Golang CLI authenticator for Multi Factor Authentication

jtbonhomme/gotp

gotp

Golang secure storage for your 2FA secret from your terminal.

gotp has only been tested on Mac OS X (Mojave). Using it with pass on Linux requires specific setup.

Context

Modern web services offer two-factor authentication (2FA) as a complement to the traditional login/password method. This adds a level of security based on the Time-based One-Time Password (TOTP): even if a user's traditional password is stolen or compromised, an attacker cannot gain access without the TOTP, which expires quickly.

A time-based one-time password (TOTP) is a temporary passcode generated by an algorithm that uses the current time of day as one of its authentication factors.

The TOTP specification (RFC 6238) describes the TOTP algorithm as a time-based variant of the One-Time Password (OTP) algorithm, namely the HMAC-based One-Time Password (HOTP) algorithm.

The TOTP is basically an HMAC token computed from a shared key (generally randomly generated) and seeded with a timestamp that is valid for 30 seconds. Lots of mobile applications provide this service (Google Authenticator, ...).

When you log into a 2FA-protected service, you are asked to provide your credentials (login/password) and then to enter the TOTP displayed by the application. The web service computes the same TOTP and makes sure the two are equal.
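The computation and the service-side check described above, as an added example (not gotp's own code). It assumes HMAC-SHA1, 6-digit codes, a 30-second step and a tolerance of one step either side; the function names are hypothetical and the key is the published RFC 4226/6238 test key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// decodeSecret accepts base32 as users paste it: padded or not, any case, with spaces.
func decodeSecret(s string) ([]byte, error) {
	s = strings.TrimRight(strings.ToUpper(strings.ReplaceAll(s, " ", "")), "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// hotp (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, 6 digits.
func hotp(key []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // low nibble of the last byte selects the offset
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// totp (RFC 6238): HOTP with counter = floor(unix time / 30 s).
func totp(key []byte, t time.Time) string { return hotp(key, uint64(t.Unix()/30)) }

// verify is the service side: accept the previous, current and next step to
// tolerate clock drift (an assumed window), comparing in constant time.
func verify(key []byte, code string, t time.Time) bool {
	ok := 0
	for _, drift := range []time.Duration{-30, 0, 30} {
		want := totp(key, t.Add(drift*time.Second))
		ok |= subtle.ConstantTimeCompare([]byte(want), []byte(code))
	}
	return ok == 1
}

func main() {
	key, err := decodeSecret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ") // RFC test key, not a real secret
	fmt.Println(totp(key, time.Now()), err)
}
```

A production verifier would also reject a code that has already been accepted and rate-limit failed attempts.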

Motivation

I started using this security feature a long time ago, and was happy using the Google Authenticator application on my mobile phone. Until I realized I forgot to export all the secret keys I use every day at work on my new phone, and was unable to connect to the AWS console for a day.

That day, I wished I had a backup solution on my laptop. Then I started to wonder how I could implement a desktop application with a secure storage backend.

Use gotp as a program

Download

Get the version for your OS here: download

Install as a command line tool

go get -u github.com/jtbonhomme/gotp/cmd/gotp

Linux - pass backend setup

In order to use the pass backend, you need to initialize it and specify which GPG encryption identity to use. For further information, see the pass manual.

1 - find your GPG ID

gpg --list-secret-keys --keyid-format LONG

uid                 [ultimate] you <[email protected]>
ssb   rsa4096/DF5E537CC91EF1CA 2020-03-06 [E]

2 - initialize the backend

pass init DF5E537CC91EF1CA

All secrets will be stored under the root folder username:mfa

Add a key

The shared secret must be in base32 format.

gotp add -key=gmail -value=KZAUYVKFGA======

Get a code

The generated code is copied to the clipboard.

gotp get -key=AWS
code: 585146 (copied to clipboard)

List all keys

gotp list

Delete a key

gotp del -key=gmail

The secure KeyChain

gotp uses the keyring library to securely store the secrets used to compute time-based OTPs.

Todo

  • Add an update function, to change a key name
  • Add tests on different OS.

Contributing

gotp accepts Pull Requests! Feel free to add your own features, improve documentation or add tests.

Run tests

$ make test

Execute GitHub Actions locally

You can use act to run your GitHub Actions locally. This tool relies on Docker to run workflow jobs.

$ act -l
ID       Stage  Name              
build    0      GoReleaser build
release  0      Semver release
test     0      test
$ act -j test
