A Google Authenticator replacement for OS X CLI
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.



I was increasingly annoyed with having to unlock my phone, launch Google Authenticator and type in the code to the web page every time I was prompted with a Two Factor Authentication screen. I wanted a CLI tool to do the same thing on my Mac. For a long time, I've used oathtool combined with a shell script that I'd keep adding my TFA keys to. That obviously was very insecure and I was wondering if I could use Keychain since it can be used to store various secure credentials.

So long story short, one evening in Nov 2014, I sat down to code a Ruby based tool to offload key storage to Keychain and authentic was born.


Install the tool by running:

$ gem install authentic

(you might need to put a sudo in front of that command if your Ruby installation requires it)


Once installed, the command should be available on the PATH so you can type:

$ authentic help

which should print out something like this:

$ authentic help
Authentic commands:
  authentic add NAME SECRET_KEY [LABEL]  # Add a new TOTP key
  authentic delete NAME                  # Delete a TOTP key
  authentic generate                     # Generate TOTP codes
  authentic help [COMMAND]               # Describe available commands or one specific command

In order to start using the tool, you first need to find your TFA key for the service that you are trying to add. This could be tricky for some services, but this code is actually what is encoded by the QR code displayed in most services. So click around (or view source) to try to find your TFA key, remember it will only be displayed the first time you setup TFA for the service.

Once you have your TFA key in hand, adding it to authentic is as simple as:

$ authentic add MyService qwdrft6789jkh
✓ Service MyService added to keychain

Now you can simply type:

$ authentic

to generate your codes. If you have a single service registered, the generated code will be automatically copied to the clipboard (if you don't want that run the command with the -s flag, as in authentic -s). If you have more than one service registered, the tool will prompt you to select a key number to copy. At this point you can enter the key number you want to copy or just press Enter to exit the tool without copying anything.


I am not a security expert and haven't had any security experts vet this tool. Use it at your own risk, I won't take any responsibility for anything that happens to you as a result of using this tool.

If you feel (or even better know) that I am doing something wrong, please create an Issue or submit a Pull Request.


  1. Fork it ( https://github.com/paracycle/authentic/fork )
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create a new Pull Request