logo

gertjanassies.dev


ramblings of a chaotic mind

TOTP Exercise

on 2021-06-10 by Gertjan Assies reading time 0 min, viewed 16 times, read 0 times, liked 0 times

TOTP Exercise

TOTP stands for Time-based One Time Password and is an algorithm that most MFA (Multi-Factor Authentication) devices use

for obvious security reasons, I have set up MFA on all accounts that support it. but this can be a bit cumbersome in some situations.

Especially when you are working with Serverless applications on AWS. I work a lot with Cloudformation and SAM but that does mean that during the day I’ll be typing in MFA codes a lot.

As an exercise, I wanted to see if I could get those codes visible without having to resort to the Google Authenticator app.

What if I could have that code show up in the touch bar on my mac.
I know, I know MFA needs to be another device! so a disclaimer:

What is described below will lower the security of your system and your accounts: do so at your own risk!

but if I would do this, at least I would need to do the following:

  • use sudo to enable it and disable it automatically after a certain amount of time.
  • only shows it in the touch bar after pressing a secret key combination.
  • store any secrets in the keychain.

I’m already using a tool called BetterTouchTool that allows customisation of the touch bar on my mac.

so first of all how do we get that code?

Whenever you add an application to for instance Google Authenticator, you have to scan a QR Code. this QR Code contains a secret if you would scan that with a normal QR code scanner you will get this URL with a secret param: (the account and secret are replaced by placeholders here)

otpauth://totp/Amazon%20Web%20Services:[account]?secret=[secret]&issuer=Amazon%20Web%20Services

Now here you can see that it uses TOTP (Timebase One Time Password) which is an extension to HOTP (HMAC-Based One Time Password)

to summarize really quickly:

HOTP uses a hash algorithm to create a digest from the secret and a counter) TOTP introduces a time-based component for the counter (the counter is x second (default is 30) steps counted from the epoch)

Now Python has an OTP library that can create the MFA code from that secret.

#!/usr/bin/env python3import pyotp  
import syssecret = sys.argv[1]  
totp = pyotp.TOTP(secret)  
print(totp.now())

This will when you give it a secret return the 6 digit code

To not have the secret in my scripts I’ve added it to the keychain with

security add-generic-password -a [account] -s totp-exercise -w [secret]

and retrieve it again in a bash script

#!/bin/bash  
me=`whoami`  
secret=`security find-generic-password -a $me -s totp-exercise -w`  
echo `python3 [path]/get_code.py $secret`

so now I have something I can call from BetterTouchTool:

In BetterTouchTool you can create a button (widget) and then run an AppleScript when started and another one when you press the button, you can also define a key combination to only show it when pressed.

so when starting it It will run this AppleScript: it will execute the script and set the text property with the result to have it shown as the button text

set code to do shell script "/Users/[account]/btt_scripts/code_aws.sh"  
return "{\"text\":\"" & code & "\"}"

when pressed it gets the latest code again but now put the code on the clipboard

set code to do shell script "/Users/[account]/btt_scripts/code_aws.sh"  
set the clipboard to code as text

To conclude with the pytotp library it is trivial to build your own google authenticator application.

Now that I’ve “proofed the concept” I will remove it again!

And focus on getting this to run on an embedded device, for instance on an M5 Stack which has an ESP32 controller and a screen. although this will probably mean I have to port the python library to C, as I haven’t found any libraries that work with the AWS secret, just some abandoned projects that tried to do the same.
But that’s another story

Opinions expressed here are my own and not the views of my employer or anyone else, (re)use is free, but quoting the source is appreciated.
This blog is licensed under a Creative Commons Attribution 4.0 International License. © 2023 by Gertjan Assies