{"id":34743805,"url":"https://github.com/arcanericky/totp","last_synced_at":"2025-12-25T04:28:38.345Z","repository":{"id":44358295,"uuid":"189410793","full_name":"arcanericky/totp","owner":"arcanericky","description":"Time-Based One-Time Password Code Generator","archived":false,"fork":false,"pushed_at":"2023-09-08T13:21:15.000Z","size":133,"stargazers_count":166,"open_issues_count":6,"forks_count":19,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-08-14T11:46:47.253Z","etag":null,"topics":["2fa","authentication","authenticator","passcode","password","totp","totp-tfa","totp-tokens","two-factor","two-factor-authentication"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/arcanericky.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-05-30T12:35:24.000Z","updated_at":"2025-08-05T06:50:18.000Z","dependencies_parsed_at":"2024-06-20T12:03:41.961Z","dependency_job_id":null,"html_url":"https://github.com/arcanericky/totp","commit_stats":null,"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"purl":"pkg:github/arcanericky/totp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arcanericky%2Ftotp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arcanericky%2Ftotp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arcanericky%2Ftotp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arcanericky%2Ftotp/manifests","owner_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/arcanericky","download_url":"https://codeload.github.com/arcanericky/totp/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arcanericky%2Ftotp/sbom","scorecard":{"id":205359,"data":{"date":"2025-08-11","repo":{"name":"github.com/arcanericky/totp","commit":"9a75d161c450215dd10267dd1ec751620128badc"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.4,"checks":[{"name":"Code-Review","score":0,"reason":"Found 2/27 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/builder.yml:1","Warn: no topLevel permission defined: .github/workflows/release.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least 
privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/builder.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/arcanericky/totp/builder.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/builder.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/arcanericky/totp/builder.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/builder.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/arcanericky/totp/builder.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/builder.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/arcanericky/totp/builder.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/arcanericky/totp/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/arcanericky/totp/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:25: update your workflow using 
https://app.stepsecurity.io/secureworkflow/arcanericky/totp/release.yml/main?enable=pin","Info:   0 out of   4 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   3 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses 
fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v1.1.2 not signed: https://api.github.com/repos/arcanericky/totp/releases/96800139","Warn: release artifact v1.1.1 not signed: https://api.github.com/repos/arcanericky/totp/releases/96217204","Warn: release artifact v1.1.0 not signed: https://api.github.com/repos/arcanericky/totp/releases/71627349","Warn: release artifact v1.0.9 not signed: https://api.github.com/repos/arcanericky/totp/releases/63032879","Warn: release artifact v1.0.8 not signed: https://api.github.com/repos/arcanericky/totp/releases/52552151","Warn: release artifact v1.1.2 does not have provenance: https://api.github.com/repos/arcanericky/totp/releases/96800139","Warn: release artifact v1.1.1 does not have provenance: https://api.github.com/repos/arcanericky/totp/releases/96217204","Warn: release artifact v1.1.0 does not have provenance: https://api.github.com/repos/arcanericky/totp/releases/71627349","Warn: release artifact v1.0.9 does not have provenance: https://api.github.com/repos/arcanericky/totp/releases/63032879","Warn: release artifact v1.0.8 does not have provenance: https://api.github.com/repos/arcanericky/totp/releases/52552151"],"documentation":{"short":"Determines if the project cryptographically signs release 
artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 27 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-16T23:36:34.344Z","repository_id":44358295,"created_at":"2025-08-16T23:36:34.344Z","updated_at":"2025-08-16T23:36:34.344Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28019490,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-12-25T02:00:05.988Z","response_time":58,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["2fa","authentication","authenticator","passcode","password","totp","totp-tfa","totp-tokens","two-factor","two-factor-authentication"],"created_at":"2025-12-25T04:28:37.140Z","updated_at":"2025-12-25T04:28:38.336Z","avatar_url":"https://github.com/arcanericky.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# TOTP\n\nA time-based one-time password (TOTP) code generator written in Go. 
