On Ubuntu 22.04.2, I would be glad to ear about a native and secure way to generate TOTP codes for using in any given application which needs 2FA.
Do you know an open-source way of doing that directly on an Ubuntu computer?
All tutorial I can find are based on the "mobile app" way (e.g. using Google Authenticator), which I cannot use because I don't have any other mobile device than a laptop.
This is a Linux native open-source password manager available from the Ubuntu repository. there is also a PPA if you want the latest.
Install keepassXC either from the Ubuntu store or from the terminal. Open a terminal and enter:
sudo apt install keepassxc
KeepassXC database is password protected by default. That is, to use a password (and TOTP) stored in the database, you have to open the KeepassXC app and enter a password to open the database. Optionally you may use a file (stored in an USB drive) for additional security in addition to the password. That is, if the specific file is not there in the USB drive or if the specific USB drive is not plugged in, no one can open the KeepassXC database and access the TOTPs or passwords.
You may have to begin the set up of TOTP again at the web pages that offer 2FA of this kind. For example, you may have to momentarily disable 2FA in your Google account, and set it up again to get a new QR code. Most web pages do not show the secret key or the corresponding QR code once the 2FA is setup. If you currently use an authentication app on the phone, the TOTP numbers generated by that app would become obsolete if you do the 2FA setup in the web page again.
On the plus side, KeeppassXC can generate the QR codes for each TOTP once it is set up. That is, you can scan the QR code generated by KeepassXC using your phone's authentication app to update it.
You may want to use the Chrome or Firefox extension for KeepassXC. This allows you to copy and paste userID, password, and TOTP (if available) with a couple of clicks.
The desktop and snap version was deprecated and it is not longer available.
Authy is another authentication app for mobiles, and tablets.
Unlike KeeppassXC, Authy does not manage passwords. It is only for generating TOTP. On the plus side, if you use Authy on your mobile or tablet, you can keep your TOTP synced between all the devices including the desktop. You have to create an Authy account to keep the Authy apps in every device in sync.
Hope this helps
If you only need to generate codes and not manage them (e.g. you do not mind storing the TOTP secret elsewhere and providing it each time you need to generate a code) you can use oathtool which is part of the oath-toolkit package. To generate a 6 digit code from a base32 encoded secret you can use the following command:
oathtool --base32 --totp "SECRET" -d 6
The default time step is 30 seconds and the default start time is 1970-01-01 00:00:00 UTC. See the manpage for more usage information. For sources see the debain repository and the Jammy sources.
If you do not want to use an external package or tool the algorithms required for TOTP generation are described in the related RFCs which you could use to write your own shell script:
This is related to a question I asked on security SE a while ago.
First of all, there is a useful command line tool called oathtool. You can use it to generate the 6 digit codes for 2fa using your 2fa secret. The steps are outlined here.
Obviously, your 2fa secrets are much more important to secure than the 2fa codes themselves. You could store the 2fa key in a password manager, and write a script to generate the 6 digit code from that.
If you store the keys on your machine, then you are not really doing 2fa. You just have two passwords. To address this, I did the following:
2fa:pass 2fa/$1 | xargs -d '\n' oathtool -b --totp
The net consequence of this (with my naming system) is that I can write 2fa gitlab and get the 6-digit code at my terminal. I have another script that writes it to my clipboard, and prompts me with a list of names (the same interface as my password manager).
Of course, none of this works without the USB drive, which makes it a bona-fide "something you have" solution. However, it will only work if you can decrypt the gpg files, which requires my private key. I only use 2fa on a few trusted machines at the moment, so this is okay for me. If I needed it to be more versatile then I may reconsider using a phone or Yubikey.
There are criticisms of this scheme in comparison to Yubikey on the original post. I recommend checking them out.
I use the Firefox extension Authenticator for this, with work's SSO - they recommend it in fact, for those who can't or won't* use a mobile device. This is set up on a couple of desktop machines (work and home); on a laptop I'd want decent device security as it's a bit too easy to get the codes.
* Microsoft Authenticator's permission demands etc. for Android rule it out for me on a personal phone, but I've since found a lightweight and reasonable alternative.
