: ABCD2345EFGH6723IJKL4567MNOP2345
Digits: 6
Window size: 0
TOTP mode: SHA1
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2021-07-07 08:30:27 UTC (1625646627)
Counter: 0x33AD8BC (54188220)
003916
# Or just run:
paul@server:/$ oathtool --totp=SHA1 --base32 "ABCD 2345 EFGH 6723 IJKL 4567 MNOP 2345"
003916
# Or you can even control the variables: start_time(T0 - default 0 - unix epoch), time_interval(Tx - default: 30s), current_time(T - default: now), digits(default: 6):
paul@server:/$ oathtool --totp=SHA1 --start-time="1998-10-15 12:34:56 UTC" --time-step-size=10s --now="2021-07-07 08:41:25 UTC" --digits=8 --base32 "ABCD 2345 EFGH 6723 IJKL 4567 MNOP 2345" --verbose
Hex secret: 00443d6f9d214c7f7f5b4254be77df635cfd6f9d
Base32 secret: ABCD2345EFGH6723IJKL4567MNOP2345
Digits: 8
Window size: 0
TOTP mode: SHA1
Step size (seconds): 10
Start time: 1998-10-15 12:34:56 UTC (908454896)
Current time: 2021-07-07 08:41:25 UTC (1625647285)
Counter: 0x4465946 (71719238)
83402138
If you want to generate a QR code for a secret key, you can use the qrencode
(install using apt install qrencode
) command:
# Generate a .svg file with the QR code
paul@server:/$ qrencode -t svg -o- "otpauth://totp/my_identification?secret=ABCD2345EFGH6723IJKL4567MNOP2345&issuer=my_company&algorithm=SHA1&digits=6&period=30"
# Generate a .png file with the QR code
paul@server:/$ qrencode -t png -o/data/qr.png "otpauth://totp/my_identification?secret=ABCD2345EFGH6723IJKL4567MNOP2345&issuer=my_company&algorithm=SHA1&digits=6&period=30"
# Generate and display(show) the QR code
paul@server:/$ qrencode -t svg -o- "otpauth://totp/my_identification?secret=ABCD2345EFGH6723IJKL4567MNOP2345&issuer=my_company&algorithm=SHA1&digits=6&period=30" | display
Here is a .svg QR code generated:
If you load this 2FA secret key in a 2FA app, Google Authenticator for example, it will show up like:
my_company (my_identification)
402 468
If you want to read the contents of a QR code, you can use the zbarimg
(install using apt-get install zbar-tools
) command:
paul@server:/$ zbarimg --raw /data/qr.svg --quiet
otpauth://totp/my_identification?secret=ABCD2345EFGH6723IJKL4567MNOP2345&issuer=my_company&algorithm=SHA1&digits=6&period=30
paul@server:/$ zbarimg --raw /data/qr.png --quiet
otpauth://totp/my_identification?secret=ABCD2345EFGH6723IJKL4567MNOP2345&issuer=my_company&algorithm=SHA1&digits=6&period=30