pass-otp

18 December 2020

Here is a CLI method for creating OTP codes without the need for a cell phone or mobile device. It is a great way to keep good security practices for those who do not have a cell phone, or are trying to get rid of theirs.

Some prerequisites are needed. I use Arch Linux, so I will only reference packages that are available on this distribution. Look up the equivalent packages for your own distribution.

pass-otp

zbar

You will also need to have already set up a GPG keypair on your computer using:

$ gpg --full-gen-key

Either follow the prompts on that command or look up how to do this on your own.

Go to the website you want to set up 2FA on and go to the page that shows the QR code. This is the QR code that you would otherwise scan with your cell phone's 2FA app. Instead, download the image to your computer. Leave the dialog page up on the website for now.

In your terminal, navigate to where you saved the QR image and run the following command on it. We'll use this fake file name for the purpose of this tutorial: fakeimage.png. The name of our example website will be fakewebsite.com.

$ zbarimg -q fakeimage.png

From there the terminal will output something that looks like this:

QR-Code:otpauth://totp/fake website:myemail%someplace.com?secret=aspidujjbg0a8s7dghfas08d977&issuer=fake_website

That command decodes the QR image and prints its contents: an otpauth:// URI that carries the secret for your account in its secret= parameter.

Next you'll run the following command to add that output into pass-otp so it can generate your random codes to enter into the website.

$ pass otp add fakewebsite

The terminal will then ask you to enter the otpauth location. You'll copy/paste that output from above starting with the "otpauth..." part like this:

otpauth://totp/fake website:myemail%someplace.com?secret=aspidujjbg0a8s7dghfas08d977&issuer=fake_website

Once you have entered it twice, so that the two entries can be verified as correct and matching, you can generate 2FA codes for the website with the following command.

$ pass otp fakewebsite

The terminal will output a six-digit randomly generated code that changes every 30 seconds.

456123

Now you can enter that new code into the website that is awaiting your code based on the QR code image you first downloaded.