Generating 2FA Authentication Code From the Linux CLI

Two-factor authentication (2FA) is a security process that requires two forms of identification to access an account. This provides an extra layer of protection against unauthorized access, even if a hacker or cybercriminal gains access to a user's password. Some reasons why using 2FA is important for accessing your online accounts are:

• Protection against password theft: 2FA makes it more difficult for hackers to access your account by requiring a second factor of authentication. Even if a hacker gains access to your password, they will not be able to access your account without the second form of authentication typically or preferably on a secondary platform.
• Preventing unauthorized access: 2FA makes it more difficult for unauthorized users to access your account, even if they know your password.
• Reducing the risk of identity theft: 2FA helps protect your personal information by making it more difficult for someone to gain unauthorized access to your account and steal your identity.
• Meeting regulatory requirements: Many organizations are required to use 2FA as part of regulatory compliance measures.

However, if you don't want to use the Google Authenticator or Authy app on your iPhone or Android phone, which generate two-step authentication/verification (2FA) codes, there is a way to generate 2FA codes for popular websites like Gmail, Twitter, Facebook, Amazon, and others from the Linux command line. Here's how.

A computer algorithm known as Time-based One-time Password (TOTP) uses CLI or GUI applications on your system to generate a one-time password (OTP). To safeguard your online accounts from hackers (black hats), the mobile apps generate secure two-step verification codes. You receive an additional level of protection. For each login, you must enter 2FA codes, when prompted, in addition to your password. In this article, I'll explain how to protect your Gmail and other online accounts using oathtool OTPs (one-time passwords) in Linux. Verification codes can be obtained for free from the oathtool Linux command instead of having to receive text messages or using a mobile authenticator like Google Authenticator. I'll also show you how to activate this 2FA process and set it up on a USB key that you might have lying around. This USB key (not to be confused with a YubiKey) will be your secondary platform for generating the 6-digit 2FA codes needed to access your online accounts. When you want to access your Twitter account, for instance, you would simply insert your USB key into your Desktop PC, log into your Twitter account using your username/password, then, when prompted for the 2FA OTP, you run a command from your USB key, enter your passphrase, and your 6-digit code appears which you then use to copy and paste or manually enter into the 2FA prompt via your online account and you're in. 

The following process for creating your 2FA USB key is compatible with Fedora, RHEL, Arch, Debian, Ubuntu, SuSE, and OpenSuSE Linux. You'll need a Desktop PC or Laptop, a spare USB key with at least 8GB of storage space, an online account you wish to setup with 2FA that supports TOTP, a fair amount of Linux knowledge, and access to a Linux Terminal.

Step 1:

Installing gpg2 oathtool

To install oathtool and gnupg2, two packages that you will need to create your 2FA USB Key, open the Linux Terminal on your distro of Linux and run the following command:

Fedora:

$ sudo dnf install oathtool gnupg2

RHEL:

Enable the EPEL Repo, then run the command:

$ sudo yum install oathtool gnupg2

Debian / Ubuntu:

$ sudo apt update

$ sudo apt upgrade

$ sudo apt install oathtool gnupg2

SuSE / OpenSuSE:

$ sudo zypper ref

$ sudo zypper in oath-toolkit gpg2

Once you've verified that oathtool and gnupg2 have successfully installed, move on to Step 2.

Step 2:

Linux 2-Step/Factor Authentication Using oathtool

To generate the TOTP using oathtool, run the following command:

oathtool -b --totp 'private_key'

When 2FA is enabled for online services like Google/Gmail, Twitter, Facebook, Amazon, PayPal, bank accounts, and so on, the private_key is typically only displayed once. You are not permitted to share your private_key with anyone. A sample session that generates code for my personal Twitter account is provided here.

$ oathtool -b --totp 'can U Gue55 My seCret Pa55w0rd?'

A sample output provided was:

714552

Step 3:

Generating 2-Step Authentication Code From the Command-Line

If you don't have an existing gpg key, then run the following command:

$ gpg2 --full-gen-key

Follow the prompts for selecting the kind of key that you want to generate (I chose RSA and RSA default), the key size (I selected 3072), how long you want the key to last (I selected 0 for 'never expires'), responded "Y" when asked if the information was correct, provided my real name, provided my desired email address, entered a comment stating the purpose for the USB key, verified my USER-ID information was correct, then entered 'O' and pressed Enter to indicate that the information was (O)kay. When prompted for a passphrase, enter a strong passphrase that you will be able to remember.

