I use a mobile device to store TOTP tokens (one time use passcodes), but as I
also wish to use my workstation device to generate these tokens, I’ve
historically used a tool called oathtool<https://www.nongnu.org/oath-toolkit/>
to generate these one time tokens (from a stored secret), but due to
portability issues with the tool, I ended up porting it to Python. Now with
keyring<https://pypi.org/project/keyring/> and
oathtool<https://pypi.org/project/oathtool/> and
jaraco.clipboard<https://pypi.org/project/jaraco.clipboard/>, I’m able to (a)
store the Github-generated key in a secure location, (b) generate tokens from
the command line, and (c) copy them to the clipboard for easy pasting into a
form (independent of platform). Since I use xonsh for my shell, I’m able to
readily create aliases for each of the sites I use thus:
```xonsh
def get_oath(system, user):
code = keyring.get_password(system, user).replace(' ', '')
otp = $(oathtool @(code)).rstrip()
jaraco.clipboard.copy(otp)
def add_mfa(alias, system, user):
aliases[alias] = functools.partial(get_oath, system, user)
add_mfa('github-mfa', 'GitHub MFA', 'jaraco')
```
Now, when I type `github-mfa` in my shell, keyring retrieves the key from a
secure storage, oathtool converts that to a valid one time passcode, and then
jaraco.clipboard puts that on the clipboard, all using nothing but Python and a
few libs.
The workflow may not be the best for you, and is probably not quite as secure
as a hardware token like Yubikey, but as long as the password store is kept as
secure as the hardware token, it’s comparable, and a fair deal more secure than
with a password and does supply a second factor. I welcome others to copy all
or part of the approach.
On 14 Jun, 2021, at 18:29, Terry Reedy
<[email protected]<mailto:[email protected]>> wrote:
On 6/14/2021 3:38 PM, Brett Cannon wrote:
I have discovered someone tried to break into my GitHub account (you can check
yourself by going to https://github.com/settings/security-log
<https://github.com/settings/security-log> and looking for "failed to login"
attempts for potentially odd geographical locations for yourself).
I checked and the only logins are me, at home, with the same IP address. (I
realize that this could change.) My only development system is on my desktop,
so github *could* let me check a box to use the location as a quasi 2nd factor.
If the IP address changes, they *could* immediately email (if requested).
TJR
_______________________________________________
python-committers mailing list --
[email protected]<mailto:[email protected]>
To unsubscribe send an email to
[email protected]<mailto:[email protected]>
https://mail.python.org/mailman3/lists/python-committers.python.org/
Message archived at
https://mail.python.org/archives/list/[email protected]/message/IZPTKBBDWK3FA2GVJRZ4HBL2CJRUA76Q/
Code of Conduct: https://www.python.org/psf/codeofconduct/
_______________________________________________
python-committers mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3/lists/python-committers.python.org/
Message archived at
https://mail.python.org/archives/list/[email protected]/message/7QQYG7NST66LQMXF5RB4GCAQ6B3RANGF/
Code of Conduct: https://www.python.org/psf/codeofconduct/
