The `otp` library implements HMAC-based one-time passwords. By extension, this includes time-based passwords. See GoDoc for full documentation, but here are some highlights:
$ go get github.com/tristanwietsma/otp
There is nothing magical or secure about using your phone to implement 2-factor authentication. Sure, mobile phones provide us with some awesome conveniences (scanning QR codes is nice), but the primary security advantage of 2-factor authentication results from the fact that dictionary attacks against such systems are futile.
Use the Go tool to install 2fa. Run `init` to create a dot-file config in your home directory.
$ go get github.com/tristanwietsma/otp/2fa
$ 2fa init
$ cat ~/.2fa.toml
# 2fa configuration
#
# Example:
#
# [key.label]
# issuer = "The Issuer"
# secret = "Base32 encoded secret key"
Tip: Keep the label short and lean on the `issuer` entry for a longer description if you have multiple keys to manage with the same service. Here is an example:
[key.gh]
issuer = "GitHub"
secret = "MFRGGZDFMZTWQ2LK"
2fa was modeled after the Go tool's clean interface. To list keys in your config, run the `list` command:
$ 2fa list
Label Issuer
--------------
gh GitHub
Codes are built to Google Authenticator defaults: 30 second period, SHA1 hashing, 6 digits long.
$ 2fa calc gh
814498 (16 seconds)
Want to print your codes as convenient QR code images or transfer them to Google Authenticator? Start up the QR code server.
$ 2fa qrcodes
serving QR codes at http://localhost:3000