I use a mobile device to store TOTP tokens (one time use passcodes), but as I also wish to use my workstation device to generate these tokens, I’ve historically used a tool called oathtool<https://www.nongnu.org/oath-toolkit/> to generate these one time tokens (from a stored secret), but due to portability issues with the tool, I ended up porting it to Python. Now with keyring<https://pypi.org/project/keyring/> and oathtool<https://pypi.org/project/oathtool/> and jaraco.clipboard<https://pypi.org/project/jaraco.clipboard/>, I’m able to (a) store the Github-generated key in a secure location, (b) generate tokens from the command line, and (c) copy them to the clipboard for easy pasting into a form (independent of platform). Since I use xonsh for my shell, I’m able to readily create aliases for each of the sites I use thus:
def get_oath(system, user):
code = keyring.get_password(system, user).replace(' ', '')
otp = $(oathtool @(code)).rstrip()
jaraco.clipboard.copy(otp)
def add_mfa(alias, system, user):
aliases[alias] = functools.partial(get_oath, system, user)
add_mfa('github-mfa', 'GitHub MFA', 'jaraco')
Now, when I type github-mfa in my shell, keyring retrieves the key from a secure storage, oathtool converts that to a valid one time passcode, and then jaraco.clipboard puts that on the clipboard, all using nothing but Python and a few libs.
The workflow may not be the best for you, and is probably not quite as secure as a hardware token like Yubikey, but as long as the password store is kept as secure as the hardware token, it’s comparable, and a fair deal more secure than with a password and does supply a second factor. I welcome others to copy all or part of the approach.
On 14 Jun, 2021, at 18:29, Terry Reedy <tjreedy@udel.edu<mailto:tjreedy@udel.edu>> wrote:
On 6/14/2021 3:38 PM, Brett Cannon wrote: I have discovered someone tried to break into my GitHub account (you can check yourself by going to https://github.com/settings/security-log <https://github.com/settings/security-log> and looking for "failed to login" attempts for potentially odd geographical locations for yourself).
I checked and the only logins are me, at home, with the same IP address. (I realize that this could change.) My only development system is on my desktop, so github *could* let me check a box to use the location as a quasi 2nd factor. If the IP address changes, they *could* immediately email (if requested).
TJR
python-committers mailing list -- python-committers@python.org<mailto:python-committers@python.org> To unsubscribe send an email to python-committers-leave@python.org<mailto:python-committers-leave@python.org> https://mail.python.org/mailman3/lists/python-committers.python.org/ Message archived at https://mail.python.org/archives/list/python-committers@python.org/message/I... Code of Conduct: https://www.python.org/psf/codeofconduct/