TOTP (Time-based One-Time Password) is commonly used to grant access to internet resources in addition to the usual username and password.
TOTP is used primarily with the Google Authenticator mobile app, but the algorithm can easily be implemented. All that is needed is the key provided by the internet resource we want to access. Using only that alphanumeric key and the current time, a six-digit value is calculated which acts as a second verification step before access is granted. This way a snooped password, even if the snooping also captured the TOTP value, cannot be reused: the TOTP changes every 30 seconds and cannot be predicted from previous values. It can only be calculated if the key is known, and the key itself is only exchanged when 2-step verification is first activated.
An interesting particularity here is the use of Unix time and the “problem” of leap seconds… So as an oddity, a particular TOTP token used at the end of June or December in coming years could be valid for 31 seconds. More exactly, if a leap second is added, the Unix time for the first second of the next day will be repeated, so that minute will really have two 0 seconds…
Anyway, as I wanted to obtain TOTP tokens from the command line but didn’t want the key to be directly visible in the code, I wrote a Python script which can be configured to use mangled TOTP keys in its code: the keys are “encrypted” with XOR and a random ASCII key.
This way a casual inspection of the code or an automated attack won’t directly obtain the key… Of course this can be discussed :-)
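As an added example, not the post's script, here is a minimal implementation of what the post describes: RFC 6238 TOTP with a 30 s step and six digits, the remaining-seconds counter the script prints, and the XOR mangling step. The function names are mine, and the demo key is the base32 form of the RFC 6238 test secret, not a real account key.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # token lifetime in seconds, as described in the post
DIGITS = 6   # length of the printed token


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduction modulo 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(key, unix_time // step, digits)


def totp_from_base32(key_b32: str, unix_time: int) -> str:
    """Sites hand out the shared key as base32 (the alphabet of the post's secret
    array); restore the '=' padding that b32decode insists on before decoding."""
    cleaned = key_b32.strip().upper()
    return totp(base64.b32decode(cleaned + "=" * (-len(cleaned) % 8)), unix_time)


def seconds_remaining(unix_time: int, step: int = STEP) -> int:
    """The decremental counter the script prints: seconds until the token dies."""
    return step - (unix_time % step)


def xor_mangle(data: bytes, mangling: bytes) -> bytes:
    """The post's key 'encryption': XOR with a repeating ASCII string. XOR is its own
    inverse, so whoever reads mangling_string from the script recovers the key."""
    return bytes(b ^ mangling[i % len(mangling)] for i, b in enumerate(data))


if __name__ == "__main__":
    # Constructed demo key (not a real account): base32 of the RFC 6238 test secret.
    demo_sites = {"site1": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}
    now = int(time.time())
    for name, key_b32 in demo_sites.items():
        print(f"{name}: {totp_from_base32(key_b32, now)}")
    print(f"({seconds_remaining(now)})")
```

Because `xor_mangle` is its own inverse, the mangled keys in the script are only as secret as the mangling string stored beside them.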
Warning: it is a self-modifying script!
First, you’ll have to open it with a text editor and insert the TOTP keys you have in the secret array:
# This is the secret array you have to first fill with your TOTP key(s).
# You can later add new clear keys AFTER THE PREVIOUS ONES: the
# script will detect and encrypt them on the next run
secret = [
    ['site1', 'MZXW633PN5XW6MZX'],
    #['site2', 'MZXW633PN5XW6MZY'],
    #['site3', 'MZXW633PN5XW6MZZ'],
    # ...
]
Once configured, and after a first run in which it rewrites itself with encrypted keys, it will print TOTP tokens for all your sites on screen, indicating the time in seconds for which they will remain valid… after each 30 s interval new values will be printed. By default two consecutive 30 s intervals are printed: this should allow easy use of the tokens for accessing any site.
$ vi twisted2sv.py          #<-- insert your TOTP key(s)
$ python3 twisted2sv.py
Auto-phagocytizing to encrypt TOTP keys ... Done.
$ python3 twisted2sv.py 4   #<-- print 4 sets of tokens (4*30 = 2 minutes time)
site1: (1) 973722
my site 2: (1) 008862
site1: (2) 862833
my site 2: (2) 274628
(13) <-- this decremental counter tells you the seconds until these tokens' death
In case you need to retrieve the original TOTP keys, just pass the actual XOR key (mangling_string) as an option:
$ twisted2sv.py _IoWK8zAOMOKNTai   #<-- here the script is in the $PATH
site1: LFEESWDVLJXVK6S2
site2: K5PUWWBTKRUVQR2Y
Note that the script can also overwrite itself to erase the TOTP keys and the mangling_string used to XOR them, replacing them with random values which will look valid on subsequent runs:
$ twisted2sv.py Delete
Deleting keys ! Please note that new tokens WON'T BE VALID !
Auto-phagocytizing to wipe out TOTP keys ...
deleting key site1...
deleting key site2...
Done.