Life Of Navin

Random Musings, Random Bullshit.


Google Authenticator 2FA on Mac OS with oathtool

Multi-factor authentication (Commonly 2FA) is a security godsend. You really should enable it on every account you have that supports it. I usually use Google Authenticator for time-variant OTP systems. However, I find it irritating to have to reach for my phone to check for the OTP every time I log in to a site. Why do I find it irritating? Because of 2 reasons:
  1. I actually have to get to my physical device, which I usually don't carry around with me. 
    • In office, I usually keep my phone away from me to avoid distraction/unwanted calls/notifications.
  2. Even after I open up Authenticator, I have to type out the digits from screen to screen. 
    • I know there are other alternatives, but Google Authenticator is most widely supported across services I use daily: AWS, Okta, Google Suite, Pager etc. and it's not going away soon.
I always wondered if there is an easier way to get the added security of 2FA, with more flexibility. And the solution was to simply use 2FA from my laptop itself. So I came up with a workflow. This is my current workflow on Mac OS Sierra (but should work on any Mac).

Step 1: Generate 2FA tokens on laptop
This turned out to be simpler than I imagined. I simply needed to use the awesome oath-toolkit, which basically behaves like Google Authenticator for the laptop. It can be used to easily generate time-variant one time passwords, which is what GA does! Setting it up is a breeze:

$ brew install oath-toolkit
$ oathtool --totp -b "your_key_here" | pbcopy

The key you use here is a key generated when you set up OTP (You probably remember scanning a QR code). If you don't have the key saved locally, you will have to do a one-time reset of your 2FA to generate a new key.

We pipe the generated token to pbcopy to copy it to clipboard. This allows us to generate totp tokens and have them ready to be pasted when needed. No need to look for your mobile phone for OTP anymore!

Step 2: Smoother Workflow
Now that we can generate OTP tokens without a phone, let's clean up the process. Currently, we need to go to the terminal every time we want to generate a new token. What if we could bind this to a global key command instead? Mac OS has an awful global keyboard macro system (Yay Linux as always), but it can still be done. This is how I do it:
  • Install ICanHazShortcut, a nifty Mac app for global hotkeys. It's not too fancy, but delivers what it promises!
  • Set up an Automator service to simply paste clipboard contents when called:
    • Go to Applications -> Automator -> New -> Service
    • Service receives "no input" in "any application"
    • Drag the "Run Applescript" action to the right and fill in the following and then save the workflow as paste-from-clipboard. You can save it in your home directory:

  • Finally, bring it all together! Set up keyboard shortcuts in ICanHazShortcut, and set the command to run as:  
/usr/local/bin/oathtool --totp -b "your_key_here" | pbcopy | automator ~/paste-from-clipboard.workflow/
Here I assume that the workflow you created was named paste-from-clipboard and saved in your home directory. You may not need to specify the full path for oathtool, but I had to.

And that's it! Now whenever you're on a page that needs a 2FA token, simply type in your keyboard shortcut, and your token will be filled in!

...And the love kickstarts again ;)

PS: Yes, this is unsafe because if someone get's physical access to your system, then he can access your 2FA key and generate tokens, thereby rendering your 2FA useless. Then again, if he has physical access to your system, then this is just one of a million ways to get access to your data, so the attack vector surface increase is not as prominent. Of course, if you're uber concerned about security, skip this. But if you want a compromise between security and usability then this is a decent solution! :)


Unknown said...

Hi. You don't really need to deal with Automator, you can simply call osascript instead:
osascript -e 'tell application "System Events" to keystroke "v" using command down'


Finally after all these years, here's to the beginning of what was there, what is there and hopefully what will remain!! So here are my thoughts & words -Online!!

Blog Archive