Step 4:

Creating Some Directories and Helper Scripts

Create the following directory and cd into it:

$ mkdir ~/.2fa/
$ cd ~/.2fa/

list your existing GPG keys including GnuPG user id and key id, by running:

$ gpg --list-secret-keys --keyid-format LONG

Create the following shell helper script called 

encrypt.key.sh

using the nano text editor. Add the following contents to the file and modify it where necessary:

#!/bin/bash
# Purpose: Encrypt the totp secret stored in $dir/$service/.key file
# Author: Vivek Gite {https://www.cyberciti.biz/} under GPL v 2.x or above
# --------------------------------------------------------------------------
# Path to gpg2 binary
_gpg2="/usr/bin/gpg2"
 
## run: gpg --list-secret-keys --keyid-format LONG to get uid and kid ##
# GnuPG user id 
uid="YOUR-EMAIL-ID"
 
# GnuPG key id 
kid="YOUR-KEY"
 
# Directory that stores encrypted key for each service 
dir="$HOME/.2fa"
 
# Now build CLI args
s="$1"
k="${dir}/${s}/.key"
kg="${k}.gpg"
 
# failsafe stuff
[ "$1" == "" ] && { echo "Usage: $0 service"; exit 1; }
[ ! -f "$k" ] && { echo "$0 - Error: $k file not found."; exit 2; }
[ -f "$kg" ] && { echo "$0 - Error: Encrypted file \"$kg\" exists."; exit 3; }
 
# Encrypt your service .key file 
$_gpg2 -u "${kid}" -r "${uid}" --encrypt "$k" && rm -i "$k"

Next, create a shell helper script called

decrypt.key.sh

using the nano text editor. Add the following contents to the file and modify it where necessary:

#!/bin/bash

# Purpose: Display 2FA code on screen

# Author: Vivek Gite {https://www.cyberciti.biz/} under GPL v 2.x or above

# --------------------------------------------------------------------------

# Path to gpg2 binary

_gpg2="/usr/bin/gpg2"

_oathtool="/usr/bin/oathtool"

## run: gpg --list-secret-keys --keyid-format LONG to get uid and kid ##

# GnuPG user id 

uid="YOUR-EMAIL-ID"

# GnuPG key id 

kid="YOUR-KEY"

# Directory 

dir="$HOME/.2fa"

# Build CLI arg

s="$1"

k="${dir}/${s}/.key"

kg="${k}.gpg"

# failsafe stuff

[ "$1" == "" ] && { echo "Usage: $0 service"; exit 1; }

[ ! -f "$kg" ] && { echo "Error: Encrypted file \"$kg\" not found."; exit 2; }

# Get totp secret for given service

totp=$($_gpg2 --quiet -u "${kid}" -r "${uid}" --decrypt "$kg")

# Generate 2FA totp code and display on screen

echo "Your code for $s is ..."

code=$($_oathtool -b --totp "$totp")

## Copy to clipboard too ##

## if xclip command found  on Linux system ##

type -a xclip &>/dev/null

[ $? -eq 0 ] && { echo $code | xclip -sel clip; echo "*** Code copied to clipboard too ***"; }

echo "$code"

# Make sure we don't have .key file in plain text format ever #

[ -f "$k" ] && echo "Warning - Plain text key file \"$k\" found.

Step 5:

Adding a Service to Your USB Key

To add a service to your USB key, perform the following steps (in this example, I'll add my Twitter account):

1. Log in to your online Twitter service and look for the Authenticator 2FA app. In this example, let us set up the Twitter account 2FA using the Linux command line app.
2. Copy the totp secret from the Twitter account. If a QR Code appears, select the option for a totp rather than a QR Code. The totp will appear.
3. Create a new service directory: mkdir ~/.2fa/twitter.com
4. Make a new .key file: echo -n 'your-twitter-totp-secret-key' > ~/.2fa/twitter.com/.key
5. Generate a new PGP encrypted file for security and privacy reasons: ~/.2fa/encrypt.key.sh twitter.com
6. Decrypt the totp secret and generate the 6-digit 2FA code when you need to log in into Twitter: ~/.2fa/decrypt.key.sh twitter.com

The ease with which you can back up your keys and /.2fa/ directory is the Linux command line's primary benefit. Gpg2 always protects your totp secrets and keys with a password. For security reasons, mobile apps like Google Authenticator typically do not permit you to sync or copy keys and secrets. Therefore, you wouldn't be able to access the account if you switched phones or lost your phone. As long as you remember your gpg2 passphrase, this setup is simple to backup and restore.

Step 6:

Final Step to Make 2FA available From the USB Key

To make your USB key your 2FA key for all your services, copy the ~/.2fa directory and its contents to the USB key. Then, when you wish to access one of your accounts--for instance, your Twitter account--all you need to do is take out your USB key, insert it into your system, and issue the command in Step # 6 of Step 5 above when prompted for the OTP for 2FA on the account. You'll be prompted for your passphrase as well, so please don't forget it.