# Minimalist Multi-Factor Authentication

Or, Surviving Without a Phone

Amazon Web Services [recently announced](https://aws.amazon.com/jp/blogs/security/security-by-design-aws-to-enhance-mfa-requirements-in-2024/) mandatory Multi-Factor Authentication (MFA) for everyone. Their documentation suggested apps like Google Authenticator and Twilio Authy. Every application they listed was either proprietary or mobile-only. The only GUI option I found was [Open Authenticator](https://openauthenticator.app/), which, at the time of writing this post, wasn't available for Linux.

AWS MFA uses the Time-based One-Time Password (TOTP) algorithm. [pass-otp](https://github.com/tadfisher/pass-otp) is the answer: a lightweight CLI tool for generating those coveted 6-digit codes:
```
world/pass-otp
A pass extension for managing one-time-password (OTP) tokens.
```

## Installation

Via package manager:
```
$ sudo pacman -S pass-otp #Arch-based
$ sudo apt install pass-otp #Debian-based
$ sudo apt install pass-extension-otp #Debian-based
```

From source:
```
$ git clone https://github.com/tadfisher/pass-otp
$ cd pass-otp
$ sudo make install
```

Make a directory for the key:
```
$ cd
$ mkdir .totp
$ cd .totp
```

Once logged in to AWS, registering a virtual MFA device shows a secret key (a base32 string). Copy it to the clipboard and paste it in place of the 0's:
```
$ vim aws.txt
otpauth://totp/totp-secret?secret=000000000000000000000000000000000000000&issuer=totp-secret
```

Create an OpenPGP key pair. Personal information won't be necessary:
```
$ gpg --full-generate-key
<RSA>
4096
<Never expire>
Real Name: <single letter>
Email Address: <blank>
Comment: <blank>
<Create master password in GUI>
```

Find your new GPG ID:
```
$ gpg --list-secret-keys --keyid-format=long
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
[keyboxd]
---------
sec rsa4096/0000000000000000 2025-01-01 [SC]
0000000000000000000000000000000000000000
uid [ultimate] M
ssb rsa4096/0000000000000000 2025-01-01 [E]
```

Use the key ID found directly after `sec rsa4096/`:
```
$ pass init 0000000000000000
$ pass otp insert totp-secret < aws.txt
```

Generate the verification codes. TOTP codes rotate every 30 seconds by default, so running the command again returns the same code until the current window rolls over, then a new one:
```
$ pass otp totp-secret
123456
$ pass otp totp-secret #10 seconds later
654321
```
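To show what `pass otp` actually computes from the otpauth URI stored in aws.txt, here is an added Python implementation of RFC 6238 TOTP (example code, not part of pass-otp or the original post). It uses the RFC's public reference secret as a constructed example and also reports how long the current code stays valid.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

def parse_otpauth(uri: str) -> dict:
    """Split an otpauth://totp/... URI into its RFC 6238 parameters."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("expected an otpauth://totp/ URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("URI has no secret= parameter")
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer"),
        "secret": q["secret"].upper().replace(" ", ""),
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }

def decode_secret(secret: str) -> bytes:
    """Base32-decode the shared secret; AWS and most issuers omit the '=' padding."""
    return base64.b32decode(secret + "=" * (-len(secret) % 8), casefold=True)

def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, modulo 10^digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(uri: str, at=None) -> tuple:
    """RFC 6238: the counter is floor(unix_time / period), so the code stays the same for the
    whole window. Returns (code, seconds until the code changes)."""
    p = parse_otpauth(uri)
    now = int(time.time() if at is None else at)
    key = decode_secret(p["secret"])
    return hotp(key, now // p["period"], p["digits"], p["algorithm"]), p["period"] - now % p["period"]

# Constructed example: the RFC 6238 reference secret "12345678901234567890" in base32, written
# in the same URI shape the post stores in aws.txt (a placeholder, not a real AWS secret).
EXAMPLE_URI = "otpauth://totp/totp-secret?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=totp-secret"

if __name__ == "__main__":
    code, left = totp(EXAMPLE_URI)
    print(f"{code}  (valid for {left} more seconds)")
```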

If the browser session expires:
1. Log in to AWS again
2. Replace the key in aws.txt
3. Rerun the `pass otp insert totp-secret < aws.txt` command
4. Generate new codes

From now on, new logins will only require one code from `pass otp totp-secret`. Make an alias in `~/.bashrc` (an alias named `aws` shadows the AWS CLI binary if that is installed, so pick another name in that case):
```
$ vim ~/.bashrc
alias aws='pass otp totp-secret'
$ source ~/.bashrc
$ aws
123456
$
```

See [https://gist.github.com/angela-d/8b27670bac26e4bf7c431715fef5cc51](https://gist.github.com/angela-d/8b27670bac26e4bf7c431715fef5cc51) for migrating to another machine. Don't forget to copy `~/.totp` over as well.