TOTP Hack (Google Authenticator)

Santhosh Kumar
May 16, 2021


I use a VPN for access to my work network. It uses TOTP as the second factor. I connect to and disconnect from the VPN at least 10 times a day, and every time I connect I need to open the Google Authenticator app on my phone to get the OTP. That is not a problem in itself, but it gets tedious 10 times a day, and for me the phone is a productivity black hole, so I try to keep away from it.

In this article I describe a way to generate TOTP codes on your own machine for convenience. Be clear about what this costs you: once the TOTP secret lives on the same machine you type the password on, the "second factor" is just a second file on that machine, and anyone who compromises it gets both factors at once. That is not secure in general, so I do not recommend doing this for important credentials.

To start with, what is TOTP? It stands for Time-based One-Time Password: an algorithm (RFC 6238) that produces a code as a function of the current time and a shared secret. When you register an account in Google Authenticator, the QR code hands that secret to the app; the app then combines the secret with the current time, in 30-second steps by default, to produce a 6-digit (configurable) code. Nothing about this is tied to the phone, so the same computation can be done anywhere you have the secret, including your terminal. The steps below show how.

Step 1: Decode the QR code you used when registering with Google Authenticator. Scanning it with your phone's camera (most Android and iPhone cameras decode QR codes directly) gives you the link text. Note that you need the original enrollment QR code or setup key: the service normally shows the secret only at enrollment, so if you no longer have it you will have to re-enroll, which generates a new secret. The decoded string looks like the line below; the label and issuer may be URL-encoded, and the URI may also carry optional digits, period and algorithm parameters if the service uses non-default settings.

otpauth://totp/<label>?secret=<secret>&issuer=<issuer>

Step 2: Install oath-toolkit. I'm on a Mac and use Homebrew, so I installed it with brew:

brew install oath-toolkit

Step 3: Run the command below with the secret from step 1 and check that the printed OTP matches the one Google Authenticator shows. If it does not, either your machine's clock is off or the URI specified non-default settings; oathtool has --digits and --time-step-size for those, and --totp=sha256 or --totp=sha512 if the algorithm is not SHA-1.

oathtool --base32 --totp "<secret>"

Step 4: (Optional) Step 3 already does what you came for; this step and the next make it more convenient for regular use. They do not make it any more secure.
Create a .sh file containing the line below, make it executable (chmod +x), set its default opening application to Terminal (Finder, Get Info, Open with) and keep it somewhere easy to reach. Opening the file puts the current OTP on your clipboard; paste it wherever required.

oathtool --base32 --totp "<secret>" | tr -d '\n' | pbcopy

Step 5: (Optional) I have a nice mouse with customisable buttons, so I mapped one of them to run this file and then hid the file with the command below. You can equally map the script to a keyboard shortcut or any other accessibility feature at your disposal. Keep in mind that chflags hidden only hides the file from Finder; it is not protection. Any process running as your user can still read the plaintext secret from the script, which is exactly the risk described in the introduction. If you want the secret out of a plaintext file, a password manager or the macOS Keychain is a better place to keep it.

chflags hidden <file name>.sh


Written by Santhosh Kumar

Software Engineer at Microsoft, Ex AWS
