2FA on the command line

There is no shortage of OTP 2FA apps availiable for your phone, such as Google Authenticator or Duo Mobile. These apps take an initial secret code, and create a TOTP anytime you need a 2FA code for login. It’s also possible to do 2FA on the CLI. Some advantages:

  1. Easy to add, maintain, and backup with a simple key=val text file
  2. Copy/Paste is easier than typing digits displayed on your phone
  3. No issues with being locked out due to dead/lost/new phones

This is accomplised with a utility named oathtool. It can be installed on Debian/Ubuntu via: apt install oathtool. I use a helper script as well as a file of initial secrets.


#!/usr/bin/env bash
if [ -z $1 ]; then
  echo "Usage:"
  echo "   otp google"
  echo "Configuration: $HOME/.otpkeys"
  echo "Format: name=key"
OTPKEY="$(sed -n "s/${1}=//p" $HOME/.otpkeys)"
if [ -z "$OTPKEY" ]; then
  echo "$(basename $0): Bad Service Name '$1'"
oathtool --totp -b "$OTPKEY"


aws={secret code}
google={secret code}

Getting a 2FA code:

$ otp aws

Send Them to Mir

A random collection of fungi and dust mites. Possibly some DevOps related stuff.

External Links

  1. GitHub
  2. LinkedIn