Time has marched on, and all of the services on which I rely that support 2FA use offline time-based one-time passcodes (TOTP) rather than easily-spoofable SMS text messages, except for my bank, which of course makes total sense, because I don’t really need my bank account to be all that secure really. </sarcasm>
This of course means that I’ve been able to keep my entirely open source phone, because there is a great app, installable via F-Droid, called Authenticator Pro, which supports the TOTP systems used by both Microsoft Authenticator and Google’s authenticator app but in a lovely, independently auditable, FOSS form. The source code is on GitHub.
But I still lose my sodding phone all the time.
Authenticator Pro allows automatic backups. It also encrypts them. The first thing I did when I installed Authenticator Pro was to sync the directory into which it saves the encrypted backups to my home machine using SyncThing (another wonderful FOSS Android app). This is handy because the backups are encrypted with a master password, and if I lose my phone (permanently) then I simply copy the latest backup into a new install of Authenticator Pro and all my logins are safe. It has also not escaped my attention that there’s a Python script in the source code repository that decrypts a file to a normal JSON structure.
The plan
So now I have a copy of my TOTP keys in a file on my local machine that can be read from any programming language that will read JSON. There is also a Python library called PyOTP which will generate six-digit login codes based on the current timestamp if you give it a key. So with a quick Python script, installed in the correct location on my PATH, I can now simply type totp on my command line and get a list of TOTPs for all the services I use.
If you want to use this yourself you’ll need to change the backup_path value to the path on your local machine where your (unencrypted) Authenticator Pro backups are stored, and have a script running in cron that calls decrypt_backup.py on any new .authpro files that come in via your file sync for true automatic operation. Now you can safely lose your phone as often as I do.
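A sketch of the kind of totp script described above, added here as an example and not the author's own script. It computes RFC 6238 codes with the standard library instead of PyOTP so that it runs without dependencies, and it refuses to read a decrypted backup that other users can read, since that file holds every TOTP seed in the clear. The JSON key names (Authenticators, Issuer, Username, Secret, Digits, Period), the assumption that every entry is SHA-1 TOTP, and the sample data are assumptions.

```python
import base64, hashlib, hmac, json, os, stat, struct, tempfile, time

def totp(secret_b32, at=None, digits=6, period=30):
    """RFC 6238 code (HMAC-SHA1) for a base32 secret at Unix time `at`."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = int(time.time() if at is None else at) // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def load_codes(backup_path, at=None):
    """Return {label: code} for every entry in a decrypted backup file."""
    # The decrypted file holds every TOTP seed in the clear, so refuse to
    # use it if anyone but the owner can read it.
    mode = stat.S_IMODE(os.stat(backup_path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{backup_path} has mode {mode:o}; run chmod 600")
    with open(backup_path) as fh:
        backup = json.load(fh)
    codes = {}
    for entry in backup["Authenticators"]:  # assumed key names, see lead-in
        label = f'{entry.get("Issuer", "?")} ({entry.get("Username", "")})'
        codes[label] = totp(entry["Secret"], at,
                            entry.get("Digits", 6), entry.get("Period", 30))
    return codes

def write_sample(path):
    """Write a constructed one-entry backup (RFC 6238 test secret), mode 600."""
    sample = {"Authenticators": [{"Issuer": "Example", "Username": "alice",
              "Secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
              "Digits": 6, "Period": 30}]}
    with open(path, "w") as fh:
        json.dump(sample, fh)
    os.chmod(path, 0o600)

if __name__ == "__main__":
    backup_path = os.path.join(tempfile.mkdtemp(), "backup.json")
    write_sample(backup_path)  # replace with the path to your decrypted backup
    for label, code in load_codes(backup_path).items():
        print(f"{code}  {label}")
```

With PyOTP installed, pyotp.TOTP(secret).now() yields the same code as totp(secret) for default six-digit, 30-second entries.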