
Zero Factor Authentication

Dear Internet, Today I Learned that oath-toolkit exists in Homebrew.

So, this is a thing:

$ brew install oath-toolkit
$ alias totp='oathtool --totp -b YOURSECRET32BLA | pbcopy'

And so is this:

#! /usr/bin/env expect -f
 
set totp [ exec oathtool --totp -b MYSECRET7W22 ]
 
spawn ssh verysecure.doma.in
expect "Password:"
sleep 1
send "thisIsN0t1GoodPaszwort@\r"
expect "Two Factor Token:"
sleep 1
send "$totp\n"
interact

Yup, it’s totally possible to laugh and cry at the same time.

Published in Erklärbär, Fluffy Fluff, Hackerterrorcybercyber

4 Comments

  1. Martin

    I hope nobody is surprised. When you check public webcams, you will probably find more than a dozen cams that will show an RSA token live...

  2. kris kris

    Today I learned that both 1P and Enpass implement that: They do have a TOTP generator embedded and you can enter your TOTP secret into the vault.

    Enpass: https://www.enpass.io/docs/desktop-windows/totp.html
    1Password: https://support.1password.com/one-time-passwords/

    They also try to implement 0FA, but 1P seems to be unable to do so with their current architecture for 3 years now: https://discussions.agilebits.com/discussion/39322/auto-fill-one-time-password

    What does work, though, is automatically preloading the paste buffer with the current TOTP value when autofilling with Cmd-Backslash. So a login using 1P is “Cmd-Backslash, click TOTP field, Paste”. 1P even restores the old content of the paste buffer after that paste.
