Skip to content

markgollnick/pyoath

Repository files navigation



pyoath

Build Status Coverage Status

Two-Factor Authentication

A Python OATH implementation.

OATH is the Initiative for Open Authentication — not to be confused with OAuth, the Open Standard to Authorization, which is an entirely different paradigm.

Pyoath implements the HOTP Algorithm defined in RFC 4226, published in December of 2005, and the TOTP Algorithm defined in RFC 6238, published in May of 2011. It has been designed for both the client- and server-sides of two-factor authentication systems.

Requirements

  • Python >= 2.7, 3.4, 3.5, 3.6

Installation

For Users:

pip install pyoath

For Developers:

git clone [email protected]:markgollnick/pyoath.git
cd pyoath
python setup.py build install
# Alternatively...
python setup.py sdist
pip install dist/pyoath-*.tar.gz

Usage

Once installed, you can use it as a script (that is, on the client-side)…

$ pyoath -h
usage: pyoath.py [-h] [--google] [--loop] secret

positional arguments:
  secret      shared secret [file] between client and server

optional arguments:
  -h, --help  show this help message and exit
  --google    Google Authenticator mode (assumes secret is encoded in base32)
  --loop      start an authenticator instance that will continue until killed

…or, you can use it as a library (that is, on the server-side):

>>> import pyoath
>>> pyoath.HOTP(b'secret', 0)
'814628'
>>> pyoath.HOTP(b'secret', 1, Digit=8)
'28533881'
>>> pyoath.TOTP(b'secret')
'123456'
>>> pyoath.TOTP(b'secret', Digit=8)
'12345678'
>>> import hashlib
>>> pyoath.TOTP(b'secret', Digit=8, Mode=hashlib.sha512)
'87654321'

Extras

Since most services provide their users with two-factor secret keys in the form of scannable QR Codes, you might be interested in the following utilities:

Acknowledgments

Disclaimer

THIS IS A PROOF-OF-CONCEPT.

It is *NOT* recommended that you store your two-factor authentication secret keys on your hard-disk, as this significantly recudes most semblances of security that two-factor authentication provides. The whole point of two-factor authentication is that a would-be attacker must jump through two separate hoops:

  1. (S)he must crack (or glean through hacking, social engineering, etc.) your password or passphrase to the system or service.
  2. (S)he must gain access to the device containing your two-factor secret key, which is usually your mobile phone, or a key fob which you should have on your person at all times.

Since it’s likely that the computer you use to log into your other systems and online services has its own form of password caching and/or storage, storing a second secret key somewhere on the machine nullifies this idea of device separation, and makes it that much easier for a would-be attacker to gain access to things they shouldn’t.

As it says in the license:

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT
SHALL THE COPYRIGHT HOLDERS OR ANYONE DISTRIBUTING THE SOFTWARE BE LIABLE
FOR ANY DAMAGES OR OTHER LIABILITY, WHETHER IN CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.

In other words, use this software — wisely, or unwisely — at YOUR OWN RISK.

Now that that’s out of the way… however you choose to go about it, you should still

Two.

Factor.

Everything.

License

Boost Software License, Version 1.0: <http://www.boost.org/LICENSE_1_0.txt>

About

Python OATH implementation for two-factor systems.

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages