The `otp` library implements HMAC-based one-time passwords. By extension, this includes time-based passwords. See GoDoc for full documentation, but here are some highlights:
```
$ go get github.com/tristanwietsma/otp
```
There is nothing magical or secure about using your phone to implement 2-factor authentication. Sure, mobile phones provide us with some awesome conveniences (scanning QR codes is nice), but the primary security advantage of 2-factor authentication results from the fact that dictionary attacks against such systems are futile.
Use the Go tool to install 2fa. Run `init` to create a dot-file config in your home directory.
```
$ go get github.com/tristanwietsma/otp/2fa
$ 2fa init
$ cat ~/.2fa.toml
# 2fa configuration
#
# Example:
#
# [key.label]
# issuer = "The Issuer"
# secret = "Base32 encoded secret key"
```
Tip: Keep the label short and lean on the `issuer` entry for a longer description if you have multiple keys to manage with the same service. Here is an example:
```
[key.gh]
issuer = "GitHub"
secret = "MFRGGZDFMZTWQ2LK"
```
2fa was modeled after the Go tool's clean interface. To list keys in your config, run the `list` command:
```
$ 2fa list
Label Issuer
--------------
gh GitHub
```
Codes are built to Google Authenticator defaults: a 30-second period, SHA1 hashing, and 6 digits.
```
$ 2fa calc gh
814498 (16 seconds)
```
Want to print your codes as convenient QR code images or transfer them to Google Authenticator? Start up the QR code server.
```
$ 2fa qrcodes
serving QR codes at http://localhost:3000
```