A centralized totp solution based on google-authenticator

Author: mricon@kernel.org
Copyright: Konstantin Ryabitsev and contributors
Version: 0.6.0


The idea of totpcgi (pronounced "Toopy-CGI") came from lamenting that the google-authenticator implementation is "almost there" as a generic org-wide 2-factor solution, but is annoyingly written as a one-secret-per-service (or per-host) solution. Thus totpcgi was born: it uses files generated by google-authenticator and serves them from a central installation.

It is intended to be used with pam_url.


  1. Fully interoperable with Google-Authenticator
  2. Uses Google-Authenticator-generated secret files
  3. Supports pincodes (i.e. users log in with 'usercode555555')
  4. Supports a file-based state backend for non-redundant installations and PostgreSQL for load-balanced setups.
  5. Supports encrypting the Google-Authenticator master secret with the user's pincode.
  6. Supports web-based provisioning to generate Google-Authenticator compatible files (or database entries).
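
The pincode feature in item 3 means the server receives one string and has to split it into a pincode and a 6-digit token before checking each. The sketch below is an added example, not totpcgi's own code: the function names, the user record layout and the PBKDF2 pincode hash (a standard-library stand-in for the bcrypt hash listed in the requirements) are assumptions, and the secret is the RFC 6238 test key.

```python
import base64, hashlib, hmac, struct

TOKEN_DIGITS = 6  # google-authenticator's default token length

def totp(secret_b32, at, step=30, digits=TOKEN_DIGITS):
    """RFC 6238 TOTP over HMAC-SHA1, the scheme google-authenticator uses."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(at) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_pincode(pincode, salt):
    # Assumption: PBKDF2 stands in for bcrypt so the example needs no extra packages.
    return hashlib.pbkdf2_hmac("sha256", pincode.encode(), salt, 100_000)

def split_credential(credential):
    """Split 'pincode' + 6-digit token; reject input missing either part."""
    pincode, token = credential[:-TOKEN_DIGITS], credential[-TOKEN_DIGITS:]
    if not pincode or len(token) != TOKEN_DIGITS or not (token.isascii() and token.isdigit()):
        raise ValueError("expected a pincode followed by a 6-digit token")
    return pincode, token

def verify(credential, user, now, window=1):
    """True only if both the pincode and the token are valid at time `now`."""
    try:
        pincode, token = split_credential(credential)
    except ValueError:
        return False
    # Evaluate both factors before answering so a failure does not reveal which one was wrong.
    pin_ok = hmac.compare_digest(hash_pincode(pincode, user["salt"]), user["pin_hash"])
    token_ok = any(
        hmac.compare_digest(totp(user["secret"], now + i * 30), token)
        for i in range(-window, window + 1)  # tolerate one step of clock drift
    )
    return pin_ok and token_ok

# Constructed sample user record; the secret is base32 of the RFC 6238 test key.
SALT = b"constructed-salt"
USER = {"secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", "salt": SALT,
        "pin_hash": hash_pincode("usercode", SALT)}
```

This sketch keeps no record of tokens already accepted, so it does not by itself reject a token replayed within its validity window.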


  1. pyotp
  2. google-authenticator to generate the .totp files by hand
  3. flup (for .fcgi only)
  4. psycopg2 (for PostgreSQL backend support)
  5. py-bcrypt (for pincode support using bcrypt)
  6. pycrypto and passlib (for encrypted-secret support)
  7. pam_url (for PAM support)
  8. python-qrcode (for provisioning support)
  9. MySQL-python (for MySQL backend support)

All of these dependencies are in EPEL for RHEL 6.



Please open an issue on GitHub: https://github.com/mricon/totp-cgi/issues