1.9 KiB
TOTP / HOTP with a SoloKey
Works on: Secure + Hacker. OATH applet (secrets-app).
Solo 2 stores OATH TOTP/HOTP secrets on the key (USB-CCID / NFC), so your 2FA codes are generated by the hardware. The easiest client is the solo2 CLI — it's the native client, so none of the vendor-lock issues other tools have.
With the solo2 CLI (recommended)
cargo install solo2 # provides the `solo2` binary
# register a TOTP secret (label, base32 seed); --issuer is optional
solo2 app oath register --digits 6 --issuer github.com "alice@example.com" JBSWY3DPEHPK3PXP
# list (note: the stored label is "issuer:account" when --issuer is given)
solo2 app oath list
# github.com:alice@example.com
# get a code
solo2 app oath totp "github.com:alice@example.com"
# 054221
# HOTP instead of TOTP
solo2 app oath register --kind hotp --counter 0 --digits 6 "acme:me" <BASE32_SECRET>
Options: --algorithm sha1|sha256 (default sha1), --period <sec> (TOTP, default 30), --digits, --counter (HOTP).
Removal:
solo2 app oath delete "github.com:alice@example.com" # delete one
solo2 app oath reset # wipe all OATH creds
Note: on current firmware
delete/resetcan returnSecurityStatusNotSatisfied (6982)from the CLI — these destructive ops require a user-presence/security status the CLI doesn't currently drive. (register/list/totpwork without it.)
Notes
- Secrets are a Base32 string or come from an
otpauth://URI / QR from the service. - TOTP uses the host clock; pass an explicit epoch to
solo2 app oath totp <label> <timestamp>to compute a code for a given time.
Other clients
ykman oath / Yubico Authenticator speak the same Yubico OATH AID, but may refuse a non-Yubico device — the solo2 CLI above avoids that. For raw (non-card) TOTP/HOTP math when testing a seed, oath-toolkit's oathtool is handy.