Golang secure storage for your 2FA secret from your terminal.

gotp has only been tested on Mac OS X (Mojave). It requires specific installation to be used with pass on Linux.

Modern web services offer a 2-factor authentication as a complement of the traditional login/password method. This brings an additional security level, based on the Time-based One-Time Password (TOTP), because even if a user's traditional password is stolen or compromised, an attacker cannot gain access without the TOTP, which expires quickly.

A time-based one-time password (TOTP) is a temporary passcode generated by an algorithm that uses the current time of day as one of its authentication factors.

The TOTP specification (RFC-6238) describes the TOTP algorithm, as an time-based variant of the One-Time Password (OTP), namely the HMAC-based One-Time Password (HOTP) algorithm.

The TOTP is basicaly a hash-mac token computed from a shared key (generaly randomky generated) and seed with a 30-second valid timestamp. Lot's of mobile applications can provide such a service (Google Authenticator, ...)

When you wish to log into a 2FA protected service, you are asked to provide your credentials (login/password) then to enter the TOTP displayed on the application. The web service computed the same TOTP and make sure they are equal.

I started using this security feature long time ago, and was happy using the Google Authenticator application on my mobile phone. Until I realized I forgot to export all the secret keys I use every day at work on my new phone, and was unable to connect to AWS console for a day.

That day, I wish I had a backup solution on my laptop. Then I started to wonder how I could implement a desktop application with a secure storage backend.

Get the version for your OS here: download

go get -u github.com/jtbonhomme/gotp/cmd/gotp

In order to use the pass backend, you need to initialize it and specify which GPG encryption identity to use. For further informations, see the pass manual.

1 - find your GPG ID gpg --list-secret-keys --keyid-format LONG

uid                 [ultimate] you <you@rocks.com>
ssb   rsa4096/DF5E537CC91EF1CA 2020-03-06 [E]

2 - initialize the backend pass init DF5E537CC91EF1CA

All secrets will be stored under the root folder username:mfa

The shared secret shall be in the base-32 format.

gotp add -key=gmail -value=KZAUYVKFGA======

The code read is copied to the clipboard.

gotp get -key=AWS
code: 585146 (copied to clipboard)

gotp list

gotp del -key=gmail

gotp uses the keyring library to securely store the secret used to compute Time based OTP.

• Add an update function, to change key name
• Add tests on different OS.

gotp accepts Pull Requests! Feel free to add your own features, improve documentation or add tests.

$ make test

You can use act to execute locally your github actions. This tool relies on docker to run workflow jobs.

$ act -l
ID       Stage  Name              
build    0      GoReleaser build
release  0      Semver release
test     0      test
$ act -j test

• https://godoc.org/github.com/99designs/keyring
• https://tools.ietf.org/html/rfc6238
• https://medium.com/@n.moretto/two-factor-authentication-with-totp-ccc5f828b6df