Minimalist Multi-Factor Authentication

Or, Surviving Without a Phone

Amazon Web Services recently announced mandatory Multi-Factor Authentication (MFA) for everyone. Their documentation suggested apps like Google Authenticator and Twilio Authy. Everything they listed was either proprietary or mobile-only. The only GUI option I found was Open Authenticator, which, at the time of writing this post, wasn't available for Linux.

AWS MFA uses the Time-based One-Time Password (TOTP) algorithm. pass-otp is the answer: a lightweight CLI tool for generating those coveted 6-digit codes:

world/pass-otp
    A pass extension for managing one-time-password (OTP) tokens.

Installation

Via package manager:

$ sudo pacman -S pass-otp             #Arch-based
$ sudo apt install pass-otp           #Debian-based
$ sudo apt install pass-extension-otp #Debian-based

From source:

$ git clone https://github.com/tadfisher/pass-otp
$ cd pass-otp
$ sudo make install

Make a directory for the key:

$ cd
$ mkdir .totp
$ cd .totp

AWS displays a secret key once you are logged in and add a virtual MFA device. Copy it to the clipboard and paste it in place of the 0's in the otpauth URI:

$ vim aws.txt
otpauth://totp/totp-secret?secret=000000000000000000000000000000000000000&issuer=totp-secret

Create an OpenPGP key pair. Personal information won't be necessary:

$ gpg --full-generate-key
<RSA>
4096
<Never expire>
Real Name: <single letter>
Email Address: <blank>
Comment: <blank>
<Create master password in GUI>

Find your new GPG ID:

$ gpg --list-secret-keys --keyid-format=long
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
[keyboxd]
---------
sec   rsa4096/0000000000000000 2025-01-01 [SC]
      0000000000000000000000000000000000000000
uid                 [ultimate] M
ssb   rsa4096/0000000000000000 2025-01-01 [E]

Use the key ID found directly after sec rsa4096/:

$ pass init 0000000000000000
$ pass otp insert totp-secret < aws.txt

Generate the verification codes. Codes change every 30 seconds; once the current window ends, run the command again to get a new code:

$ pass otp totp-secret
123456
$ pass otp totp-secret #10 seconds later
654321

If the browser session expires:

  1. Log in to AWS again
  2. Replace the key in aws.txt
  3. Rerun the pass otp insert totp-secret command
  4. Generate new codes

From now on, new logins will only require one code from pass otp totp-secret. Make an alias in .bashrc:

$ vim ~/.bashrc
alias aws='pass otp totp-secret'
$ source ~/.bashrc
$ aws
123456
$

See https://gist.github.com/angela-d/8b27670bac26e4bf7c431715fef5cc51 for migrating to another machine. Don't forget to copy ~/.totp over as well.