Files
Emanuele Cesena 5745148664 add examples
2026-06-19 15:00:14 -07:00

1.9 KiB

TOTP / HOTP with a SoloKey

Works on: Secure + Hacker. OATH applet (secrets-app).

Solo 2 stores OATH TOTP/HOTP secrets on the key (USB-CCID / NFC), so your 2FA codes are generated by the hardware. The easiest client is the solo2 CLI — it's the native client, so none of the vendor-lock issues other tools have.

cargo install solo2          # provides the `solo2` binary
# register a TOTP secret (label, base32 seed); --issuer is optional
solo2 app oath register --digits 6 --issuer github.com "alice@example.com" JBSWY3DPEHPK3PXP

# list (note: the stored label is "issuer:account" when --issuer is given)
solo2 app oath list
#   github.com:alice@example.com

# get a code
solo2 app oath totp "github.com:alice@example.com"
#   054221

# HOTP instead of TOTP
solo2 app oath register --kind hotp --counter 0 --digits 6 "acme:me" <BASE32_SECRET>

Options: --algorithm sha1|sha256 (default sha1), --period <sec> (TOTP, default 30), --digits, --counter (HOTP).

Removal:

solo2 app oath delete "github.com:alice@example.com"   # delete one
solo2 app oath reset                                   # wipe all OATH creds

Note: on current firmware delete/reset can return SecurityStatusNotSatisfied (6982) from the CLI — these destructive ops require a user-presence/security status the CLI doesn't currently drive. (register/list/totp work without it.)

Notes

  • Secrets are a Base32 string or come from an otpauth:// URI / QR from the service.
  • TOTP uses the host clock; pass an explicit epoch to solo2 app oath totp <label> <timestamp> to compute a code for a given time.

Other clients

ykman oath / Yubico Authenticator speak the same Yubico OATH AID, but may refuse a non-Yubico device — the solo2 CLI above avoids that. For raw (non-card) TOTP/HOTP math when testing a seed, oath-toolkit's oathtool is handy.