A command-line interface that's like [Google Authenticator](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\u0026hl=en_US) or [Authy](https://authy.com/) for your Windows, macOS, or Linux machine.\n\n[![Build](https://github.com/arcanericky/totp/actions/workflows/builder.yml/badge.svg?branch=master)](https://github.com/arcanericky/totp/actions/workflows/builder.yml)\n[![codecov](https://codecov.io/gh/arcanericky/totp/branch/master/graph/badge.svg)](https://codecov.io/gh/arcanericky/totp)\n[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](http://makeapullrequest.com)\n\n## What it Does\n\nIt generates TOTP codes used for two-factor authentication at sites such as Google, GitHub, Dropbox, PayPal, Amazon, and many more.\n\n**Warning**\nEvery copy of your two-factor credentials increases your risk profile. Using this utility is no exception. This utility will store your TOTP secrets unencrypted on your filesystem. The only protection offered is that the secrets are stored in a file readable only by your user, and that restriction is enforced by the operating system alone.\n\n## Quick Start\n\n**Add TOTP secrets** to the TOTP configuration file with the `config add` option, specifying the name and secret value. Note the secret names are **case sensitive**.\n\n```sh\ntotp config add mysecretname NV4XGZLDOJSXICQ\n```\n\n**Generate TOTP codes** using the `totp` command to specify the secret name. Note that because `totp` reserves the use of the words `config` and `version` for commands, don't use them to name a secret. If you've generated and installed `totp` completions for your shell, pressing tab on a partially completed secret name will trigger autocomplete.\n\n```sh\ntotp mysecretname\n```\n\n**List the secret entries** with the `config list` command.\n\n```sh\ntotp config list\n```\n\nAliases are `ls` and `l`.\n\n**Update secret entries** using the `config update` command. 
Note that `config update` and `config add` are actually the same command and can be used interchangeably.\n\n```sh\ntotp config update mysecretname NV4XGZLDOJSXICQ\n```\n\n**Rename the secret entries** with the `config rename` command.\n\n```sh\ntotp config rename mysecretname mynewname\n```\n\nAliases are `ren` and `mv`.\n\n**Delete secret entries** with the `config delete` command.\n\n```sh\ntotp config delete mynewname\n```\n\nAliases are `remove`, `erase`, `rm`, and `del`.\n\n**Remove all the secrets** and start over using the `config reset` command.\n\n```sh\ntotp config reset\n```\n\n**Use an ad-hoc secret** to generate a code by using the `--secret` option.\n\n```sh\ntotp --secret NV4XGZLDOJSXICQ\n```\n\n**Continuous code output** can be generated with the `--follow` option.\n\n```sh\ntotp --follow mysecretname\n```\n\n**Use a QR Code** to move an entry into your mobile device.\n\n```sh\ntotp --qrcode mysecretname\n```\n\nwill output a QR code suitable for scanning into a mobile device app such as Google Authenticator or Authy.\n\nA one-off QR code can also be generated by providing both the name and the secret, for example:\n\n```sh\ntotp --qrcode --secret NV4XGZLDOJSXICQ mysecretname\n```\n\n**For help** on any of the above, use the `--help` option. Examples are:\n\n```sh\ntotp --help\ntotp config --help\n```\n\n**Shell completion** can be enabled by using the `completion` command.\n\nBash\n\n```sh\n. \u003c(totp completion bash)\n```\n\nPowerShell\n\n```powershell\n. totp completion powershell | Out-String | Invoke-Expression\n```\n\n## TOTP Data Location\n\nSaved data is kept in the file `totp-config.json`, in the location taken from the `LOCALAPPDATA` environment variable on Windows and the `HOME` environment variable on Linux/macOS. 
This can be customized using the `--file` option or by setting the `TOTP_CONFIG` environment variable.\n\n## Using the Time Machine\n\n`totp` implements the `--time`, `--forward`, and `--backward` options to manipulate the time for which the TOTP code is generated. This is useful if `totp` is being used on a machine with the incorrect time.\n\nThe `--time` option takes an [RFC3339 formatted time string](https://tools.ietf.org/html/rfc3339) as its argument and uses it to generate the TOTP code. Note that the `--forward` and `--backward` options will internally modify this option value.\n\nExamples with `--time`:\n\n```sh\n$ date '+%FT%T%:z'\n2019-06-01T19:58:47-05:00\n$ totp --time $(date '+%FT%T%:z') --secret NV4XGZLDOJSXICQ\n931665\n$ totp --time 2019-06-01T20:00:00-05:00 --secret NV4XGZLDOJSXICQ\n526171\n```\n\nThe `--forward` and `--backward` options move the current time forward and backward by their duration formatted arguments. See [Go's `time.ParseDuration()`](https://golang.org/pkg/time/#ParseDuration) documentation for more details on this format.\n\nExamples with `--forward` and `--backward`\n\n```sh\n$ totp --time 2019-06-01T20:00:00-05:00 --backward 3m --secret NV4XGZLDOJSXICQ\n222296\n$ totp --time 2019-06-01T20:00:00-05:00 --forward 30s --secret NV4XGZLDOJSXICQ\n820148\n```\n\nThe `--follow` option is also compatible with the time machine.\n\n```sh\ntotp --time 2001-10-31T20:00:00-05:00 --follow --secret NV4XGZLDOJSXICQ\n877737\n208737\n```\n\n## Using the Stdio Option\n\nIf storing secrets in the clear isn't ideal for you, `totp` supports streaming the shared secret collection through stdin and stdout with the `--stdio` option. This allows you to roll your own encryption or support other methods of maintaining shared secrets.\n\nThe `totp \u003csecret name\u003e` and `totp config list` commands support loading the collection via standard input. 
