twisted 2-step verification TOTP script

TOTP (Time-based One-Time Password) is commonly used to grant access to internet resources in addition to the usual user name and password.

TOTP is mostly known from the Google Authenticator mobile app, but the algorithm is simple to implement. All that is needed is the key provided by the internet resource we want to access. From that alphanumeric key and the current time alone, a six-digit value is calculated which acts as the second verification step for granting access. This way a snooped password, even if the TOTP value is captured along with it, cannot be reused: the TOTP changes every 30 seconds and cannot be predicted from previous values. It can only be calculated if the key is known, and the key itself is only exchanged when the 2-step verification is first activated.

TOTP is built on the HOTP algorithm, which involves the use of HMAC with SHA-1.

An interesting particularity here is the use of Unix time and the “problem” of leap seconds. So, as an oddity, a particular TOTP token used at the end of June or December in coming years could be valid for 31 seconds. More exactly, if a leap second is added, the Unix time for the first second of the next day will be repeated, so that minute will really have two 0 seconds.

Anyway, as I wanted to obtain TOTP tokens from the command line, but didn’t want the key to be directly visible in the code, I made a Python script which can be configured to use mangled TOTP keys in the code: the keys are “encrypted” with XOR and a random ASCII key.

This way a casual inspection of the code or an automated harvesting of it won’t directly obtain the key… Of course this can be discussed :-)
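As an added illustration (not the script from this post), here is a minimal Python 3 version of the two pieces described above: the RFC 6238 TOTP calculation (HOTP with HMAC-SHA1, 30-second steps, six digits) and the XOR mangling of a base32 key with an alphanumeric mask. The function names, the 16-character mask length and the RFC 6238 test-key constant are my own choices, not taken from the post; the mask is stored beside the mangled key, so, as the post itself notes, this only hides the key from casual reading.

```python
import base64
import hashlib
import hmac
import itertools
import secrets
import string
import struct
import time
from typing import Optional, Tuple

STEP = 30    # seconds per TOTP time step
DIGITS = 6   # token length
# Test key from RFC 6238 Appendix B ("12345678901234567890" in base32), used only for checking.
RFC6238_TEST_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(b32_key: str, unix_time: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30)."""
    if unix_time is None:
        unix_time = int(time.time())
    # Authenticator keys are usually unpadded base32; restore the padding before decoding.
    key = b32_key.upper().replace(" ", "")
    key += "=" * (-len(key) % 8)
    return hotp(base64.b32decode(key), unix_time // STEP)


def seconds_left(unix_time: int) -> int:
    """Seconds until the current token expires (the countdown the script prints)."""
    return STEP - unix_time % STEP


def mangle(b32_key: str, mask: Optional[str] = None) -> Tuple[bytes, str]:
    """XOR the key with a random alphanumeric mask (the mangling_string idea).
    The mask is kept next to the result, so this defeats casual reading only."""
    if mask is None:   # assumed mask length: 16 printable characters
        mask = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(16))
    mangled = bytes(a ^ b for a, b in zip(b32_key.encode(), itertools.cycle(mask.encode())))
    return mangled, mask


def unmangle(mangled: bytes, mask: str) -> str:
    """Reverse mangle(): XOR again with the same mask."""
    return bytes(a ^ b for a, b in zip(mangled, itertools.cycle(mask.encode()))).decode()
```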

The Python 3 script can be obtained on GitHub.

Warning: it is a self-modifying script!

First, you’ll have to open it with a text editor and insert the TOTP keys you have in the secret[] array:

# This is the secret[] array you have to first fill with your TOTP key(s).
# You can later add new clear keys AFTER THE PREVIOUS ONES: the
# script will detect and encrypt them on the next run
secret = [
 ['site1', 'MZXW633PN5XW6MZX'],
 #['site2', 'MZXW633PN5XW6MZY'],
 #['site3', 'MZXW633PN5XW6MZZ'], # ...
]

Once configured, and after a first run in which it rewrites itself with the encrypted keys, it prints on screen the TOTP tokens for all your sites, indicating the seconds they will last; after each 30 s interval new values are printed. By default two consecutive 30 s intervals are printed: this should allow easy use of the tokens for accessing any site.

$ vi #<-- insert your TOTP key(s)
$ python3
Auto-phagocytizing to encrypt TOTP keys ...
$ python3 4 #<-- print 4 sets of tokens (4*30 = 2 minutes time)
site1:     (1) 973722
my site 2: (1) 008862

site1:     (2) 862833
my site 2: (2) 274628
(13) <-- this decremental counter tells you the seconds 
        until these tokens' death

In case you need to retrieve the original TOTP keys, just pass the current XOR key (mangling_string) as the option:

$ _IoWK8zAOMOKNTai #<-- here the script is in the $PATH

Note that the script can also overwrite itself to erase the TOTP keys and the mangling_string used to XOR them, replacing them with random values which will look valid on subsequent runs:

$ Delete 
Deleting keys !

Please note that new tokens WON'T BE VALID !

Auto-phagocytizing to wipe out TOTP keys ...

deleting key site1...
deleting key site2...
