See . This snippet uses the ykman command to generate an OATH-TOTP credential on the Yubikey which can be used with services that require you to supply your own TOTP secret.
# Create an alias for ykman pointing the install location
set-alias ykman "$env:programfiles\Yubico\YubiKey Manager\ykman.exe"
# Get the Yubikey's serial number with ykman
# Not required but will be used to import into Duo later (to test)
$serialNumber = ykman info | where { $_ -like "Serial number:*" } |
%{ $_ -replace "Serial number: ",""}
# Generate a random 40 character hex secret (20 bytes = 160 bits, the HMAC-SHA1 key size TOTP expects)
# See - thanks Forty3
# The length of the hex secret must be divisible by 5 to leverage HumanEquivalentUnit's
# byte to base32 conversion code below - I used a 40 digit secret
# Note: Get-Random is not a cryptographically secure generator; for a secret that protects real
# logins, draw the bytes from System.Security.Cryptography.RandomNumberGenerator instead
$hexSecret = (((40)|%{((1..$_)|%{('{0:X}' -f (random(16)))})}) -Join "").ToLower()
# Convert the hex secret key to base32 (with byte array as an intermediary)
# This seemed like the easier path vs. generating a base32 secret and converting back to hex
# First, from hex to bytes
# See
# ( function Convert-HexToByteArray ) - thanks Jon Friesen
$byteSecret = $hexSecret -replace '^0x', '' -split "(?<=\G\w{2})(?=\w{2})" |
%{ [Convert]::ToByte( $_, 16 ) }
# Then, from bytes to base32
# See
# Thanks humanequivalentunit
$byteArrayAsBinaryString = -join $byteSecret.ForEach{
    [Convert]::ToString($_, 2).PadLeft(8, '0')
}
# Each 5-bit group maps to one base32 character; 160 bits divides evenly, so no '=' padding is needed
$base32Secret = [regex]::Replace($byteArrayAsBinaryString, '.{5}', {
    param($Match)
    'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'[[Convert]::ToInt32($Match.Value, 2)]
})
# Create a new OATH-TOTP credential in the Yubikey for Yubico Authenticator
# (6 digits, 30 second period; in ykman 4 and later the subcommand is "ykman oath accounts add")
ykman oath add -o TOTP -d 6 -p 30 "DuoTest" "$base32Secret"
# Write out the TOTP token info in Duo CSV format
# Not required but will be used to import into Duo for testing
write-host "$serialNumber,$hexSecret"
# Clear variables
$serialNumber = ""
$hexSecret = ""
$byteSecret = ""
$base32Secret = ""
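The following is an added example and not part of the gist: it does the same job as the snippet above (secret, base32 form for ykman, hex form for the Duo CSV) but draws the secret from a CSPRNG, implements RFC 4648 base32 for any byte length rather than only 40 hex digits, and computes the current RFC 6238 TOTP code locally so the value shown by Yubico Authenticator for the new credential can be checked against it. The function names (New-TotpSecretBytes, ConvertTo-Base32, ConvertTo-Hex, Get-TotpCode) are this example's own, not ykman's or the gist author's.

```powershell
# Added example (not from the gist). Generates a TOTP secret with a CSPRNG, encodes it
# for ykman and Duo, and computes the TOTP code locally for comparison with the YubiKey.

function New-TotpSecretBytes {
    param([int]$Length = 20)   # 20 bytes = 160 bits, the native key size for HMAC-SHA1 TOTP
    $bytes = [byte[]]::new($Length)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return ,$bytes   # unary comma keeps the byte[] intact instead of unrolling it
}

function ConvertTo-Base32 {
    # RFC 4648 base32. Handles any byte length by zero-filling the last 5-bit group
    # and padding the output with '=' to a multiple of 8 characters.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = -join ($Bytes | ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') })
    $sb = [System.Text.StringBuilder]::new()
    for ($i = 0; $i -lt $bits.Length; $i += 5) {
        $len = [Math]::Min(5, $bits.Length - $i)
        $chunk = $bits.Substring($i, $len).PadRight(5, '0')
        [void]$sb.Append($alphabet[[Convert]::ToInt32($chunk, 2)])
    }
    while ($sb.Length % 8 -ne 0) { [void]$sb.Append('=') }
    return $sb.ToString()
}

function ConvertTo-Hex {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    return (($Bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

function Get-TotpCode {
    # RFC 6238 TOTP over HMAC-SHA1; the defaults match the ykman flags used above (-p 30 -d 6).
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [int]$Period = 30,
        [int]$Digits = 6,
        [DateTimeOffset]$Now = [DateTimeOffset]::UtcNow
    )
    $counter = [long][Math]::Floor($Now.ToUnixTimeSeconds() / $Period)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }   # counter is big-endian (RFC 4226)
    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Secret)
    try { $hash = $hmac.ComputeHash($msg) } finally { $hmac.Dispose() }
    $offset = $hash[$hash.Length - 1] -band 0x0F                       # dynamic truncation
    $binary = (($hash[$offset] -band 0x7F) -shl 24) -bor
              (($hash[$offset + 1] -band 0xFF) -shl 16) -bor
              (($hash[$offset + 2] -band 0xFF) -shl 8) -bor
              ($hash[$offset + 3] -band 0xFF)
    $code = $binary % [int][Math]::Pow(10, $Digits)
    return ([string]$code).PadLeft($Digits, '0')
}

# Sanity check of Get-TotpCode against the RFC 6238 Appendix B test key at Unix time 59
$rfcKey = [System.Text.Encoding]::ASCII.GetBytes('12345678901234567890')
Write-Host "RFC 6238 check   : $(Get-TotpCode -Secret $rfcKey -Digits 8 -Now ([DateTimeOffset]::FromUnixTimeSeconds(59)))"

# Real run: one fresh secret, both encodings, and the code the YubiKey should show right now
$secretBytes  = New-TotpSecretBytes
$base32Secret = ConvertTo-Base32 -Bytes $secretBytes   # pass to: ykman oath add -o TOTP -d 6 -p 30 "DuoTest" "$base32Secret"
$hexSecret    = ConvertTo-Hex -Bytes $secretBytes      # Duo CSV line is "<serial>,$hexSecret"
Write-Host "base32 for ykman : $base32Secret"
Write-Host "hex for Duo CSV  : $hexSecret"
Write-Host "local TOTP now   : $(Get-TotpCode -Secret $secretBytes)"
```

RFC 6238 Appendix B lists 94287082 as the SHA-1 value for that key at time 59, so the first line printed should match it before the rest of the output is trusted. After `ykman oath add` with the printed base32 secret, the code Yubico Authenticator displays within the same 30-second window should equal the "local TOTP now" line; if it does not, check the host clock before suspecting the encoding.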