Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
2-factor authentication terminal app in Python
#!/usr/bin/env python
import os, os.path, stat, sys, base64
# TOTP lib inlined
import time, hmac, base64, hashlib, struct
def pack_counter(t):
return struct.pack(">Q", t)
def dynamic_truncate(raw_bytes, length):
offset = raw_bytes[19] & 0x0f
decimal_value = ((raw_bytes[offset] & 0x7f) << 24) | (
(raw_bytes[offset + 1] & 0xff) << 16
) | ((raw_bytes[offset + 2] & 0xFF) << 8) | (raw_bytes[offset + 3] & 0xFF)
return str(decimal_value)[-length:]
def hotp(secret, counter, length=6):
if type(counter) != bytes: counter = pack_counter(int(counter))
if type(secret) != bytes: secret = base64.b32decode(secret)
digest =, counter, hashlib.sha1).digest()
return dynamic_truncate(digest, length)
def totp(secret, length=6):
"""TOTP is implemented as HOTP, but with the counter being the floor of
the division of the Unix timestamp by 30."""
counter = pack_counter(round(time.time() // 30))
return hotp(secret, counter, length)
# end TOTP lib inline
KEYS_PATH = os.path.expanduser("~/.2fa")
if os.path.exists(KEYS_PATH) and stat.S_IMODE(
os.stat(KEYS_PATH).st_mode) != 0o600:
print("# Insecure keys file! #")
print("# Set your .2fa file #")
print("# to be read-write by #")
print("# you only! #")
print("# Command: #")
print("# chmod go=,u=rw ~/.2fa #")
print("Refusing to use insecure key file")
class DirtyDict:
def __init__(self, d=None, **kwargs):
self.dict = d if d is not None else kwargs
self.dirty = False
def __getitem__(self, k):
return self.dict[k]
def __setitem__(self, k, v):
self.dict[k] = v
self.dirty = True
def __contains__(self, i):
return i in self.dict
KEYS = DirtyDict()
if os.path.exists(KEYS_PATH):
with open(KEYS_PATH) as f:
for n, line in enumerate(f, 1):
line = line.strip().split("\t")
if len(line) != 2:
print(f"Invalid entry on line {n}: expects `name<tab>key`")
KEYS[line[0]] = base64.b32decode(line[1].encode("ascii"))
print(f"Invalid entry on line {n}: invalid key")
KEYS.dirty = False # reset dirty flag
args = list(sys.argv[1:])
def new_key_wizard():
print("Hello, friend! Let's get your 2fa account set up!")
"First, give this key a name. I would suggest using the name of the site, or maybe"
print("the account name if you have more than one account on a site.")
name = input("Key name: ").strip()
print("Alright, now that we have a name, let's get that key.")
"On the site you're trying to add, you should see a QR code. I can't see that, so"
print("you should click on the option to manually enter the key.")
"It should give you a bunch of letters and numbers, somewhere in the ballpark of"
print("16-32 characters is common. Type that in here.")
entry = True
while entry:
key = input("Enter key: ").strip()
key = base64.b32decode(key)
KEYS[name] = key
entry = False
except KeyboardInterrupt:
print("That didn't work. Try typing it again?")
print("Great! That works!")
print("Your verification code is", totp(key))
def delete_key_wizard():
for i, key in enumerate(KEYS.dict, 1):
print(f"{i}.) {key}")
entry = True
while entry:
index = int(
input("Which key do you want to delete?: ").strip()) - 1
name = list(KEYS.dict.keys())[index]
entry = False
except KeyboardInterrupt:
except Exception as e:
print("Invalid index!")
print(f"Are you sure you want to delete the key for `{name}`?")
print(f"Once it's gone, there's no going back!")
c = input(f"Delete key `{name}`?(y/N): ")
if not c: c = "n"
if not c.lower()[0] == "y": return
del KEYS.dict[name]
print(f"Deleted key `{name}`.")
if len(args) == 1:
if args[0] in KEYS: # `2fa reddit`
print("Your code: " + totp(KEYS[args[0]]))
elif args[0] in ("wizard",
"new"): # `2fa wizard` or `2fa new` without args
elif args[0] in ("del", "delete", "remove", "rm"):
elif args[0] == "help":
print("2fa - 2 factor authentication app")
print("2fa <key> - generate code for key `key`")
print("2fa new - new key wizard")
print("2fa wizard - direct link to the above")
print("2fa <del/delete/rm/remove> - key removal wizard")
"2fa new <name> [key] - direct key addition. If key is not provided, it will be asked for."
elif len(args) == 2 and args[0] == "new": # `2fa new reddit`
entry = True
while entry:
key = input("Enter Base32 key: ").strip()
key = base64.b32decode(key.encode("ascii"))
entry = False
print("Invalid key!")
KEYS[args[1]] = key
elif len(args) == 3 and args[0] == "new": # `2fa new reddit ABCDEFGHIJKLMNOP`
key = base64.b32decode(args[2].encode("ascii"))
print("Invalid key!")
KEYS[args[1]] = key
if KEYS.dirty:
r = os.path.exists(KEYS_PATH)
with open(KEYS_PATH, "w") as f:
for key in KEYS.dict:
[key, base64.b32encode(KEYS[key]).decode("ascii")]))
if not r:
os.chmod(KEYS_PATH, 0o600)


A 2-factor auth app in the terminal. Coded in Python.


2fa - 2 factor authentication app
2fa <key> - generate code for key `key`
2fa new - new key wizard
2fa wizard - direct link to the above
2fa <del/delete/rm/remove> - key removal wizard
2fa new <name> [key] - direct key addition. If key is not provided, it will be asked for.

This comment has been minimized.

Copy link

@yunruse yunruse commented Apr 5, 2020

Bit of a nitpick but you can simplify DirtyDict and inherit dict features with:

class DirtyDict(dict):
    def __init__(self, d=None, **kwargs):
        self.dict.__init__(self, d, **kwargs)
        self.dirty = False

    def __setitem__(self, k, v):
        dict.__setitem__(self, k, v)
        self.dirty = True

This comment has been minimized.

Copy link
Owner Author

@MineRobber9000 MineRobber9000 commented Apr 8, 2020

Meh, it's not that important to me. It works, and that's the important part. That would probably be a more Pythonic way to do it (although the real Pythonic way would most likely be subclassing collections.UserDict), but it works and that's the important thing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment