
Zero Factor Authentication

Dear Internet, Today I Learned that oath-toolkit exists in Homebrew.

So, this is a thing:

$ brew install oath-toolkit
$ alias totp='oathtool --totp -b YOURSECRET32BLA | pbcopy'

And so is this:

#! /usr/bin/env expect -f
set totp [ exec oathtool --totp -b MYSECRET7W22 ]
spawn ssh
expect "Password:"
sleep 1
send "thisIsN0t1GoodPaszwort@\r"
expect "Two Factor Token:"
sleep 1
send "$totp\n"

Yup, it’s totally possible to laugh and cry at the same time.
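Added example, not part of the original post: a small Python check a defender could run over dotfiles and automation scripts to find the pattern shown above, where the TOTP seed is passed to oathtool on the command line and the password is a literal in an expect send. The function names, finding labels and regexes are assumptions of this example; the sample input is the post's script, shortened, with its placeholder values.

```python
import re

KEY_RE = re.compile(r"[A-Za-z2-7]{8,}=*|[0-9A-Fa-f]{16,}")  # base32 (-b) or hex key
SEND_RE = re.compile(r'^\s*send\s+(?:--\s+)?"(?P<text>[^"]*)"')
EXPECT_RE = re.compile(r'^\s*expect\s+"(?P<prompt>[^"]*)"')

def inline_oathtool_key(line):
    """Return the key if oathtool is called with a literal secret as an argument."""
    m = re.search(r"\boathtool\b([^|;\n]*)", line)
    if not m:
        return None
    for tok in m.group(1).split():
        tok = tok.strip("'\"[]")
        if not tok or tok.startswith("-"):
            continue                  # option flag such as --totp or -b
        if tok[0] in "$`":
            return None               # key comes from a variable or a command
        if KEY_RE.fullmatch(tok):
            return tok
    return None

def scan(text):
    """Return (line_no, kind) findings for one script or shell rc file."""
    findings, prompt = [], ""
    for no, line in enumerate(text.splitlines(), 1):
        if inline_oathtool_key(line):
            findings.append((no, "totp-secret"))
        if (m := EXPECT_RE.match(line)):
            prompt = m["prompt"]      # remember which prompt the next send answers
        elif (m := SEND_RE.match(line)):
            body = re.sub(r"\\[rn]", "", m["text"])
            if re.search(r"pass(word|phrase)", prompt, re.I) and body and "$" not in body:
                findings.append((no, "password"))
            prompt = ""
    return findings

def is_zero_factor(findings):
    """True when one file holds both the password and the TOTP seed."""
    return {"totp-secret", "password"} <= {kind for _, kind in findings}

# Constructed sample: the post's expect script without the spawn and sleep lines.
SAMPLE = r'''set totp [ exec oathtool --totp -b MYSECRET7W22 ]
expect "Password:"
send "thisIsN0t1GoodPaszwort@\r"
expect "Two Factor Token:"
send "$totp\n"
'''
print(scan(SAMPLE), is_zero_factor(scan(SAMPLE)))
```

A file that yields both finding kinds holds everything needed to log in, so reading that one file is equivalent to holding both factors.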



  1. Martin

    I hope nobody is surprised. When you check public webcams, you will probably find more than a dozen cams that will show an RSA token live…

  2. kris

    Today I learned that both 1P and Enpass implement that: They do have a TOTP generator embedded and you can enter your TOTP secret into the vault.


    They also try to implement 0FA, but 1P seems to be unable to do so with their current architecture for 3 years now:

    What does work, though, is automatically preloading the paste buffer with the current TOTP value when autofilling with Cmd-Backslash. So a login using 1P is “Cmd-Backslash, click TOTP field, Paste”. 1P even restores the old content of the paste buffer after that paste.
