A time-based one-time password (TOTP) code generator written in Go. A command-line interface that's like Google Authenticator or Authy for your Windows, macOS, or Linux machine.
It generates TOTP codes used for two-factor authentication at sites such as Google, GitHub, Dropbox, PayPal, Amazon, and many more.
Warning Every copy of your two-factor credentials increases your risk profile. Using this utility is no exception. This utility will store your TOTP secrets unencrypted on your filesystem. The only protection offered is to store these secrets in a file readable by only your user and protected by the operating system only.
Add TOTP secrets to the TOTP configuration file with the config add option, specifying the name and secret value. Note the secret names are case sensitive.
totp config add mysecretname NV4XGZLDOJSXICQGenerate TOTP codes using the totp command to specify the secret name. Note that because totp reserves the use of the words config and version for commands, don't use them to name a secret. If you've generated and installed totp completions for for your shell, pressing tab on a partially completed secret name will trigger autocomplete.
totp mysecretnameList the secret entries with the config list command.
totp config listAliases are ls and l.
Update secret entries using the config update command. Note that config update and config add are actually the same command and can be used interchangeably.
totp config update mysecretname NV4XGZLDOJSXICQRename the secret entries with the config rename command
totp config rename mysecretname mynewnameAliases are ren and mv.
Delete secret entries with the config delete command
totp config delete mynewnameAliases are remove, erase, rm, and del.
Remove all the secrets and start over using the config reset command
totp config resetUse an ad-hoc secret to generate a code by using the --secret option
totp --secret NV4XGZLDOJSXICQContinuous code output can be generated with the --follow option.
totp --follow mysecretnameUse a QR Code to move an entry into your mobile device.
totp --qrcode mysecretnamewill output a QR code suitable for scanning into a mobile device app such as Google Authenticator or Authy.
A one-off QR code can also be generated by providing both the name and the secret, for example:
totp --qrcode --secret NV4XGZLDOJSXICQ mysecretnameFor help on any of the above, use the --help option. Examples are
totp --help
totp config --helpShell completion can be enabled by using the completion command.
Bash
. <(totp completion bash)Powershell
. totp completion powershell | Out-String | Invoke-ExpressionThe location for saved data is extracted from the LOCALAPPDATA environment variable in Windows and the HOME environment for Linux/MacOS and in the file totp-config.json. This can be customized using the --file option or by setting the TOTP_CONFIG environment variable.
totp implements the --time, --forward, and --backward options to manipulate the time for which the TOTP code is generated. This is useful if totp is being used on a machine with the incorrect time.
The --time option takes an RFC3339 formatted time string as its argument and uses it to generate the TOTP code. Note that the --forward and --backward options will internally modify this option value.
Examples with --time:
$ date '+%FT%T%:z'
2019-06-01T19:58:47-05:00
$ totp --time $(date '+%FT%T%:z') --secret NV4XGZLDOJSXICQ
931665
$ totp --time 2019-06-01T20:00:00-05:00 --secret NV4XGZLDOJSXICQ
526171The --forward and --backward options move the current time forward and backward by their duration formatted arguments. See Go's time.ParseDuration() documentation for more details on this format.
Examples with --forward and --backward
$ totp --time 2019-06-01T20:00:00-05:00 --backward 3m --secret NV4XGZLDOJSXICQ
222296
$ totp --time 2019-06-01T20:00:00-05:00 --forward 30s --secret NV4XGZLDOJSXICQ
820148The --follow option is also compatible with the time machine.
totp --time 2001-10-31T20:00:00-05:00 --follow --secret NV4XGZLDOJSXICQ
877737
208737If storing secrets in the clear isn't ideal for you, totp supports streaming the shared secret collection through stdin and stdout with the --stdio option. This allows you to roll your own encryption or support other methods of maintaining shared secrets.
The totp <secret name> and totp config list commands support loading the collection via standard input. The
totp config update, totp config delete, and totp config rename commands support loading via standard input and sending the modified collection to standard output. Experiment with the --stdio option to observe how this works.
Note the --file option can achieve the same results as this example. This is meant to teach how stdio works with totp.
Create a collection
totp config add --stdio secretname myvalue < /dev/null > totp.jsonView the collection
totp config list --stdio < totp.jsonGenerate a TOTP code
totp secretname --stdio < totp.jsonUsing what was learned above, a contrived example for encrypting data with GnuPG follows.
Create an encrypted collection
totp config add --stdio secretname myvalue < /dev/null | \
gpg --batch --yes --passphrase mypassphrase --output totp-collection.gpg --symmetricView the collection
gpg --quiet --batch --passphrase mypassphrase --decrypt totp-collection.gpg | \
totp config list --stdioAdd another secret
gpg --quiet --batch --passphrase mypassphrase --decrypt totp-collection.gpg | \
totp config add --stdio newname newvalue | \
gpg --batch --yes --passphrase mypassphrase --output totp-collection.gpg --symmetricView the modified collection
gpg --quiet --batch --passphrase mypassphrase --decrypt totp-collection.gpg | \
totp config list --stdioGenerate a TOTP code
gpg --quiet --batch --passphrase mypassphrase --decrypt totp-collection.gpg | totp --stdio secretnametotp is mostly developed using Go 1.19.x on Debian based systems. Only go is required but to use the automated actions the Makefile provides, make must be installed.
To build everything:
git clone https://github.com/arcanericky/totp.git
cd totp
makeFor unit tests and code coverage reports:
make testThe coverage is output to coverage.html. Load it in browser for review. For example:
/opt/google/chrome/chrome file://$PWD/coverage.htmlTo build for a single platform (see the Makefile for the different targets)
make linux-amd64See the Makefile for how to use the go command natively.
Contributions and issues are welcome. These include bugs reports and fixes, code comments, spelling corrections, and new features. If adding a new feature, please file an issue so it can be discussed prior to implementation so your time isn't wasted.
Unit tests for new code are required. Use make test to verify coverage. Coverage will also be checked with Codecov when pull requests are made.
My ga-cmd project is more popular than I expected. It's basically the same as totp with a much smaller executable, but the list of secrets must be edited manually and there aren't as many command line options. This totp project allows the user to maintain the secret collection through the totp command line interface, run on a variety of operating systems, and gives me a platform to practice my Go coding.
This utility uses the otp package by pquerna. Without this library, I probably wouldn't have bothered creating this front-end.