pyoath 1.0.1

Python OATH implementation for two-factor systems.



pyoath

A Python OATH implementation.

OATH is the Initiative for Open Authentication — not to be confused with OAuth, the Open Standard to Authorization, which is an entirely different paradigm.

Pyoath implements the HOTP Algorithm defined in RFC 4226, published in December of 2005, and the TOTP Algorithm defined in RFC 6238, published in May of 2011. It has been designed for both the client- and server-sides of two-factor authentication systems.

Requirements

• Python >= 2.7, 3.4, 3.5, 3.6

Installation

For Users:

pip install pyoath

For Developers:

git clone git@github.com:markgollnick/pyoath.git
cd pyoath
python setup.py build install
# Alternatively...
python setup.py sdist
pip install dist/pyoath-*.tar.gz

Usage

Once installed, you can use it as a script (that is, on the client-side)…

$ pyoath -h
usage: pyoath.py [-h] [--google] [--loop] secret

positional arguments:
  secret      shared secret [file] between client and server

optional arguments:
  -h, --help  show this help message and exit
  --google    Google Authenticator mode (assumes secret is encoded in base32)
  --loop      start an authenticator instance that will continue until killed

…or, you can use it as a library (that is, on the server-side):

>>> import pyoath
>>> pyoath.HOTP(b'secret', 0)
'814628'
>>> pyoath.HOTP(b'secret', 1, Digit=8)
'28533881'
>>> pyoath.TOTP(b'secret')
'123456'
>>> pyoath.TOTP(b'secret', Digit=8)
'12345678'
>>> import hashlib
>>> pyoath.TOTP(b'secret', Digit=8, Mode=hashlib.sha512)
'87654321'

Extras

Since most services provide their users with two-factor secret keys in the form of scannable QR Codes, you might be interested in the following utilities:

• Open Source QR Code Library, a CLI tool written in Java to read QR Codes

• pyqrcode, a Python library offering bindings based on the above Java tool

• BarCapture, a GUI tool written in Java to extract the data from QR Codes

Acknowledgments

• Special thanks to James Cuff for the Java-based Google Authenticator Desktop Client, which inspired this project.

• Special thanks to Yusuke Yanbe for the Open Source QR Code Library.

• Special thanks to Pierre G. Richard of Jaxo Systems for the BarCapture tool, and for his work with barcode interpretation on mobile platforms.

• Special thanks to OpenSSH for the bold notice about poor file access bits.

• Special thanks to AJ for the padlock icons.

Disclaimer

THIS IS A PROOF-OF-CONCEPT.

It is *NOT* recommended that you store your two-factor authentication secret keys on your hard-disk, as this significantly recudes most semblances of security that two-factor authentication provides. The whole point of two-factor authentication is that a would-be attacker must jump through two separate hoops:

1. (S)he must crack (or glean through hacking, social engineering, etc.) your password or passphrase to the system or service.

2. (S)he must gain access to the device containing your two-factor secret key, which is usually your mobile phone, or a key fob which you should have on your person at all times.

Since it’s likely that the computer you use to log into your other systems and online services has its own form of password caching and/or storage, storing a second secret key somewhere on the machine nullifies this idea of device separation, and makes it that much easier for a would-be attacker to gain access to things they shouldn’t.

As it says in the license:

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT

SHALL THE COPYRIGHT HOLDERS OR ANYONE DISTRIBUTING THE SOFTWARE BE LIABLE

FOR ANY DAMAGES OR OTHER LIABILITY, WHETHER IN CONTRACT, TORT OR OTHERWISE,

ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER

DEALINGS IN THE SOFTWARE.

In other words, use this software — wisely, or unwisely — at YOUR OWN RISK.

Now that that’s out of the way… however you choose to go about it, you should still

Two.

Factor.

Everything.

License

Boost Software License, Version 1.0: <http://www.boost.org/LICENSE_1_0.txt>