Jeremy Luscombe

OTP from the command line (AKA ditch your smartphone)

I'm in the middle of an experiment to ditch my smartphone for a month.

I've had a crummy little Nokia knocking around that I threw my sim into a few times in the last few years in an attempt to curb my smartphone addiction (the type we all have). I always enjoyed the few days of respite it gave me from the relentlesness of smartphone ownership, but I never stuck to it, lured back in my the conveniences of a handheld PC.

Anyway, i've found new resolve and i'm just using my Nokia dumbphone now, but a problem occurred today at work - how do I manage all my OTP needs? Usually I get a text or open up the Google Authenticator app to get access to systems.

Enter pass and pass otp.

Command line password managment & OTP

Turns out you can access all your OTP codes from the command line pretty easily if you're using a unix system.

Fire up your terminal, first you need to install pass, which is the standard local password manager for unix systems. We need pass in order to use pass otp, which is a pass plugin.

For MacOS you can install using brew:

$ brew install pass

Now you need to initialise pass, which uses one of your gpg keys to encrypt the password file on your local machine:

If you don't know how to setup a gpg key, follow this guide, but it's basically:

$ brew install gpg
$ gpg --gen-key

Then init pass:

$ pass init "GPG key ID"

Now we need to install pass otp, which is an extension of pass and will allow us to get one time passwords for all our logins. You can't have one without the other.

$ brew install pass-otp

We also need to install zbar (more on that in a moment):

$ brew install zbar

Once that's done, we're good to go.

Setting up your first OTP

When you setup OTP for a website, you get given the QR code for your authenticator app to scan. To setup OTP from the command line we take the following steps:

  • Download the QR image
  • Use zbarimg to decode the URI of the QR code
  • Pass the URI to pass otp
  • OTP generation can now be done locally

First, grab the QR code provided by whatever system you're logging in to, download it and cd into the directory with that image.

Decode the QR code URI:

$ zbarimg download.png

This will output a URI that looks something like this (using Soundclound QR code as an example)

QR-Code:otpauth://totp/SoundCloud?secret={RANDOMALPHANUMERICSTRING}

We need to rip everything after QR-Code:, so: otpauth://totp/SoundCloud?secret={RANDOMALPHANUMERICSTRING}.

We now need to run our OTP command:

$ pass otp add soundcloud

soundcloud here is the name of our OTP entry for this service.

We will be prompted to add our otpath:// URI, add the URI from before.

Done!

Now anytime we are prompted by Soundcloud to add our OTP we simply run:

$ pass otp soundcloud

We'll get back a six digit OTP.

You could also automate this process with a shell script, i've created one over here.

No smartphone, no problem. This actually has a benefit of not pulling you out of your workflow and being distracted while working / doing whatever.