The \n`totp config update`, `totp config delete`, and `totp config rename` commands support loading via standard input and sending the modified collection to standard output. Experiment with the `--stdio` option to observe how this works.\n\n### Learning with Plaintext Data\n\nNote the `--file` option can achieve the same results as this example. This is meant to teach how stdio works with `totp`.\n\nCreate a collection\n\n```sh\ntotp config add --stdio secretname myvalue \u003c /dev/null \u003e totp.json\n```\n\nView the collection\n\n```sh\ntotp config list --stdio \u003c totp.json\n```\n\nGenerate a TOTP code\n\n```sh\ntotp secretname --stdio \u003c totp.json\n```\n\n### Encrypting Shared Secret Collection\n\nUsing what was learned above, a contrived example for encrypting data with [GnuPG](https://gnupg.org/) follows.\n\nCreate an encrypted collection\n\n```sh\ntotp config add --stdio secretname myvalue \u003c /dev/null | \\\n  gpg --batch --yes --passphrase mypassphrase --output totp-collection.gpg --symmetric\n```\n\nView the collection\n\n```sh\ngpg --quiet --batch --passphrase mypassphrase --decrypt totp-collection.gpg | \\\n  totp config list --stdio\n```\n\nAdd another secret\n\n```sh\ngpg --quiet --batch --passphrase mypassphrase --decrypt totp-collection.gpg | \\\n  totp config add  --stdio newname newvalue | \\\n  gpg --batch --yes --passphrase mypassphrase --output totp-collection.gpg --symmetric\n```\n\nView the modified collection\n\n```sh\ngpg --quiet --batch --passphrase mypassphrase --decrypt totp-collection.gpg | \\\n  totp config list --stdio\n```\n\nGenerate a TOTP code\n\n```sh\ngpg --quiet --batch --passphrase mypassphrase --decrypt totp-collection.gpg | totp --stdio secretname\n```\n\n## Building\n\n`totp` is mostly developed using Go 1.19.x on Debian based systems. 
Only `go` is required, but to use the automated actions the `Makefile` provides, `make` must be installed.\n\nTo build everything:\n\n```sh\ngit clone https://github.com/arcanericky/totp.git\ncd totp\nmake\n```\n\nFor unit tests and code coverage reports:\n\n```sh\nmake test\n```\n\nThe coverage is output to `coverage.html`. Load it in a browser for review. For example:\n\n```sh\n/opt/google/chrome/chrome file://$PWD/coverage.html\n```\n\nTo build for a single platform (see the `Makefile` for the different targets):\n\n```sh\nmake linux-amd64\n```\n\nSee the `Makefile` for how to use the `go` command natively.\n\n## Contributing\n\nContributions and issues are welcome. These include bug reports and fixes, code comments, spelling corrections, and new features. If adding a new feature, please file an issue so it can be discussed prior to implementation so your time isn't wasted.\n\nUnit tests for new code are required. Use `make test` to verify coverage. Coverage will also be checked with Codecov when pull requests are made.\n\n## Inspiration\n\nMy [ga-cmd project](https://github.com/arcanericky/ga-cmd) is more popular than I expected. It's basically the same as `totp` with a much smaller executable, but the list of secrets must be edited manually and there aren't as many command line options. This `totp` project allows the user to maintain the secret collection through the `totp` command line interface, run on a variety of operating systems, and gives me a platform to practice my Go coding.\n\n## Credits\n\nThis utility uses the [otp package by pquerna](https://github.com/pquerna/otp). Without this library, I probably wouldn't have bothered creating this front-end.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farcanericky%2Ftotp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Farcanericky%2Ftotp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farcanericky%2Ftotp/lists"}