1. 6
  1. 4

    I just use pass + oathtool.

    For instance, in “2fa/github”, I store:

    oathtool --totp --base32 MY_KEY

    In my .bashrc I have:

    eval $(pass 2fa/$1)

    and then when I need a code I use:

    2fa github

    I should write a blog article to explain that. :)

    EDIT: I just did.

    1. 2

      How is this different from using the pass-otp extension to pass? I don’t have experience with either, but I use pass to store my regular passwords.

      1. 1

        I just didn’t know pass-otp. It also uses oathtool and zbar, and it is packaged for Arch. I will add it to my post.

      2. 1

        Using pass-otp, it’s just a matter of:

        pass otp 2fa/github

        And storing the otpauth string in he pass file:


        1. 1

          worth noting that the pass iOS app can scan QR codes to add the otpauth to your entries, quite neat

      3. 2

        Perhaps I’m missing something, but I don’t like doing TOTP on the same device that my passwords are stored on.

        1. 2

          You can also do this on another device, e.g. a RPi whose only job is to generate TOTP tokens.

          1. 1

            I know some people think it defeats the purpose, but I consider the threat level of “someone can access arbitrary content in my password manager” higher than “someone can access any account I use TOTP on”.

            What it does prevent is someone on the network and/or on the other end from sniffing all of the credentials (it would also be the case if the system used a digest-based authentication method).

            Also, my phone is much easier to steal or hack into than any device I have a copy of my (encrypted) password store on.