Replacing Google Authenticator with oathtool and gpg

I've thought it would be cool to have Two Factor Authentication operating on the command line, perhaps in some isolated container, rather than having it in a phone which can easily be lost or broken.

We will also combine it with gpg encryption, so that we have an additional layer of security.

How TFA works
It's important to understand that TFA is a general term for all systems that require multiple authentication factors.

However, the vast majority of sites offering TFA for end users are based on the same technology, known as TOTP.

TOTP stands for Time-based One-time-password. The site generates a random password/secret and sends it to the authenticator device, typically through a QR code.

To put the algorithm in over-simple terms, each time you generate a code, you are simply inserting an epoch into the original secret.(Unix epoch is defined as the number of seconds since Jan 01 1970)

Because the site you're authenticating with knows when you received the secret, they will know what the expected value of the auth code should be at the current time.

If your value and the sites value agree, then you're authenticated on the basis that there's proof you posess the original secret.

Remember those QR codes are sensitive but useful

If you've got a sufficiently secure place, e.g. a locked filing cabinet, it may be a good idea to keep the QR code you're meant to scan with your phone. Anyone with access to the key can generate valid totp codes. So you can use it as backup if your phone dies, or even have them on multiple devices.

Just with anything like TFA, in addition to security in terms of your account getting compromised, you need to also look at security in terms of availability. By adding more restrictions, it increases the likelihood of getting into a situation where you're unable to access your own account.

I didn't want my phone to have that much riding on it .

Let's start

Install oathtool and gpg2

$ sudo apt-get update
$ apt-get install oathtool gnupg2

If you don't have a gpg key to use, generate one

$ gpg2 --full-gen-key

Keep track (temporarily) of the totp secret

$ read secret

Check its functioning properly (the site is accepting these keys)

$ oathtool --base32 --totp $secret

Now we encrypt the totp secret

$ echo $secret | gpg2 --encrypt \
  --recipient \
  --output ~/.tfa/secret/exampleservice 

Now we check its decrypting properly
We replace our $secret variable with the SHA-1 hash of itself.
We then check the decrypted output gives the same hash

secret=`sha1sum <<<$secret`
$ gpg2 --decrypt ~/.tfa/secret/exampleservice.gpg | sha1sum
$ echo $secret

Putting it together

$ oathtool --base32 --totp "`gpg2 --quiet --decrypt ~/tfa/secret/exampleservice.gpg 2>/dev/null`"

We should make an alias

$ alias totp='oathtool --base32 --totp'

Use pass (gpg+shell based password locker)

Then our one script can put the password in clipboard for 40sec
as well as printing the totp code

$ pass -c ~/.password-store/exampleservice_tfa
$ totp "`pass exampleservice_tfa 2>/dev/null`"