Generating TOTP for 2FA directly from the computer (no mobile device)

KeepassXC

This is a Linux native open-source password manager available from the Ubuntu repository. there is also a PPA if you want the latest.

Install keepassXC either from the Ubuntu store or from the terminal. Open a terminal and enter:

sudo apt install keepassxc

1. Once installed you have to create a database to keep the passwords.
2. Then you have to create a new entry with the username and password. It does not allow creating TOPT at this step.
3. Finally, once you select the newly created entry (username and password) you can use the menu on top and select Entries > TOTP... > Set up TOTP.

Security

KeepassXC database is password protected by default. That is, to use a password (and TOTP) stored in the database, you have to open the KeepassXC app and enter a password to open the database. Optionally you may use a file (stored in an USB drive) for additional security in addition to the password. That is, if the specific file is not there in the USB drove or if the specific USB drive is not plugged in, no one can open the KeepassXC database and access the TOTPs or passwords.

Caveat

You may have to begin the set up of TOTP again at the web pages that offer 2FA of this kind. For example, you may have to momentarily disable 2FA in your Google account, and set it up again to get a new QR code. Most web pages do not show the secret key or the corresponding QR code once the 2FA is setup. If you currently use an authentication app on the phone, the TOTP numbers generated by that app would become obsolete if you do the 2FA setup in the web page again.

On the plus side, KeeppassXC can generate the QR codes for each TOTP once it is set up. That is, you can scan the QR code generated by KeepassXC using your phone's authentication app to update it.

Browser Extensions

You may want to use the Chrome or Firefox extension for KeepassXC. This allows you to copy and paste userID, password, and TOTP (if available) with a couple of clicks.

Authy

Authy is another authentication app for mobiles, tablets, and desktops. there is even a Snap version of it.

Unlike KeeppassXC, Authy does not manage passwords. It is only for generating TOTP. On the plus side, if you use Authy on your mobile or tablet, you can keep your TOTP synced between all the devices including the desktop. You have to create an Authy account to keep the Authy apps in every device in sync.

Hope this helps

If you only need to generate codes and not manage them (e.g. you do not mind storing the TOTP secret elsewhere and providing it each time you need to generate a code) you can use oathtool which is part of the oath-toolkit package. To generate a 6 digit code from a base32 encoded secret you can use the following command:

oathtool --base32 --totp "SECRET" -d 6

The default time step is 30 seconds and the default start time is 1970-01-01 00:00:00 UTC. See the manpage for more usage information. For sources see the debain repository and the Jammy sources.

If you do not want to use an external package or tool the algorithms required for TOTP generation are described in the related RFCs which you could use to write your own shell script:

• RFC 2104: HMAC: Keyed-Hashing for Message Authentication
• RFC 4226: HOTP: An HMAC-Based One-Time Password Algorithm
• RFC 6238: TOTP: Time-Based One-Time Password Algorithm

This is related to a question I asked on security SE a while ago.

First of all, there is a useful command line tool called oathtool. You can use it to generate the 6 digit codes for 2fa using your 2fa secret. The steps are outlined here.

Obviously, your 2fa secrets are much more important to secure than the 2fa codes themselves. You could store the 2fa key in a password manager, and write a script to generate the 6 digit code from that.

If you store the keys on your machine, then you are not really doing 2fa. You just have two passwords. To address this, I did the following:

• Store the 2fa key in an encrypted file, and store that file on a flash drive.
• When I plug in my flash drive, mount the folder containing the (possibly many) 2fa keys into a folder my password manager can see. I use pass, so this is very easy to do. At the moment I do this manually, but it can be automated.
• The interface is something you can customise, but I wrote the following bash script, called 2fa:

pass 2fa/$1 | xargs -d '\n' oathtool -b --totp

The net consequence of this (with my naming system) is that I can write 2fa gitlab and get the 6-digit code at my terminal. I have another script that writes it to my clipboard, and prompts me with a list of names (the same interface as my password manager).

Of course, none of this works without the USB drive, which makes it a bona-fide "something you have" solution. However, it will only work if you can decrypt the gpg files, which requires my private key. I only use 2fa on a few trusted machines at the moment, so this is okay for me. If I needed it to be more versatile then I may reconsider using a phone or Yubikey.

There are criticisms of this scheme in comparison to Yubikey on the original post. I recommend checking them out.

I use the Firefox extension Authenticator for this, with work's SSO - they recommend it in fact, for those who can't or won't* use a mobile device. This is set up on a couple of desktop machines (work and home); on a laptop I'd want decent device security as it's a bit too easy to get the codes.

* Microsoft Authenticator's permission demands etc. for Android rule it out for me on a personal phone, but I've since found a lightweight and reasonable alternative.