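def get_oath(system, user):
    # Look up the stored OATH key in the keyring, dropping any spaces in it
    code = keyring.get_password(system, user).replace(' ', '')
    # Run oathtool on the key and strip the trailing newline from its output
    otp = $(oathtool @(code)).rstrip()
    jaraco.clipboard.copy(otp)

def add_mfa(alias, system, user):
    # Register a xonsh alias bound to this system/user pair
    aliases[alias] = functools.partial(get_oath, system, user)

add_mfa('github-mfa', 'GitHub MFA', 'jaraco')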
```
Now, when I type `github-mfa` in my shell, keyring retrieves the key from secure storage, oathtool converts that to a valid one-time passcode, and then jaraco.clipboard puts that on the clipboard, all using nothing but Python and a few libs.
The workflow may not be the best for you, and is probably not quite as secure as a hardware token like YubiKey, but as long as the password store is kept as secure as the hardware token, it’s comparable, and a fair deal more secure than with a password and does supply a second factor. I welcome others to copy all or part of the approach.
On 6/14/2021 3:38 PM, Brett Cannon wrote:
> I have discovered someone tried to break into my GitHub account (you can check yourself by going to
> https://github.com/settings/security-log and looking for "failed to login" attempts for
> potentially odd geographical locations for yourself).
I checked and the only logins are me, at home, with the same IP address. (I realize that this could change.) My only development system is on my desktop, so GitHub *could* let me check a box to use the location as a quasi 2nd factor. If the IP address changes, they *could* immediately email (if requested).
TJR
_______________________________________________
python-committers mailing list -- python-committers@python.org
https://mail.python.org/mailman3/lists/python-committers.python.org/
Message archived at https://mail.python.org/archives/list/python-committers@python.org/message/IZPTKBBDWK3FA2GVJRZ4HBL2CJRUA76Q/