
Comment by jvanderbot

2 days ago

You should try a CLI-based workflow for 2FA. As long as you can exfiltrate the secret (and you often can by pretending you can't scan QR codes), then you can use oathtool to generate passcodes.

1. use 'pass' to save the secret: 'pass edit work.secret' <enter it and quit>

2. use oathtool to generate 2fa given a secret:

    #!/bin/bash
    # usage: 2fa <name>   (reads the TOTP secret from the pass entry <name>.secret)
    oathtool -b --totp "$(pass show "$1.secret")"

use it like '2fa work'

If you have 'xsel' you can even do

    oathtool -b --totp "$(pass show "$1.secret")" | xsel -ib

to copy it to clipboard automatically.

Even if you only have the QR code, you can download the image or screenshot it and then extract the secret without ever having to use a smartphone by using zbarimg and then manually extracting the secret from the URI:

    sudo apt-get install zbar-tools oathtool
    zbarimg qr-2fa-code.png


Output:

    QR-Code:otpauth://totp/username?secret=ABCDEFSECRET012349BASE32&period=30&digits=6

If you have some 2FA that you need to enter 10 times per day, then you can also add a global shortcut to automatically paste it. Of course, this undermines the "second device" security. Some PC password managers also support 2FA, e.g. https://github.com/paolostivanin/OTPClient (sudo apt install otpclient)

  • I have this little one-liner mapped to a hotkey combo:

    `bash -c 'xfce4-screenshooter -r -o zbarimg | gxmessage -title "Decoded Data" -fn "Consolas 12" -wrap -geometry 640x480 -file -'`

    Works great if you have xfce4-screenshooter, gxmessage, and zbarimg installed. It allows you to draw a box around a screen region, screenshots it, decodes it via zbarimg, and pipes the output into a dialog box with copyable text.

Just to add, 'pass' has an otp extension to simplify this a bit [1]

With that, you can do

    $ zbarimg -q --raw qrcode.png | pass otp insert <some-name>
    $ pass otp <some-name>  # or pipe to xsel

[1] https://github.com/tadfisher/pass-otp

  • Heh, I use pass like this; but it's on my (Pine)Phone, so it doesn't solve the parent's original problem ;-)

    Although the nice thing about CLI workflows is that I can easily run it by SSHing into my phone (just make sure you set up GPG so the passphrase prompt will appear in your terminal, and not as a popup on the phone!)

We also have Microsoft authentication that displays a number in the browser and asks you to enter it on the device! :-(

  • My company also uses MS auth + 2FA for everything. Even signing into corporate G-suite :-). But I do not like the Microsoft Authenticator - I previously had issues where it would not show the number - and I was able to switch to a different TOTP provider. It's a bit buried in the menus but possible.

  • Unless they have explicitly disabled it, even M365 has the option to add a TOTP 2FA method. Might be worth double checking.