A Python OATH implementation.
OATH is the Initiative for Open Authentication — not to be confused with OAuth, the Open Standard to Authorization, which is an entirely different paradigm.
Pyoath implements the HOTP Algorithm defined in RFC 4226, published in December of 2005, and the TOTP Algorithm defined in RFC 6238, published in May of 2011. It has been designed for both the client- and server-sides of two-factor authentication systems.
- Python >= 2.7, 3.4, 3.5, 3.6
For Users:
pip install pyoath
For Developers:
git clone git@github.com:markgollnick/pyoath.git cd pyoath python setup.py build install # Alternatively... python setup.py sdist pip install dist/pyoath-*.tar.gz
Once installed, you can use it as a script (that is, on the client-side)…
$ pyoath -h usage: pyoath.py [-h] [--google] [--loop] secret positional arguments: secret shared secret [file] between client and server optional arguments: -h, --help show this help message and exit --google Google Authenticator mode (assumes secret is encoded in base32) --loop start an authenticator instance that will continue until killed
…or, you can use it as a library (that is, on the server-side):
>>> import pyoath >>> pyoath.HOTP(b'secret', 0) '814628' >>> pyoath.HOTP(b'secret', 1, Digit=8) '28533881' >>> pyoath.TOTP(b'secret') '123456' >>> pyoath.TOTP(b'secret', Digit=8) '12345678' >>> import hashlib >>> pyoath.TOTP(b'secret', Digit=8, Mode=hashlib.sha512) '87654321'
Since most services provide their users with two-factor secret keys in the form of scannable QR Codes, you might be interested in the following utilities:
- Open Source QR Code Library, a CLI tool written in Java to read QR Codes
- pyqrcode, a Python library offering bindings based on the above Java tool
- BarCapture, a GUI tool written in Java to extract the data from QR Codes
- Special thanks to James Cuff for the Java-based Google Authenticator Desktop Client, which inspired this project.
- Special thanks to Yusuke Yanbe for the Open Source QR Code Library.
- Special thanks to Pierre G. Richard of Jaxo Systems for the BarCapture tool, and for his work with barcode interpretation on mobile platforms.
- Special thanks to OpenSSH for the bold notice about poor file access bits.
- Special thanks to AJ for the padlock icons.
THIS IS A PROOF-OF-CONCEPT.
It is *NOT* recommended that you store your two-factor authentication secret keys on your hard-disk, as this significantly recudes most semblances of security that two-factor authentication provides. The whole point of two-factor authentication is that a would-be attacker must jump through two separate hoops:
- (S)he must crack (or glean through hacking, social engineering, etc.) your password or passphrase to the system or service.
- (S)he must gain access to the device containing your two-factor secret key, which is usually your mobile phone, or a key fob which you should have on your person at all times.
Since it’s likely that the computer you use to log into your other systems and online services has its own form of password caching and/or storage, storing a second secret key somewhere on the machine nullifies this idea of device separation, and makes it that much easier for a would-be attacker to gain access to things they shouldn’t.
As it says in the license:
In other words, use this software — wisely, or unwisely — at YOUR OWN RISK.
Now that that’s out of the way… however you choose to go about it, you should still
Two.
Boost Software License, Version 1.0: <http://www.boost.org/LICENSE_1_0.txt>