NetBSD-Users archive


Re: OAUTH TOTP



On Mon, Apr 29, 2024 at 06:04:23PM +0100, Patrick Welche wrote:
> Apparently I need to "purchase an inexpensive OATH TOTP compatible
> token device."
> 
> $ wtf oath
> wtf: I don't know what `oath' means!
> $ wtf totp
> TOTP: time-based one time password
> 
> Any suggestions on something that works on NetBSD/amd64?

There is simple Python code available that does it. If you only have one
site that needs it and can guarantee security for your local scripts,
you can do something very simple like:

--8<--
#!/usr/bin/env python3.10

import os
import sys

# Use the pyotp copy unpacked next to this script instead of an installed one.
sys.path.insert(0, os.path.join(os.path.dirname(__file__), '../TOTP/pyotp-2.6.0/src'))
import pyotp  # noqa

# The argument is the base32 secret shown (or encoded in the QR code) at enrollment.
print(pyotp.TOTP('YOUR_SECRET_CODE_HERE').now())
-->8--

(importing the local pyotp lib is a historic artifact, I should clean it up)

When "registering" the device with your web site you will be shown a QR
code typically, or often can get one after selecting "something else, not
Google or MS authenticator", sometimes with the cleartext code shown
that you add in above script instead of YOUR_SECRET_CODE_HERE.

If only a QR code is shown, point your mobile camera at it and copy the
URL; it contains the code and you can manually extract it.

All of TOTP is a mangling of the current time + the pre-shared secret.

I think there are several more "password manager" like Python
applications in pkgsrc, but for me the simple single-target Python
script was most convenient for now (I avoid TOTP where possible, preferring
WebAuthn with a YubiKey whenever supported).

Martin

